diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml
index c02f560fa..460071ee8 100644
--- a/.github/workflows/lock-versions.yml
+++ b/.github/workflows/lock-versions.yml
@@ -6,7 +6,7 @@ on:
 description: 'List of branches to lock versions (ordered, comma separated)'
 required: true
 # 7.17 was intentionally skipped because it was added late and was bug fix only
- default: '8.13,8.14,8.15,8.16,8.17,8.18'
+ default: '8.14,8.15,8.16,8.17,8.18,9.0'
 
 jobs:
 pr:
diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml
index 3b01b0677..97ca3e0f0 100644
--- a/.github/workflows/pythonpackage.yml
+++ b/.github/workflows/pythonpackage.yml
@@ -2,7 +2,7 @@ name: Unit Tests
 
 on:
 push:
- branches: [ "main", "7.*", "8.*" ]
+ branches: [ "main", "7.*", "8.*", "9.*" ]
 pull_request:
 branches: [ "*" ]
 
diff --git a/detection_rules/etc/api_schemas/9.0/9.0.base.json b/detection_rules/etc/api_schemas/9.0/9.0.base.json
new file mode 100644
index 000000000..23138b136
--- /dev/null
+++ b/detection_rules/etc/api_schemas/9.0/9.0.base.json
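Review bot: The new `default` value silently drops 8.13 from the branch list, while the comment directly above it only explains why 7.17 is absent, so a reader of this file cannot tell whether 8.13 was retired on purpose or lost in the edit that appended 9.0. Since this input is described as an ordered list that drives version locking, an undocumented gap is the kind of thing that gets "fixed" back by a later contributor. Suggest extending the existing comment with one line, e.g. `# 8.13 dropped from the default list: <reason, e.g. no longer receives version locks>`, keeping the reason factual rather than inferred. The workflow-dispatch input that this hunk edits begins above the hunk.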
@@ -0,0 +1,412 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + 
"description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, 
+ "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "esql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + 
"required": [ + "author", + "description", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.eql.json b/detection_rules/etc/api_schemas/9.0/9.0.eql.json new file mode 100644 index 000000000..30f489eed --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.eql.json 
@@ -0,0 +1,490 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "event_category_override": { + "min_compat": "8.0", + "type": "string" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + 
"interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + 
"minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { 
+ "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "tiebreaker_field": { + "min_compat": "8.0", + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.esql.json b/detection_rules/etc/api_schemas/9.0/9.0.esql.json new file mode 100644 index 000000000..b3e42f35b --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.esql.json 
@@ -0,0 +1,478 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "esql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + 
"additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + 
"type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "esql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.machine_learning.json b/detection_rules/etc/api_schemas/9.0/9.0.machine_learning.json new file mode 100644 index 000000000..7b1b42c22 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.machine_learning.json 
@@ -0,0 +1,476 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "anomaly_threshold": { + "type": "integer" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": 
false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + 
"properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.new_terms.json b/detection_rules/etc/api_schemas/9.0/9.0.new_terms.json new file mode 100644 index 000000000..c0d7d437f --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.new_terms.json 
@@ -0,0 +1,533 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "value": { + "description": "NewTermsFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "field", + "history_window_start", + "value" + ], + "type": "object" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" 
+ }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + 
"additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "new_terms", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ 
No newline at end of file
diff --git a/detection_rules/etc/api_schemas/9.0/9.0.query.json b/detection_rules/etc/api_schemas/9.0/9.0.query.json
new file mode 100644
index 000000000..408c8bbb9
--- /dev/null
+++ b/detection_rules/etc/api_schemas/9.0/9.0.query.json
@@ -0,0 +1,482 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + 
}, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + 
"additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.threat_match.json b/detection_rules/etc/api_schemas/9.0/9.0.threat_match.json new file mode 100644 index 000000000..f10aa0d85 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.threat_match.json 
@@ -0,0 +1,573 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "items_per_search": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + 
"min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + 
"description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.0/9.0.threshold.json b/detection_rules/etc/api_schemas/9.0/9.0.threshold.json new file mode 100644 index 000000000..584696214 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.0/9.0.threshold.json 
@@ -0,0 +1,508 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + } + }, + "required": [ + "duration" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + 
}, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": 
"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", 
+ "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "field": { + "description": "CardinalityFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "type": "array" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/packages.yaml b/detection_rules/etc/packages.yaml index 80600b38c..d326f1f04 100644 --- a/detection_rules/etc/packages.yaml +++ b/detection_rules/etc/packages.yaml @@ -3,7 +3,7 @@ package: maturity: - production log_deprecated: true - name: '9.0' + name: '9.1' registry_data: categories: - security 
@@ -12,7 +12,7 @@ package: capabilities: - security subscription: basic - kibana.version: ^9.0.0 + kibana.version: ^9.1.0 description: Prebuilt detection rules for Elastic Security format_version: 3.0.0 icons: @@ -27,5 +27,5 @@ package: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration - version: 9.0.0-beta.1 + version: 9.1.0-beta.1 release: true diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index 50b2d41c8..58747ac41 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml @@ -92,12 +92,12 @@ # ecs: "8.11.0" # endgame: "8.4.0" -## Supported +# "8.13.0": +# beats: "8.13.4" +# ecs: "8.11.0" +# endgame: "8.4.0" -"8.13.0": - beats: "8.13.4" - ecs: "8.11.0" - endgame: "8.4.0" +## Supported "8.14.0": beats: "8.14.3" @@ -125,6 +125,11 @@ endgame: "8.4.0" "9.0.0": + beats: "9.0.0-beta1" + ecs: "9.0.0-rc1" + endgame: "8.4.0" + +"9.1.0": beats: "9.0.0-beta1" ecs: "9.0.0-rc1" endgame: "8.4.0" \ No newline at end of file diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index cc8eaa11c..6a3aa5778 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -2,19 +2,12 @@ "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 309, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99", "type": "query", "version": 211 - }, - "8.14": { - "max_allowable_version": 410, - "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99", - "type": "query", - "version": 312 } }, "rule_name": "Attempt to Modify an Okta Policy Rule", 
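Review bot: The new `"9.1.0"` entry in the second stack-schema-map.yaml hunk pins exactly the same pre-release schema versions as `"9.0.0"` (`beats: "9.0.0-beta1"`, `ecs: "9.0.0-rc1"`), so 9.1 rules will be validated against 9.0 beta/rc field definitions and nothing in the file records that this is a placeholder to be revisited. A comment above the entry, `# tracks the 9.0.0 pre-release schemas for now; update when 9.1-specific beats/ecs versions are available`, would make the intent explicit (presumably the 9.0.0 block needs the same revisit once GA schemas exist, but that is an inference). The final context line still carries `\ No newline at end of file`; adding the trailing newline while this file is being edited would avoid the marker on every future diff. The first hunk, which moves `"8.13.0"` into the commented-out block above `## Supported`, is consistent with dropping 8.13 from the lock-versions default in the workflow change.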
@@ -23,32 +16,12 @@ "version": 412 }, "00140285-b827-4aee-aa09-8113f58a08f3": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "8cd037720adc468e6c21ea2add4914a716d1fa7f3ffb7542a3196bf05c40a420", - "type": "eql", - "version": 116 - } - }, "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "b3a3605004e2c4a6c948a89b070b0ee2a28e33958a603a1c06e4bcf9dfa1553d", "type": "eql", "version": 316 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "System Shells via Services", - "sha256": "94047c055fb327e889a977deaf20ab8494f8d7c817d09a9039eecead9f00ec21", - "type": "eql", - "version": 113 - } - }, "rule_name": "System Shells via Services", "sha256": "c6c35ad0725cb2e48652c4674ae470c1adbbbdccbd396fa2c586f2edae14028e", "type": "eql", @@ -104,16 +77,6 @@ "version": 204 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "810907d90a27aee361c0e4bdf4d0bfe79e58e47c2b9f7a8df4b14ad750f1aa8a", - "type": "eql", - "version": 108 - } - }, "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "415830680cf9d50d3845dbb66278e1153b189e660304ba0a15ca8d3d5f47ed5d", "type": "eql", 
@@ -132,16 +95,6 @@ "version": 7 }, "02a4576a-7480-4284-9327-548a806b5e48": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 307, - "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "376189f0989a9c834ea9e807f1c31236301e528eec227aa389419a7e53aeabf0", - "type": "eql", - "version": 209 - } - }, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "3e2498d141db920ce8fc17488acde7032ea81b42d39f7e26c4050febb32a3bec", "type": "eql", @@ -166,16 +119,6 @@ "version": 207 }, "035889c4-2686-4583-a7df-67f89c292f2c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "4c5ca4a33be28031ab32a084760e988f017a7edd84cc8c08f314f52d3873cb50", - "type": "threshold", - "version": 113 - } - }, "rule_name": "High Number of Process and/or Service Terminations", "sha256": "7bb30e533a5784e8b443498afc2acd04fa726e74eec86a301107c57c0e73a4fd", "type": "threshold", @@ -224,16 +167,6 @@ "version": 105 }, "043d80a3-c49e-43ef-9c72-1088f0c7b278": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Potential Escalation via Vulnerable MSI Repair", - "sha256": "47373227a503f5fe1fde96d536e6a205fcac83b971b0dee087b3614cd96c814f", - "type": "eql", - "version": 3 - } - }, "rule_name": "Potential Escalation via Vulnerable MSI Repair", "sha256": "95d69d7ba9d1821cb7a31fc102eddbf4725f3512d45f8c1129cd08902c00b9da", "type": "eql", 
@@ -252,16 +185,6 @@ "version": 2 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "1ca8fdf09317fd36c70df03f3201b8274dda82e84f259811b7e392d1b5d8e6b4", - "type": "eql", - "version": 112 - } - }, "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "sha256": "a219cd9773dc1fa8aa69881e4de1fb3c8b9b635a1c380a4782cf15cec90f8904", "type": "eql", @@ -274,32 +197,12 @@ "version": 8 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "05e330c5bc7ed2ce8eebca407e464236f706e834abd2347c5e29222915cb9919", - "type": "eql", - "version": 115 - } - }, "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "3f61af7fb95a6f56f3d8b10f22c2543e1500a295cedb05240385a644cfb3960c", "type": "eql", "version": 215 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e", - "type": "eql", - "version": 110 - } - }, "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "de972a03d58e0257614b0bd101a01763a9c8905bf07a6d5a97b16871115da13e", "type": "eql", 
@@ -318,32 +221,12 @@ "version": 109 }, "0635c542-1b96-4335-9b47-126582d2c19a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "Remote System Discovery Commands", - "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", - "type": "eql", - "version": 114 - } - }, "rule_name": "Remote System Discovery Commands", "sha256": "8385d01edb4859b073dd968c3ed428bdc9f20bb184869f14eb4f42692a0abe06", "type": "eql", "version": 214 }, "06568a02-af29-4f20-929c-f3af281e41aa": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 109, - "rule_name": "System Time Discovery", - "sha256": "33fe7970c008c5046403b819e98a65e6552a9579cc28562fe551e9ec75fcf0ef", - "type": "eql", - "version": 11 - } - }, "rule_name": "System Time Discovery", "sha256": "cf15b2bf8ac5ddd54fcb4f2ccedb51733cf85512ca197097fe3c7ab31f87755a", "type": "eql", @@ -356,16 +239,6 @@ "version": 5 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "d70040688d2d40faca05dc65ea89f7b7cb6dc34b2c978f2fc33e67f843a5c79f", - "type": "eql", - "version": 10 - } - }, "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", "sha256": "e7a8862a024f6ea8a346b16441845118d570aebb01a849748f0c3d313172edae", "type": "eql", @@ -378,16 +251,6 @@ "version": 102 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Potential Evasion via Filter Manager", - "sha256": "af64a92d30ef699c25bf08f37822770635ec2e44be940f17de9cf25ba519f602", - "type": "eql", - "version": 115 - } - }, "rule_name": "Potential Evasion via Filter Manager", "sha256": "990f986bae1d4f295042fd090a380cd0d6f3d7b8850dd78cf6d5b4e2ffe7d8f0", "type": "eql", 
@@ -401,16 +264,6 @@ "version": 3 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "9f32696b9fa2e1510dd9d329776fa82b31d56c88665b21f900724188a3fb1f33", - "type": "eql", - "version": 112 - } - }, "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "36865a14b607cf48b5cdfcf52bd07a4c37c6a89038d1230ec983ac280ad050ce", "type": "eql", @@ -429,16 +282,6 @@ "version": 7 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "09c2f36752a76180ee5f6c3d999fca9b4a594baf1e68da518828098d4a918b29", - "type": "eql", - "version": 10 - } - }, "rule_name": "Local Account TokenFilter Policy Disabled", "sha256": "a02807e2dbf00fd418c04b345cf9bb599e756134d50cfc7ceb239d0db3e3d270", "type": "eql", @@ -469,16 +312,6 @@ "version": 107 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "First Time Seen Removable Device", - "sha256": "f1ac8cf1be60a96de758a01dfbfd0a5b594450e5a38ceae29fc315267402c892", - "type": "new_terms", - "version": 10 - } - }, "rule_name": "First Time Seen Removable Device", "sha256": "70f7e9b02ae62752a1aa355c2bf0737861fcbe8f6d564b36f533e1c115925ed6", "type": "new_terms", 
@@ -545,16 +378,6 @@ "version": 6 }, "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 105, - "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e", - "type": "query", - "version": 7 - } - }, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "d48d0db0dcf2f0f427cffe2c1fc5c43f10abee34268e5d667453968fbde0f29d", "type": "query", @@ -567,32 +390,12 @@ "version": 5 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Anomalous Windows Process Creation", - "sha256": "e58901307b82a6b703f7a5b2767769ca7cbec1c80db040954fe646835f35d714", - "type": "machine_learning", - "version": 109 - } - }, "rule_name": "Anomalous Windows Process Creation", "sha256": "c0f120a64ff245f24b22572875fa394dbdc77cb4f3718153eba555eb889feac8", "type": "machine_learning", "version": 209 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "User account exposed to Kerberoasting", - "sha256": "f4161c7c3cb1aa92b083eb597fae4114d218aee981cb01a13851e639a4dea970", - "type": "query", - "version": 114 - } - }, "rule_name": "User account exposed to Kerberoasting", "sha256": "ebd85ca66aad316c0f9ca0890392b1bf3c4c86c58b9b097f3079dd6dbc0a6dee", "type": "query", 
@@ -617,16 +420,6 @@ "version": 108 }, "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Attempt to Establish VScode Remote Tunnel", - "sha256": "651c708c609fb7785a9f1776142e6f473de4466714636ff521fc42e5e303c8f0", - "type": "eql", - "version": 5 - } - }, "rule_name": "Attempt to Establish VScode Remote Tunnel", "sha256": "f3895557013bb677c666836d9909116795173df120b18f2792b6aa20cbe69580", "type": "eql", @@ -658,16 +451,6 @@ "version": 3 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Peripheral Device Discovery", - "sha256": "0ba61428f49133210022937f1edfd3ba9e42329cb91126ff0465644e23fc62ce", - "type": "eql", - "version": 112 - } - }, "rule_name": "Peripheral Device Discovery", "sha256": "61263ade531000457423d75f215e58ba78b6b5cfd11f5e95bf5fca9d5d77c526", "type": "eql", @@ -740,23 +523,12 @@ "version": 105 }, "0e79980b-4250-4a50-a509-69294c14e84b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "MsBuild Making Network Connections", - "sha256": "7c639b668c0b9207254749cb4e45c08ed861a61d1b5e8b27147b3b664d0ae255", - "type": "eql", - "version": 111 - } - }, "rule_name": "MsBuild Making Network Connections", "sha256": "1d7d425a4b556f2c948c50f0b1dfd888045fc7023dbe3fbad411dbb83d420c0e", "type": "eql", "version": 212 }, "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": { - "min_stack_version": "8.14", "rule_name": "Sensitive Audit Policy Sub-Category Disabled", "sha256": "36d53d03849de22fb24be66156f15194ce07ace1ab38974701e6b69efe28551e", "type": "query", 
@@ -794,16 +566,6 @@ "version": 100 }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 309, - "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "47eb039775808da28b11790e0cc065e4a50d78e27c509b0d3658b680d0e8afa5", - "type": "threshold", - "version": 211 - } - }, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "bbaf49b522cd5d40af2d47cba7e4b4171ca4727ca8719122a6cdbee63432dc73", "type": "threshold", @@ -847,32 +609,12 @@ "version": 105 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "46d8b330ba652e23adf896e687f3e5366a624a5331876fc279966cc8b152cf65", - "type": "eql", - "version": 112 - } - }, "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "sha256": "a2bdb54600ed5810827ddcde587fdd19f4abe4ac4f268242ea2b360c433b20ae", "type": "eql", "version": 212 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "a994d1f91f21add41bfa56ede5881e607b7400b4d3892076489853ee155f7fce", - "type": "eql", - "version": 113 - } - }, "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "89ff75015ccc7505d10b8e1dd68a6e00bc013390bb1d3c3261ebea0dee5a9cd8", "type": "eql", 
@@ -891,16 +633,6 @@ "version": 100 }, "11dd9713-0ec6-4110-9707-32daae1ee68c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 113, - "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "a7ec142dcda7675c77e9b876a21fdbc81216e3a996b187d8b9ce5fb6ee881abc", - "type": "query", - "version": 15 - } - }, "rule_name": "PowerShell Script with Token Impersonation Capabilities", "sha256": "6b484742b765e528a93679109d41f88dab5fc43c020fe7354c920f488c850661", "type": "query", @@ -925,16 +657,6 @@ "version": 100 }, "1224da6c-0326-4b4f-8454-68cdc5ae542b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Suspicious Windows Process Cluster Spawned by a User", - "sha256": "36f3d53e0e615d93af889f1a29da008db557f004f34ab0b3a14b5210f0aeee2f", - "type": "machine_learning", - "version": 8 - } - }, "rule_name": "Suspicious Windows Process Cluster Spawned by a User", "sha256": "5e43858136609068909a67bd2ffd833f974eeee7ae19cdb80a02ae08ad096d70", "type": "machine_learning", @@ -953,16 +675,6 @@ "version": 100 }, "128468bf-cab1-4637-99ea-fdf3780a4609": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Suspicious Lsass Process Access", - "sha256": "b5585ef93c094d17af2ec93e821abae35166aff50db392c679bdfd4ad289691e", - "type": "eql", - "version": 108 - } - }, "rule_name": "Suspicious Lsass Process Access", "sha256": "19af37acbf8a0f9774fb22c8fe43855471d07d04d9aa68dfaf95e90219bd65a0", "type": "eql", 
@@ -981,48 +693,18 @@ "version": 205 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "272a96e698a6afe16c3181d064b9c894e77f51b3eaf866209b5dce7565d67d30", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "sha256": "6650390a0ab837875b873ec9ee59ab4afc35d94df7e4e550ab6e853cccd6b929", "type": "eql", "version": 206 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "8a50a6a6f107f05960872b508ca599e3ced73c94f3e91ba756d516d1fb627486", - "type": "eql", - "version": 115 - } - }, "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "f257b59519a3f70f969db80deb185a3cf39536af5b3c532c376b9108da677c08", "type": "eql", "version": 316 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "17d08d5a22a343108d957c179ce6094d0257d0d8b2579a4951119dda819508f6", - "type": "eql", - "version": 110 - } - }, "rule_name": "Persistence via Scheduled Job Creation", "sha256": "b0ccfcb313b2d42d0235a2596412d1178773cf4161732fd7ad768553a89a446b", "type": "eql", 
@@ -1041,16 +723,6 @@ "version": 105 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", - "sha256": "39c607c5899fa2a4b06f20c10675605931045838a883996b8978c1a623348ea7", - "type": "threshold", - "version": 7 - } - }, "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", "sha256": "d0a42671292f00c27195e313455fdfaba1fec838c135fe4e95baf80fe9fe68bd", "type": "threshold", @@ -1093,16 +765,6 @@ "version": 204 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "c1c4d209cde3b94cd2f8c548ecdb34cb3fa679dd0b53e7fdede58f9d1556ead5", - "type": "eql", - "version": 113 - } - }, "rule_name": "Potential Persistence via Time Provider Modification", "sha256": "9b84185dd52ac21aec4f2a8db1583492782012ec7a3cf59ce9987512ffb52e0f", "type": "eql", @@ -1111,19 +773,12 @@ "1502a836-84b2-11ef-b026-f661ea17fbcc": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 102, "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2", "type": "new_terms", "version": 4 - }, - "8.14": { - "max_allowable_version": 203, - "rule_name": "Successful Application SSO from Rare Unknown Client Device", - "sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2", - "type": "new_terms", - "version": 105 } }, "rule_name": "Successful Application SSO from Rare Unknown Client Device", 
@@ -1144,32 +799,12 @@ "version": 4 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "5590dc04999fc927242cf1926db4e2333087ea2de5e17c69677fa0ce42a76e5b", - "type": "eql", - "version": 113 - } - }, "rule_name": "Scheduled Task Execution at Scale via GPO", "sha256": "48a21cf9c0af5dfe2bfe8c63b5a363ce108759818d65d6b3413ecbd1d0492b71", "type": "eql", "version": 213 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "59e37cb962abea6a86b2a9384e1f08d2d036cdf4ab29173bc0d6e344af013204", - "type": "eql", - "version": 115 - } - }, "rule_name": "Remote File Download via Desktopimgdownldr Utility", "sha256": "ceac041df0548aca97242dafdaeb9c690d4d47ac4073a6393c65e651869946b4", "type": "eql", @@ -1194,16 +829,6 @@ "version": 103 }, "166727ab-6768-4e26-b80c-948b228ffc06": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 104, - "rule_name": "File Creation Time Changed", - "sha256": "4b13b87a19503b754f0e1168a58053e72b7ab57ed3f6b4fa1e85ca983050228f", - "type": "eql", - "version": 6 - } - }, "rule_name": "File Creation Time Changed", "sha256": "96cb410b392f1a8774e854637ac35223c3f06af1886b4805a50b9337a05c3290", "type": "eql", 
@@ -1228,16 +853,6 @@ "version": 114 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "3cc36b41be0eac9cd7741554fb1bd65a80c0a77275abb17d58fd202b42c25c6b", - "type": "eql", - "version": 112 - } - }, "rule_name": "Startup/Logon Script added to Group Policy Object", "sha256": "f0b9ffa215ff2cbd2e2a889ada8e94883b25b009557f7f572ffacebd45b15863", "type": "eql", 
@@ -1256,80 +871,30 @@ "version": 4 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Unusual Windows Username", - "sha256": "e9ed01e74760cd8f6b5436fa2bf1017b75f7981365876ee0443e0bab995a0f27", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Unusual Windows Username", "sha256": "1e10d9ab500e362602268cac7c057d8f4200d268485ee4c70b1e1381d74f32a7", "type": "machine_learning", "version": 208 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Service", - "sha256": "a1c9cbff26b71eb5194648a9907fd39e1504c7662a8f217cd2e9c099f9e24767", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows Service", "sha256": "63fc4e38fc33fd24ef301efc7a52d2781085a9dd8465d14910b075c4ca6b5023", "type": "machine_learning", "version": 207 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Suspicious Powershell Script", - "sha256": "fc63208d7b1218e72d90948342343c545aab84431421c2d3b6d81b1a925181a1", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Suspicious Powershell Script", "sha256": "3bfa0053ceaa3a5923c2aeac1cbb923a448d65b83dda46cfc701cbcf37772899", "type": "machine_learning", "version": 208 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "219fa2a191fb555ae903516b407568cc9bbc7be95ca6f3fb302311ce94382f0f", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "b13eb00c757b1251104bf4c37b3a291ee5acc963ba34c008a8b6d8731a102b47", "type": "machine_learning", "version": 207 
}, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Remote User", - "sha256": "c2ce8aa3cd6b41359d2374f00b781728b1d6990960574e1d27d013e9a33cda80", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows Remote User", "sha256": "6e49cc6ec8fa0f149019eeb0d99bc587779e02711c05c54762667fb21676de08", "type": "machine_learning", @@ -1348,16 +913,6 @@ "version": 2 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "3b12641768e2a47b26428daf4f845ab28c7dd839b86550febd738e1e8586d6ff", - "type": "eql", - "version": 111 - } - }, "rule_name": "Renamed Utility Executed with Short Program Name", "sha256": "897127ce66b9d6ef35af246c068852d99e7af8df437c3e4d98baa466d779a8cf", "type": "eql", @@ -1370,16 +925,6 @@ "version": 105 }, "181f6b23-3799-445e-9589-0018328a9e46": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "12f1a83fb96e68e2440fc75a664bb40ec93c873078e8e95f4e7ada4d552370dc", - "type": "eql", - "version": 3 - } - }, "rule_name": "Script Execution via Microsoft HTML Application", "sha256": "35522252e970985ab70a0f4b89c64a7985895c75db81381345559495693ccc8e", "type": "eql", @@ -1464,16 +1009,6 @@ "version": 103 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Execution of COM object via Xwizard", - "sha256": "f6391e8f5b0619d0a9d9c44f7eb9fd4ee84d804dce2a33222731c4d7f110975b", - "type": "eql", - "version": 113 - } - }, "rule_name": "Execution of COM object via Xwizard", "sha256": "c65c9419a9ac1a778ae51ad7d033bd3775009b43563844b80f984ff2f2f64e45", "type": "eql", 
@@ -1486,16 +1021,6 @@ "version": 209 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "User Account Creation", - "sha256": "1046be8b577da52ec4ae4f06bcbf7ac7e32232c0e2d407916cb0474c8add7849", - "type": "eql", - "version": 112 - } - }, "rule_name": "User Account Creation", "sha256": "3b110982e7dcff42742a98ac233650c6dc58347d5faf2db2f46a849fb45b1bb2", "type": "eql", @@ -1556,16 +1081,6 @@ "version": 205 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "ce97e8b346f6e7bba7e209a95c49253e1561ae4cc80a170c9ae2e23ae6f36dbb", - "type": "eql", - "version": 109 - } - }, "rule_name": "Incoming Execution via WinRM Remote Shell", "sha256": "26cde5fd51100b2103cc8ebd9ffa4347f2529e861975e6d4b22770ff4e8f244a", "type": "eql", @@ -1574,19 +1089,12 @@ "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 104, "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d", "type": "query", "version": 6 - }, - "8.14": { - "max_allowable_version": 205, - "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d", - "type": "query", - "version": 107 } }, "rule_name": "Okta Sign-In Events via Third-Party IdP", 
@@ -1595,16 +1103,6 @@ "version": 207 }, "1d276579-3380-4095-ad38-e596a01bc64f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Remote File Download via Script Interpreter", - "sha256": "832c238b226f2b7fbbc201338e1d0dfe12a9a7ebf4a6263a1f038ab6019e0e6f", - "type": "eql", - "version": 111 - } - }, "rule_name": "Remote File Download via Script Interpreter", "sha256": "ada7bae223693811f424b80ca156f7135da309f54f39186bed4f022974dda573", "type": "eql", @@ -1623,32 +1121,12 @@ "version": 108 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", - "sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344", - "type": "query", - "version": 9 - } - }, "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", "sha256": "0787e6065fa1eb22d7f0b4ae1c97a7da2bd3d32393f320be448e93e2df69dddc", "type": "query", "version": 109 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "56bbd2e4cd59a4c2cde86cbbbfcd9e0afc33c8305d71bab718500435d3a78c7e", - "type": "eql", - "version": 112 - } - }, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "sha256": "07df6892a87587ca8babc6706f4c0106779b8517b3fef2294f5eb30ea9491d7b", "type": "eql", 
@@ -1661,16 +1139,6 @@ "version": 9 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d", - "type": "eql", - "version": 108 - } - }, "rule_name": "Execution of File Written or Modified by PDF Reader", "sha256": "86f5fcf575f0f6c1addf031e30cf8e4bf984916f511300021ddd5d036bf4792d", "type": "eql", @@ -1683,16 +1151,6 @@ "version": 106 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 105, - "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1", - "type": "query", - "version": 7 - } - }, "rule_name": "PowerShell Script with Discovery Capabilities", "sha256": "7efabb7cc18356aa60fe4c271bef0144b303a454cd4203ec421a5a679a75572e", "type": "query", @@ -1705,32 +1163,12 @@ "version": 103 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Creation of a DNS-Named Record", - "sha256": "4955aaefda636b2420e5116875b69def93dd7fd67397cb2a0322de00b946b0fc", - "type": "eql", - "version": 5 - } - }, "rule_name": "Creation of a DNS-Named Record", "sha256": "601853c2f6f8d5d47352dae612917238325b67762d8659f901e4a21c832d90f1", "type": "eql", "version": 105 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 105, - "rule_name": "Creation of SettingContent-ms Files", - "sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39", - "type": "eql", - "version": 6 - } - }, "rule_name": "Creation of SettingContent-ms Files", "sha256": "ff8663b5c757bb323d6d9af69fd2819865654af9bb2de2359009d0cb368ec2a6", "type": "eql", 
@@ -1749,16 +1187,6 @@ "version": 105 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 109, - "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "021df20053fabc64b24430c7e4bdb3fa187c6f00b27139bffc24759c4e97b817", - "type": "query", - "version": 11 - } - }, "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", "sha256": "440ef66551ac7e38e741b7fefff772fab1e8807ba1d7129dacdf19a382fd06ad", "type": "query", @@ -1771,16 +1199,6 @@ "version": 3 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 103, - "rule_name": "Unusual Process Execution on WBEM Path", - "sha256": "c0c0dc9d02782e6a4e0945d5a4067d3508deaeed48634ba3aa3bce892de5a9c4", - "type": "eql", - "version": 5 - } - }, "rule_name": "Unusual Process Execution on WBEM Path", "sha256": "d89337c9d0ba87570647603b26f42ac3171fd6d9640b10b178348bff7117b07e", "type": "eql", @@ -1799,16 +1217,6 @@ "version": 105 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "4fefe2cc790c9b5fd8afbd08cfd7bd28ee6f50dffd877ec1400d81c1659bcc36", - "type": "eql", - "version": 114 - } - }, "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "b8941a4bd23e47360ee8b1a98140c573efad95250ad8e4ff1315da0b83ee3d8f", "type": "eql", 
@@ -1821,16 +1229,6 @@ "version": 104 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Suspicious .NET Code Compilation", - "sha256": "acfdd598b6015547f15e05e3ee2dd61dec13a52e09ccef1f154e133678cb2e8a", - "type": "eql", - "version": 114 - } - }, "rule_name": "Suspicious .NET Code Compilation", "sha256": "2c8e7933b55726a6bd967fa3c6e4ecaa207c4acd5574f5970995d8bc9b341746", "type": "eql", @@ -1843,16 +1241,6 @@ "version": 105 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Creation or Modification of Root Certificate", - "sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332", - "type": "eql", - "version": 111 - } - }, "rule_name": "Creation or Modification of Root Certificate", "sha256": "4271caa450f1e1e8420eee5f49d3481396358bdee6fa3480756e5ce91adde73a", "type": "eql", @@ -1871,32 +1259,12 @@ "version": 210 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "69246453362e5ca8115d5ebc4d54e31708b17fca42e8f1c3289e2f21e27e0982", - "type": "eql", - "version": 3 - } - }, "rule_name": "Werfault ReflectDebugger Persistence", "sha256": "99ed70fd9f47a95ed1240f5cc52f747dee59633a0c745c4efa9ab0127865b48c", "type": "eql", "version": 203 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "c71196cfccc34b4c3d768cc7220422fdaf2d6163c21dc2b1f3c8d1616a87dfb9", - "type": "eql", - "version": 113 - } - }, "rule_name": "LSASS Memory Dump Handle Access", "sha256": "72f43c85a5250cea55570cba448f42de38ff7b2fb9730edd8f6a78a7cc05fd4a", "type": "eql", 
@@ -1933,16 +1301,6 @@ "version": 7 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "39e75f704730200ba6057b7687a63159e2080003d55f8b8e6217740e487ab59e", - "type": "eql", - "version": 9 - } - }, "rule_name": "Full User-Mode Dumps Enabled System-Wide", "sha256": "7d93d723489d1f6a59e139b58489ea66daaaa5a601a1f03527f4e18f249bd3ac", "type": "eql", @@ -1999,19 +1357,12 @@ "23f18264-2d6d-11ef-9413-f661ea17fbce": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 102, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", "type": "esql", "version": 4 - }, - "8.14": { - "max_allowable_version": 202, - "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", - "type": "esql", - "version": 104 } }, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", 
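Review bot: In the hunk for rule 23f18264-2d6d-11ef-9413-f661ea17fbce the `"8.13"` key is renamed to `"8.14"` while the values kept are those of the old 8.13 entry (`"max_allowable_version": 102`, `"version": 4`), and the entry that previously tracked 8.14 (`"max_allowable_version": 202`, `"version": 104`) is deleted, so the lock now records a lower tracked version for the 8.14 branch than it did before. If the lock tooling intentionally re-bases version offsets when the oldest branch is dropped this is expected, but the PR description should say so, because a consumer comparing this lock against rules already deployed on 8.14 will see the tracked version fall by 100. The same rename-and-drop pattern appears in the hunks for 260486ee-7d98-11ee-9599-f661ea17fbcd, 29b53942-7cd4-11ee-b70e-f661ea17fbcd, 2e56e1bc-867a-11ee-b13e-f661ea17fbcd, 3805c3dc-f82c-4f8d-891e-63c24d3102b0 and 42bf698b-4738-445b-8231-c834ddefd8a0. The 2e56e1bc entry deserves a specific check: the surviving `"8.14"` record now says `"type": "threshold"` with the old 8.13 sha256, whereas the removed 8.14 record said `"type": "esql"` with a different sha256, so the lock's description of what is on 8.14 changed, not just its version number.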
@@ -2026,32 +1377,12 @@ "version": 207 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Lateral Movement via Startup Folder", - "sha256": "9a03061d1c7d42331e54fa8c990602900d110a67d95d1245e44eae86e42cdc90", - "type": "eql", - "version": 110 - } - }, "rule_name": "Lateral Movement via Startup Folder", "sha256": "77d41e72a8e9b4a7bbb7fab3c40167833d4e87d06b28d8e465774750ef5104b5", "type": "eql", "version": 310 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 103, - "rule_name": "Potential PowerShell HackTool Script by Author", - "sha256": "099be59655d3f1d35382b882049816c2c0570633f5d119e1ae6285bf5d5a901c", - "type": "query", - "version": 5 - } - }, "rule_name": "Potential PowerShell HackTool Script by Author", "sha256": "75e4844865ebef904a98f31b4021a2423b98a9e56a10e931089cea0ea3821cc7", "type": "query", @@ -2078,19 +1409,12 @@ "260486ee-7d98-11ee-9599-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 104, "rule_name": "New Okta Authentication Behavior Detected", "sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935", "type": "query", "version": 6 - }, - "8.14": { - "max_allowable_version": 205, - "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935", - "type": "query", - "version": 107 } }, "rule_name": "New Okta Authentication Behavior Detected", 
@@ -2105,16 +1429,6 @@ "version": 8 }, "263481c8-1e9b-492e-912d-d1760707f810": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "54a0ad6f86ecdf068b1aae65f14d158a4f15e61b09a082762d2bd3413455bd6d", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential Relay Attack against a Domain Controller", "sha256": "2985960617b321f48dd8601a1a8803bca75bb670250579ab023076cccb62abbd", "type": "eql", @@ -2133,16 +1447,6 @@ "version": 2 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "4cb0180da3ef6e0e18bd152032578629a162d39c81b679998254e1e96d7a7a1e", - "type": "eql", - "version": 112 - } - }, "rule_name": "Persistence via Update Orchestrator Service Hijack", "sha256": "8a1961e72e2bd40e50a0aa2d9798a0fddb3d6b24b4c0d0272eacefc88d9bb15c", "type": "eql", @@ -2185,16 +1489,6 @@ "version": 312 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 104, - "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95", - "type": "query", - "version": 6 - } - }, "rule_name": "PowerShell Script with Archive Compression Capabilities", "sha256": "7968dcf6597d447a945c7445f46e60b9c60182148cddf51f04392d3a1650b46e", "type": "query", 
@@ -2213,16 +1507,6 @@ "version": 207 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "21c8229d021bc8b4ae787107ff45217ab56d52e249857ff17e0a4f51ef3c7f85", - "type": "eql", - "version": 110 - } - }, "rule_name": "Incoming Execution via PowerShell Remoting", "sha256": "5a0f9b9a7ffefc4f2658c7b3637872e4beedb55b3e26d5cc76e3bf45f89cba0c", "type": "eql", @@ -2241,16 +1525,6 @@ "version": 207 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 215, - "rule_name": "Account Password Reset Remotely", - "sha256": "fb5aa2394d8110f0ee46049a6b1ecea7a58a015560ea9e83bc0a7189668b9a9e", - "type": "eql", - "version": 118 - } - }, "rule_name": "Account Password Reset Remotely", "sha256": "137bd2d87af18453725653508901c2d8ad9bbb67598c3aab9cb61849bdd9e991", "type": "eql", @@ -2263,16 +1537,6 @@ "version": 3 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397", - "type": "eql", - "version": 111 - } - }, "rule_name": "Account Discovery Command via SYSTEM Account", "sha256": "2b775cfcd03f8ddcaab836d20fc03e2cd95cd89e3e8e729f6f6ea92f1e16bca4", "type": "eql", @@ -2317,7 +1581,7 @@ "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { "min_stack_version": "8.16", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 104, "rule_name": "Privilege Escalation via SUID/SGID", "sha256": "6ace4761c9708044d26fcf7337460b8479b0c47a4aad784406a4831f875a8ea1", 
@@ -2343,48 +1607,18 @@ "version": 208 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "d0e818d0f2ad9ea6d298e000b8823c6f9fae9d4ba58fd7d4a769d192a825bb7d", - "type": "eql", - "version": 116 - } - }, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", "sha256": "89b1b7dceaff3f36997ec337f2d8cef3fe495d208678da2825e4ed3ce0e5ea3e", "type": "eql", "version": 317 }, "2917d495-59bd-4250-b395-c29409b76086": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "28c64115f2234bf5d1fecf8825b0c7f3345d8785463039b6e20726ad83f4fae9", - "type": "eql", - "version": 113 - } - }, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "69c08ef4a5f787e70fccfd3ec58af92bb9dc8c37e8c0371220c0a70bf79f5b7f", "type": "eql", "version": 417 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 310, - "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "74bf38098dbce95a0c1c95412e8fba9a3f5532a02c1838b1198a971eed59d253", - "type": "new_terms", - "version": 214 - } - }, "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": "f4a3fd4093cb4ee803a7b1fde1a972683e35233b3065923dc59ac148914fd788", "type": "new_terms", 
@@ -2393,19 +1627,12 @@ "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 103, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd", "type": "query", "version": 5 - }, - "8.14": { - "max_allowable_version": 204, - "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd", - "type": "query", - "version": 106 } }, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", 
@@ -2444,80 +1671,30 @@ "version": 109 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Adobe Hijack Persistence", - "sha256": "c39267858935a1708b5485ab0f15d8fec3c65af74dda3eabe1a645357b6ff54c", - "type": "eql", - "version": 114 - } - }, "rule_name": "Adobe Hijack Persistence", "sha256": "e7b371bc3cb56880f4b66c8f8fe941a3dc804cf4d7a909203eb1aac36b2eb4e8", "type": "eql", "version": 415 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "fda9500da0b3d309b22466c14a3b99bc7b486e029d19035500b51c712c4d337d", - "type": "eql", - "version": 113 - } - }, "rule_name": "Windows Defender Exclusions Added via PowerShell", "sha256": "e69123e81346af8a6014260f65776c0326786a0019351371eba62067fb23d7e9", "type": "eql", "version": 314 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "19459360acfaabbee9191b0bffc67924d652582ec4b24d908ab43e31ed2baf8f", - "type": "eql", - "version": 111 - } - }, "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", "sha256": "ed9cc4c9d37caa1424d72d1771b8aaa477eee67588db0cf67131757668706a64", "type": "eql", "version": 211 }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Potential Foxmail Exploitation", - "sha256": "fa4198db44ca8125dc5157ed58f08cb85ded4ed4fdd90a197bd108a4788e7bb9", - "type": "eql", - "version": 3 - } - }, "rule_name": "Potential Foxmail Exploitation", "sha256": "91d807d619d392937f23f7570110f1a16024dea7638053710bbe2c380ba68794", "type": "eql", "version": 204 }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { - 
"min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "da7b8fc9196d2268f214a0e688fb4743c4aaac83e91d448cac7edb41ecb0cc4d", - "type": "eql", - "version": 3 - } - }, "rule_name": "Command and Scripting Interpreter via Windows Scripts", "sha256": "3ddbfa8f343a66c1a88ceece0f1578b6413e48d8e9866070c72412b45e29c6d3", "type": "eql", @@ -2530,16 +1707,6 @@ "version": 211 }, "2dd480be-1263-4d9c-8672-172928f6789a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 310, - "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "6f9f6d3a9b1c3c10ee6f372c529e3043cf57abbe70e819991e61b39bd48cfac8", - "type": "eql", - "version": 212 - } - }, "rule_name": "Suspicious Process Access via Direct System Call", "sha256": "9f2195a1ff14af308fa971db89cf85114f85149da9fab3f43237cc3cbb0a5bd6", "type": "eql", 
@@ -2558,71 +1725,30 @@ "version": 208 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "a2a8c353c9789286a12acad9ac5ef3f78e625e7f76155b7f8fabe49323aa8e5c", - "type": "eql", - "version": 11 - } - }, "rule_name": "Wireless Credential Dumping using Netsh Command", "sha256": "8791e7fb1a6be5e42e542ffbff43107f655cb9129d6d372da900d9d185d90c16", "type": "eql", "version": 212 }, "2e0051cb-51f8-492f-9d90-174e16b5e96b": { - "min_stack_version": "8.14", "rule_name": "Potential File Transfer via Curl for Windows", "sha256": "a4dac855d53d9474f8e5110cd803cc954889544153b5054d8a1d6efef103d335", "type": "eql", "version": 2 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "3f92ade9c8cf46297f9846194909bde8477311035bce84de538a59154fab0a08", - "type": "eql", - "version": 112 - } - }, "rule_name": "Renamed AutoIt Scripts Interpreter", "sha256": "ba2643e57a281cd68d1f699d40aa824bffb36faa4b50d6ee43eafdc67fbf0942", "type": "eql", "version": 212 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Potential Process Injection via PowerShell", - "sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029", - "type": "query", - "version": 113 - } - }, "rule_name": "Potential Process Injection via PowerShell", "sha256": "7e0cc4f4c58256634c207a3b45ff788e4f9970f7e0b9436f55f186c002437855", "type": "query", "version": 213 }, "2e311539-cd88-4a85-a301-04f38795007c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 104, - "rule_name": "Accessing Outlook Data Files", - "sha256": 
"e16b755ef96474eeeb8efab6ae108f1e9420b53cd1d79d3e822dc3215788f7a9", - "type": "eql", - "version": 6 - } - }, "rule_name": "Accessing Outlook Data Files", "sha256": "37fe2693dac2a707118e828ab9b2e21018b8028366804f4304ff2122f53d546b", "type": "eql", @@ -2631,19 +1757,12 @@ "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 100, "rule_name": "Okta User Sessions Started from Different Geolocations", "sha256": "154a54c158e1072b12c8c12e5c0b1a4efd33eeb055cc0a97dfbce0af0e73dc48", "type": "threshold", "version": 2 - }, - "8.14": { - "max_allowable_version": 302, - "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66", - "type": "esql", - "version": 204 } }, "rule_name": "Okta User Sessions Started from Different Geolocations", @@ -2658,16 +1777,6 @@ "version": 105 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Creation of a Hidden Local User Account", - "sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478", - "type": "eql", - "version": 111 - } - }, "rule_name": "Creation of a Hidden Local User Account", "sha256": "19b7467f53896db1e8c5f00dde89e1ac429dc7e8125d433e5c4aac81a6f41de2", "type": "eql", @@ -2680,16 +1789,6 @@ "version": 101 }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652", - "type": "query", - "version": 112 - } - }, "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", "sha256": "f30a726cc8233f0fd47f045cc06753a16529142e73e25f7f2f0a62d4321894c8", "type": "query", 
@@ -2714,16 +1813,6 @@ "version": 110 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 214, - "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "3a93523d026c5a673617ab034e9aacbeef768ba67239b7db35fd13d4082ed83b", - "type": "eql", - "version": 115 - } - }, "rule_name": "Windows Defender Disabled via Registry Modification", "sha256": "2fc498a71ba2f88f7d63796eca1ee83dbe34d62673590eba2f4b869845a5cb02", "type": "eql", @@ -2778,16 +1867,6 @@ "version": 105 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "Bypass UAC via Event Viewer", - "sha256": "26c302e48a82a4c71b95bbacfe998d079412e39f679f834e69fae5d875669849", - "type": "eql", - "version": 116 - } - }, "rule_name": "Bypass UAC via Event Viewer", "sha256": "79da03cd16b3fe390ba1bcbf7210a4e75e1160924c4eaa555b1886746c2b8e38", "type": "eql", @@ -2824,16 +1903,6 @@ "version": 105 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Program Files Directory Masquerading", - "sha256": "606536c8d6bfe0e947e3e259b6e852bc054d4d698047726f4d5c75b729bf55e1", - "type": "eql", - "version": 114 - } - }, "rule_name": "Program Files Directory Masquerading", "sha256": "16bc5626deef5e54395b10b7f90e3c0e85fffdc658d81ccd2d12a5cc6e59d03d", "type": "eql", @@ -2846,16 +1915,6 @@ "version": 3 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "0c5ba486bee0cc0f0fe8315f14137e5a0062539cbb92e1a748fe09f9371887c7", - "type": "eql", - "version": 113 - } - }, "rule_name": "Suspicious MS Outlook Child Process", "sha256": "b1e1ffa2ffa385597f3e15523743b90d7750dbd78db3790213585db3f9c79dc3", "type": "eql", 
@@ -2916,16 +1975,6 @@ "version": 107 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Port Forwarding Rule Addition", - "sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d", - "type": "eql", - "version": 111 - } - }, "rule_name": "Port Forwarding Rule Addition", "sha256": "1cc79e2c4f68e45ffdf9e7e58a3a627ca8fd4f5577008f4af3b2e0cc353dcd19", "type": "eql", @@ -2944,16 +1993,6 @@ "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Unusual Parent-Child Relationship", - "sha256": "d1997aecd63bdf78d6a33f57d17ebd466ad6d7b59bc5c9eec9d99fa339cc883b", - "type": "eql", - "version": 115 - } - }, "rule_name": "Unusual Parent-Child Relationship", "sha256": "63739523a9c101ce0f6304534a8a20f2b7177870efdfb4f8342beec9b6d01ca9", "type": "eql", @@ -2978,16 +2017,6 @@ "version": 112 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "e0de6aabadb9b3edc0355ae72df8fa446a91a842ef12b8ef6ec687e906c931f5", - "type": "eql", - "version": 111 - } - }, "rule_name": "Suspicious ImagePath Service Creation", "sha256": "3cfd44cb623fa5f87fb2bc4b70fb4825b8c30cc422f5ca4959f8affa6a59c239", "type": "eql", 
@@ -3038,19 +2067,12 @@ "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 309, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8", "type": "query", "version": 211 - }, - "8.14": { - "max_allowable_version": 410, - "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8", - "type": "query", - "version": 312 } }, "rule_name": "Attempted Bypass of Okta MFA", @@ -3059,16 +2081,6 @@ "version": 412 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 214, - "rule_name": "Network Connection via Certutil", - "sha256": "3f6234c8ab1d36fc0aee41b20d47c226fdddafbf988fd7a990edd1967bb6c123", - "type": "eql", - "version": 116 - } - }, "rule_name": "Network Connection via Certutil", "sha256": "ee7de9f4e8ab3c5761b6312c919095c5cf492a9db5a0723c83799fc34b584f5e", "type": "eql", @@ -3117,16 +2129,6 @@ "version": 4 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "b4336a223059e535a011019a1195afac85891381ddf49844a802db5e2b477d60", - "type": "eql", - "version": 108 - } - }, "rule_name": "Persistence via Microsoft Outlook VBA", "sha256": "e8b70f2aab1ae0ee6ed818eb7bb5e7feb7fb75ac124680f6f0e9e79ae7395e46", "type": "eql", 
@@ -3139,16 +2141,6 @@ "version": 4 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "fc1b169b413a359de4934f4cdf8bca79458b0cd5efd1a93bba0b8a05aba10b7d", - "type": "eql", - "version": 112 - } - }, "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "b6849461e18e497a4263083d82b749167b7e60058fe7cf9b90db792dfedbc744", "type": "eql", @@ -3173,7 +2165,6 @@ "version": 100 }, "3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": { - "min_stack_version": "8.14", "rule_name": "WDAC Policy File by an Unusual Process", "sha256": "640dfc022ddd5eeadf5bb3e60d197db1c475d8e6f2e672c0eb61b1c5390c98b8", "type": "eql", @@ -3204,32 +2195,12 @@ "version": 104 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "9bd527185ec4c38596e49c3a7ad276daa080ef3cf609a464de4f59e21fc1080d", - "type": "eql", - "version": 112 - } - }, "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "ae201f63b498ee9be3fb10b20daa1fefbe924dae1f8f7aecdfa986d172ae93e1", "type": "eql", "version": 414 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "NTDS or SAM Database File Copied", - "sha256": "e7e2e6f51e3b146d38491ba00f4d5be16be218fd4df4c1722005f294e0748e60", - "type": "eql", - "version": 116 - } - }, "rule_name": "NTDS or SAM Database File Copied", "sha256": "14fa291c0e479222e6175385f35702531994795946c66295ddec4f95b50845db", "type": "eql", 
@@ -3266,32 +2237,12 @@ "version": 103 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "9a8b7d4f395146c067ba15784a025d26856d4595658268dfb01fcc8117120808", - "type": "eql", - "version": 5 - } - }, "rule_name": "ScreenConnect Server Spawning Suspicious Processes", "sha256": "7537070f3775a1dff89d78c8ef5ae633d97e6cd0a32180d83b000540270ab29c", "type": "eql", "version": 205 }, "3d3aa8f9-12af-441f-9344-9f31053e316d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 104, - "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972", - "type": "query", - "version": 6 - } - }, "rule_name": "PowerShell Script with Log Clear Capabilities", "sha256": "3eb8a1947715938780e819d71334fd11a170328f2310ffc13b69fc69fdf047fb", "type": "query", @@ -3316,16 +2267,6 @@ "version": 5 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "179cea119143b4ac449008db8f5bce05e743da299c57ecb9c2599d4ad223cefe", - "type": "eql", - "version": 9 - } - }, "rule_name": "Suspicious Execution via Windows Subsystem for Linux", "sha256": "c7ce8b4413d99ed660c419bd822448ecdb2bb29f85095afc3954b5b698f0510e", "type": "eql", 
@@ -3356,32 +2297,12 @@ "version": 1 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "abfd83fc5f72d9b12cc92cb190d7f4e9f759d7e1b048db54399447345f56c2f1", - "type": "eql", - "version": 113 - } - }, "rule_name": "Privilege Escalation via Named Pipe Impersonation", "sha256": "1468f7e6e831e3af972a832a3504553bafb48b5b69afdfa59403fbbc96d1ad85", "type": "eql", "version": 314 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 307, - "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927", - "type": "eql", - "version": 208 - } - }, "rule_name": "Suspicious Process Creation CallTrace", "sha256": "be4f79a2a38ca61332f643c365ce4e3776f3ff9a73f6887ef1aa6d67d5153a22", "type": "eql", @@ -3424,7 +2345,6 @@ "version": 5 }, "3f7bd5ac-9711-44b4-82c1-fa246d829f15": { - "min_stack_version": "8.14", "rule_name": "Command Execution via ForFiles", "sha256": "30f1410a357c558927f5cce5f2d9674c0e66b3fcd0ccdfed460da52ae466ff4a", "type": "eql", @@ -3443,16 +2363,6 @@ "version": 104 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Unusual Process Spawned by a User", - "sha256": "224877a0c6c75c03df527910da6a040b10e978b5277a900b3a5ebd606e5dcebc", - "type": "machine_learning", - "version": 8 - } - }, "rule_name": "Unusual Process Spawned by a User", "sha256": "c26260d1977bf5bdca1f886c44ec9eb78f3a2a3f006f7c578474c60debadf653", "type": "machine_learning", 
@@ -3471,16 +2381,6 @@ "version": 204 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Unusual Persistence via Services Registry", - "sha256": "f1c3d405ae61b94497a8a3b5ee7ad7b72dcadfec716c42f2975f6e18b624ec88", - "type": "eql", - "version": 112 - } - }, "rule_name": "Unusual Persistence via Services Registry", "sha256": "5e43f778807201218a8a3cd2b8d33600b9cad394bf1d10a1a6a2bb8219170ffe", "type": "eql", @@ -3499,16 +2399,6 @@ "version": 106 }, "416697ae-e468-4093-a93d-59661fa619ec": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "78c5895b416222839fc4b6839d36612b1a0f0e27a9024d52f91607da235123e1", - "type": "eql", - "version": 114 - } - }, "rule_name": "Control Panel Process with Unusual Arguments", "sha256": "311c4b3abd771bf6dbbf76f79d3b9fa882b6979c0298c1d842b6c8a780fa4117", "type": "eql", @@ -3559,19 +2449,12 @@ "42bf698b-4738-445b-8231-c834ddefd8a0": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 310, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a", "type": "threshold", "version": 212 - }, - "8.14": { - "max_allowable_version": 411, - "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a", - "type": "threshold", - "version": 313 } }, "rule_name": "Okta Brute Force or Password Spraying Attack", 
@@ -3580,16 +2463,6 @@ "version": 413 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 109, - "rule_name": "Process Creation via Secondary Logon", - "sha256": "f79e046cbbec23da583f5a9a5ff0c2359af0a92b60efb6da01790d90fefb9cb9", - "type": "eql", - "version": 12 - } - }, "rule_name": "Process Creation via Secondary Logon", "sha256": "0f366e14695fce4131d2de09a7d46f8a0d1e897bd78444ef5ed8bbce30a30770", "type": "eql", @@ -3614,32 +2487,12 @@ "version": 110 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "3093b3093e9dfac5593dd9dead91b15345100e95d1bca816d602302c4ad03332", - "type": "eql", - "version": 112 - } - }, "rule_name": "Startup Persistence by a Suspicious Process", "sha256": "c0608c95611f1a89e093cb3a0b2080c46a012ec91358883418506af1cd874eb3", "type": "eql", "version": 312 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Unusual Windows Path Activity", - "sha256": "67bd807b50763f06dc6861bd1b4a7ad996afbb5766a7dc22bec1762999b6b281", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Unusual Windows Path Activity", "sha256": "0c67162e07a41a693f97af4942752d9557c76b058a4fa0df6be8777647152a80", "type": "machine_learning", @@ -3652,16 +2505,6 @@ "version": 4 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 110, - "rule_name": "Multiple Vault Web Credentials Read", - "sha256": "4ed1c92271f971ccdfb787166f5469edc64084f2b7ec98c1c9f03fa7103e1f23", - "type": "eql", - "version": 13 - } - }, "rule_name": "Multiple Vault Web Credentials Read", "sha256": "d952fa6126823aa4795c6d47b481559663ee4641dff520e86f387180decc8a2b", "type": "eql", 
@@ -3686,64 +2529,24 @@ "version": 3 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Windows Event Logs Cleared", - "sha256": "03df4c9ba83974ad56a692f1e48ad01c5afbc399f016252d9a8f5d25442ad9c5", - "type": "query", - "version": 112 - } - }, "rule_name": "Windows Event Logs Cleared", "sha256": "b2877be463d6d3476c7945fcff9d4b10cbba5ff4847f04b747a59dad96a73e1b", "type": "query", "version": 212 }, "45d273fb-1dca-457d-9855-bcb302180c21": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060", - "type": "eql", - "version": 113 - } - }, "rule_name": "Encrypting Files with WinRar or 7z", "sha256": "6389d9780340aa3eba76379358bc68062f775f8c23b81e15d7be509e7fcc87b2", "type": "eql", "version": 214 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "500d6f2d6faa250fea7e87e78ccb4ffc1ac323562a22fb542e4733f33c5e1d59", - "type": "eql", - "version": 115 - } - }, "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "d1654db54f8a2c7e763a7c7d1fb20d71cf19355115ae479352db7b977682a0a7", "type": "eql", "version": 316 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "9738558986f5eefce14d8f415a984acc7980e6eaf9211b61fbccbcf8814b2e06", - "type": "eql", - "version": 113 - } - }, "rule_name": "Potential Local NTLM Relay via HTTP", "sha256": "cbae5504e94c8d135be970e202b61d75493807ca03a926f3422e7f3913e1bddd", "type": "eql", 
@@ -3774,16 +2577,6 @@ "version": 104 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "1715a0e265def59183c4652ae4742b17cc3578a5d1132831b499ce28f0c7c4a2", - "type": "eql", - "version": 112 - } - }, "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", "sha256": "4fc3777d4378758cdba6f0626f707192e45e0bb4eabaa43407e35f914e7d6dcb", "type": "eql", @@ -3802,16 +2595,6 @@ "version": 109 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "60cb1aafa8d037f564143057fa316c87b326346f698ec418f9301fe073ccfc7c", - "type": "eql", - "version": 112 - } - }, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "5be642a84f9f578e4f7ca280227774f6649786fd9f505fd832b741d7e28a6005", "type": "eql", @@ -3830,16 +2613,6 @@ "version": 11 }, "48b6edfc-079d-4907-b43c-baffa243270d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 109, - "rule_name": "Multiple Logon Failure from the same Source Address", - "sha256": "d3b2f8128fcad0de701a9aa48b9d8f5259837ff59505a81935bc2e5b6d3f3c38", - "type": "eql", - "version": 12 - } - }, "rule_name": "Multiple Logon Failure from the same Source Address", "sha256": "d2585f969107cc9ae78709ef7ed7d0086a142fd32b9378b3306633fb87466cc5", "type": "eql", 
@@ -3888,16 +2661,6 @@ "version": 3 }, "4982ac3e-d0ee-4818-b95d-d9522d689259": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 105, - "rule_name": "Process Discovery Using Built-in Tools", - "sha256": "d6a6479c0c7905bb1f2dd6b93ad2e973b02944bfa46b720e228d49bb15ccb7ec", - "type": "eql", - "version": 7 - } - }, "rule_name": "Process Discovery Using Built-in Tools", "sha256": "c6d9fdb39c7405bc9de7c5d374c70044f34ef32a788ca37046a79a6db321127f", "type": "eql", @@ -3928,16 +2691,6 @@ "version": 6 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "5f73d21d945760cc5f0e2e9e4f3a20183956cd20ac5963505a49fc7c29dd290a", - "type": "eql", - "version": 112 - } - }, "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "b8fb9ee22e08968e0dc38a4a7821aa9e0f623a492d275bc8d7f3e825532b5f56", "type": "eql", @@ -3962,16 +2715,6 @@ "version": 5 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "c6c357f72dda9ad192ec0f1297502bd068bf0cbdcc97ab58e49d86e7cfdde988", - "type": "eql", - "version": 110 - } - }, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "724c9eb77e876a0609dca7f377c3b888ee71c8ace7316e67235b6399e7dde6d3", "type": "eql", 
@@ -3984,16 +2727,6 @@ "version": 2 }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 110, - "rule_name": "PowerShell Share Enumeration Script", - "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1", - "type": "query", - "version": 11 - } - }, "rule_name": "PowerShell Share Enumeration Script", "sha256": "fdb260cd12a650f01e9663894e62c091eec9d70cfa7d579f4708358a4415dc9c", "type": "query", @@ -4018,32 +2751,12 @@ "version": 107 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "214f871b4ac72ba8d644b997c7991d4b88cfc32320409761af37fcb8717ce0a7", - "type": "eql", - "version": 114 - } - }, "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", "sha256": "449e14f8848eac71399cc23c1b6669e220569f25f071fa022f970e5fc8a87f9b", "type": "eql", "version": 315 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 110, - "rule_name": "Multiple Logon Failure Followed by Logon Success", - "sha256": "a850bf83897d0291d578f2f0ac69c11ed4288d5da688c63475e863bfc7edebc4", - "type": "eql", - "version": 13 - } - }, "rule_name": "Multiple Logon Failure Followed by Logon Success", "sha256": "751b70e5b7717328b4dd47712a45f968eae280094169a92ef83343b306e70e8d", "type": "eql", 
@@ -4056,32 +2769,12 @@ "version": 111 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "706691106e2a013f1cf173681567fcb4f84c44db8406ee24fd96b866d5d17888", - "type": "eql", - "version": 113 - } - }, "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "2f2d1d989113eef4a198eec72d1cba340c3aa89886d5461b653e7969b9e4a186", "type": "eql", "version": 314 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Suspicious Script Object Execution", - "sha256": "d03461949ea02ae5d1a9afa32408fcc350c90751725cecedddb19bc153f58ba7", - "type": "eql", - "version": 110 - } - }, "rule_name": "Suspicious Script Object Execution", "sha256": "21d6ca38910e536e9886d360bd1cfe63932e9d4036a7d6a26af4708806dfecdb", "type": "eql", @@ -4090,19 +2783,12 @@ "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63", - "type": "query", - "version": 311 } }, "rule_name": "Unauthorized Access to an Okta Application", 
@@ -4123,16 +2809,6 @@ "version": 6 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Execution via TSClient Mountpoint", - "sha256": "9ff2cb9dd5ea847ba0e865edd15a145b5015f7bfd5601d9a07a3ad7c4aa13b0c", - "type": "eql", - "version": 114 - } - }, "rule_name": "Execution via TSClient Mountpoint", "sha256": "43a1d4bda6d39e5c7941b832e24b922e10f38531c3c5d2b9b8f55bdfe0b0d99d", "type": "eql", @@ -4141,19 +2817,12 @@ "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 104, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7", "type": "threshold", "version": 6 - }, - "8.14": { - "max_allowable_version": 205, - "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7", - "type": "threshold", - "version": 107 } }, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", @@ -4168,16 +2837,6 @@ "version": 2 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "Windows System Information Discovery", - "sha256": "17e4aea652e17a149717afe81d8d917e26f0dbd3d4cad9923c0e7cb71eac92e7", - "type": "eql", - "version": 9 - } - }, "rule_name": "Windows System Information Discovery", "sha256": "3fbcb0954df0fd52c7091bdf8c13448b46dcbafa7fd29d10fba35297879b48f5", "type": "eql", 
@@ -4190,16 +2849,6 @@ "version": 105 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "13b9667f77ece11fa75c760717a7f1a7474e6cf3583c6d428b0b835bbb79c161", - "type": "eql", - "version": 110 - } - }, "rule_name": "Registry Persistence via AppCert DLL", "sha256": "a122de466303b9918efe6f15d1a658addad361829c6bf7d515d823a75eb19a2f", "type": "eql", @@ -4218,16 +2867,6 @@ "version": 105 }, "5188c68e-d3de-4e96-994d-9e242269446f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Service DACL Modification via sc.exe", - "sha256": "0103f881f5ee4e7c9d82ed15157325d5b5a58d4e397d6367d4da02bbf8ce0034", - "type": "eql", - "version": 4 - } - }, "rule_name": "Service DACL Modification via sc.exe", "sha256": "2196b597b084d5ecbb13b0b17492f36f5b84dcca3a09a280a2e2d59035ac22bb", "type": "eql", @@ -4240,16 +2879,6 @@ "version": 3 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "341be9c43bad17537b54fdc7f40f8c156c772443e30caf8193c825ef8ae6e632", - "type": "eql", - "version": 109 - } - }, "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "98bc7f7c240e76cd9d3ecb1a5633fb0d68e571ceffa5569f91e5702c53b02d8f", "type": "eql", @@ -4280,16 +2909,6 @@ "version": 1 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", - "type": "eql", - "version": 109 - } - }, "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "6a3129bcebcc413938e081a72c565ac7e9a135830fc1c5c11e4c24f98d29c734", "type": "eql", 
@@ -4344,32 +2963,12 @@ "version": 7 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "33313501aab3ebd4c97177b9d2f9462691e4c62a10efc4c19fc3417517abfbcf", - "type": "eql", - "version": 113 - } - }, "rule_name": "Suspicious PDF Reader Child Process", "sha256": "dae0c8a08f768305b1aa9ad113a02db0438a7c0d22a4aa8088f1a3568300c6a6", "type": "eql", "version": 314 }, "53dedd83-1be7-430f-8026-363256395c8b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 105, - "rule_name": "Binary Content Copy via Cmd.exe", - "sha256": "83eb2f905a505910e8693162369ba3f7e06a7c2f331aa002af5bb31379c6e46d", - "type": "eql", - "version": 7 - } - }, "rule_name": "Binary Content Copy via Cmd.exe", "sha256": "9ef3f604c40a90763ae7818ac31b2169a1d0f2b10c955d5bb5df363016648099", "type": "eql", 
@@ -4382,80 +2981,30 @@ "version": 2 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Uncommon Registry Persistence Change", - "sha256": "44240eefb782b212aa0e92aa499c5c53a15dd47c2d5ccd8d5bbd7e730a2ced0d", - "type": "eql", - "version": 112 - } - }, "rule_name": "Uncommon Registry Persistence Change", "sha256": "b7dac84100da5dd86f5b3db2e97a9c0d5bbc086be021a8d71d6801723d7317ee", "type": "eql", "version": 213 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74", - "type": "query", - "version": 9 - } - }, "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "204ae09b3fad4e478789727bf76c2cd45d4b667c9a0d7a140a83d9c4d85bfe12", "type": "query", "version": 210 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Network Logon Provider Registry Modification", - "sha256": "c1d15e3f87d0c06656e38903de062e3f17bdbd3884c26fd330cb747036019545", - "type": "eql", - "version": 114 - } - }, "rule_name": "Network Logon Provider Registry Modification", "sha256": "dccddc93820e882a05daa4e44e2f269398b302098bbe00d5c1571ffd86581be4", "type": "eql", "version": 214 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "24bc059a551799ed770e0ee2992748c8016fcfa722ee640541fdedaa89f5f742", - "type": "eql", - "version": 113 - } - }, "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "b10f3813eb60fb8a4796ca8688b2974490c44a482dfe032445b15a89e06b3e21", "type": "eql", "version": 213 }, 
"55d551c6-333b-4665-ab7e-5d14a59715ce": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "PsExec Network Connection", - "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", - "type": "eql", - "version": 109 - } - }, "rule_name": "PsExec Network Connection", "sha256": "90e3f23709d14c16e8714247d3a94ee747ed3ba8514e76d2416f0bd1e9b650d5", "type": "eql", @@ -4468,16 +3017,6 @@ "version": 2 }, "56004189-4e69-4a39-b4a9-195329d226e9": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Unusual Process Spawned by a Host", - "sha256": "20041d45b1675b29ac029036acb9a791d296507da6fc2d342c22e8ae9d37add9", - "type": "machine_learning", - "version": 8 - } - }, "rule_name": "Unusual Process Spawned by a Host", "sha256": "3910654eec2497e6c45f9eba623296d166de75f2bf26bf5f27f652de0fe602b3", "type": "machine_learning", @@ -4486,19 +3025,12 @@ "5610b192-7f18-11ee-825b-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 103, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f", "type": "eql", "version": 5 - }, - "8.14": { - "max_allowable_version": 204, - "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f", - "type": "eql", - "version": 106 } }, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", 
@@ -4507,16 +3039,6 @@ "version": 207 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "844fb3c0e49c833039ab4433243235fa41c2d67fe700084b9c97c8c5d547ccf1", - "type": "query", - "version": 109 - } - }, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "030111f201bee8e956cb3823673b4ed80b1ede153ea729464affed575da4b983", "type": "query", @@ -4541,16 +3063,6 @@ "version": 105 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "PowerShell PSReflect Script", - "sha256": "9075bac2c658f9cd09ae5480d64a0005ed4877f273b113b12c5c9d38098e5c35", - "type": "query", - "version": 112 - } - }, "rule_name": "PowerShell PSReflect Script", "sha256": "60ce649f4376763aa71d2a2bbe3126251aafabb204c1bd51614fab34b09fccd7", "type": "query", 
@@ -4581,80 +3093,30 @@ "version": 103 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "PowerShell MiniDump Script", - "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b", - "type": "query", - "version": 110 - } - }, "rule_name": "PowerShell MiniDump Script", "sha256": "0c2a7186e2aa5916c5889d9d75731f00059da7f8d8306ea8e6cc5ba810f49a4a", "type": "query", "version": 210 }, "57bccf1d-daf5-4e1a-9049-ff79b5254704": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 105, - "rule_name": "File Staged in Root Folder of Recycle Bin", - "sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb", - "type": "eql", - "version": 6 - } - }, "rule_name": "File Staged in Root Folder of Recycle Bin", "sha256": "1acdc9f8e087369826ba6e49c673137f4634a9a62b94bccf201c13d8d3ce0932", "type": "eql", "version": 106 }, "57bfa0a9-37c0-44d6-b724-54bf16787492": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "7d36f22f3ea3b4008813322aadd11c5d337d890ad99892df41b2e3154c755ed8", - "type": "eql", - "version": 4 - } - }, "rule_name": "DNS Global Query Block List Modified or Disabled", "sha256": "c1df3f0030e17676949facaed1368a9f13c67cca442f5b94af0920ed85092de8", "type": "eql", "version": 204 }, "581add16-df76-42bb-af8e-c979bfb39a59": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "6165559b4653bf1ee1706a1331a547f918100b0ced5790793d5e5ba4d729ede0", - "type": "eql", - "version": 114 - } - }, "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "dbac24b6bdcc3636908b11a2fea993e83836aa3541740fc494bfcba3de51d345", "type": "eql", "version": 315 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { 
- "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "RDP Enabled via Registry", - "sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1", - "type": "eql", - "version": 112 - } - }, "rule_name": "RDP Enabled via Registry", "sha256": "8aee0c8639f2f4bee943504b9828ddebae9944ff41119c3a2b4d0fdaa1354f6c", "type": "eql", @@ -4715,16 +3177,6 @@ "version": 103 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "195101291410db100f83b2bbb0bb45a23a5d3c84f0b3cc59e3e80543531dd5e1", - "type": "eql", - "version": 110 - } - }, "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "0803f03287c0303a478d35d524621cf58ec5e09afe472fe968a33d05b1f8e025", "type": "eql", @@ -4755,16 +3207,6 @@ "version": 107 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", - "type": "eql", - "version": 109 - } - }, "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "f9cda122a401560f226e7216339accbcc62094bdba84a4debe35fbdecaf48970", "type": "eql", 
@@ -4801,16 +3243,6 @@ "version": 6 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "35874a6b3415659603a51352ab4aafe03d8e2d816f25c4f343115687e555aa00", - "type": "new_terms", - "version": 115 - } - }, "rule_name": "Suspicious PrintSpooler Service Executable File Creation", "sha256": "4dcc839828bb5d7e479b5816322bbc8808ee054bc913c811cd9690d54c57ca6b", "type": "new_terms", @@ -4847,32 +3279,12 @@ "version": 1 }, "5c602cba-ae00-4488-845d-24de2b6d8055": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", - "sha256": "5ae470e75de9bdbb84070a55c7cfbd9143654a72f9e9193782aea6145b12fd1e", - "type": "query", - "version": 4 - } - }, "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", "sha256": "d4ae42e3bddc23b1b5b75d60e725076a3baf37caeae03e0794a91fa47346aa02", "type": "query", "version": 104 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 112, - "rule_name": "FirstTime Seen Account Performing DCSync", - "sha256": "7183be4ca315578faaa377e9a60195ad188e37db8da8a104b351536251c77267", - "type": "new_terms", - "version": 14 - } - }, "rule_name": "FirstTime Seen Account Performing DCSync", "sha256": "fbe46096710062783651447c684d4a0479eccefab66ff761ebd9bfef6428eff8", "type": "new_terms", 
@@ -4909,48 +3321,18 @@ "version": 109 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "881e17596c2ce4e314625942adb04235a12e70f19501ddbf53391bfe02dd03f9", - "type": "eql", - "version": 110 - } - }, "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "9861068f16d7c13e90230fde674392101cfe9ae5e74dbda9522097093911536f", "type": "eql", "version": 210 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "User Added to Privileged Group", - "sha256": "70bef882918b9abe618227f6f577a2900d5d565d841c12e47a5347e679d614d3", - "type": "eql", - "version": 112 - } - }, "rule_name": "User Added to Privileged Group", "sha256": "ed8120399b57c0837fa2a1b39a25528509b6f5683cb379f1e4fa6e37f0133c19", "type": "eql", "version": 212 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "Persistence via PowerShell profile", - "sha256": "e2a9084a8e3062415cf21a33d22098b3e31cd354006e57075af67e820641af92", - "type": "eql", - "version": 10 - } - }, "rule_name": "Persistence via PowerShell profile", "sha256": "0f950647d4f0916286902132be8dcaec3f65ee3132b998b43e7eeb93677cafe5", "type": "eql", 
@@ -4963,32 +3345,12 @@ "version": 109 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "975967ec3e4989e05b906196e1492ea1f24ac1162211d54845e8c1f682036f71", - "type": "eql", - "version": 110 - } - }, "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "9ea148fb05f1ad8bad2d0c5e98ede34ed27187dca9e159ef7197a3c8afe8882d", "type": "eql", "version": 211 }, "5d676480-9655-4507-adc6-4eec311efff8": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Unsigned DLL loaded by DNS Service", - "sha256": "8f2d6fb941f3e9f2fe599164f806804b1b09b4c08131d79eb3e7ecaab5034c05", - "type": "eql", - "version": 4 - } - }, "rule_name": "Unsigned DLL loaded by DNS Service", "sha256": "0e908a21b5f00f708db56a1f494aafbe52a203ae6f332d5e4e763103aa53e03d", "type": "eql", @@ -5031,16 +3393,6 @@ "version": 4 }, "5f2f463e-6997-478c-8405-fb41cc283281": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Potential File Download via a Headless Browser", - "sha256": "4d8ace1351c9ae35691f8b6021a49e99b73411ceef1141b2991a256639c06fc2", - "type": "eql", - "version": 3 - } - }, "rule_name": "Potential File Download via a Headless Browser", "sha256": "8fdd339fa138d8d7b032a8bc819f24702be2d259fc4e97147f80ae3ab81d8bae", "type": "eql", @@ -5071,16 +3423,6 @@ "version": 207 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Unusual Process Network Connection", - "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", - "type": "eql", - "version": 108 - } - }, "rule_name": "Unusual Process Network Connection", "sha256": "03650e968a078c275a50bd1b08d8a8390430cdb53c2723595bb0b572350387ee", "type": "eql", 
@@ -5093,32 +3435,12 @@ "version": 204 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 103, - "rule_name": "Interactive Logon by an Unusual Process", - "sha256": "132f771ca6058156fbc2c515ad591010a1372d2130f37e7a4b0526d53e0d792f", - "type": "eql", - "version": 6 - } - }, "rule_name": "Interactive Logon by an Unusual Process", "sha256": "1b2b6ec043b9c401900e0918a2fb67d9490780c167321cd5734b6bdd6147069d", "type": "eql", "version": 106 }, "61ac3638-40a3-44b2-855a-985636ca985e": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8", - "type": "query", - "version": 114 - } - }, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "0c8aca13cd27121eb75ba5494b65fc5c53151b4d7a12f3f830916d156f260a95", "type": "query", @@ -5131,16 +3453,6 @@ "version": 100 }, "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "2df55d0ae697d20c47f22d5c616f9c06bb6c4c9fbac2aebb282caa3d9f7e4e1b", - "type": "eql", - "version": 113 - } - }, "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "d6c2af1422e393b85f9523ce6397c2b4b28e15dfb8af6ee48a91d496db20160e", "type": "eql", 
@@ -5149,19 +3461,12 @@ "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 104, "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "f472608d534083bdf5f50a92951a81599a2b3dce40e413de960019aa9f7435f5", "type": "threshold", "version": 6 - }, - "8.14": { - "max_allowable_version": 205, - "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "aee13957217142915e900a15702f1683ba54b1c488d13e92b73e3d8e866779df", - "type": "threshold", - "version": 107 } }, "rule_name": "Multiple Okta Sessions Detected for a Single User", @@ -5170,16 +3475,6 @@ "version": 208 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Incoming DCOM Lateral Movement via MSHTA", - "sha256": "facf2b369187ce8da1649950be8b3e38f3c4c1ec81f490fa646827baf5d2427a", - "type": "eql", - "version": 108 - } - }, "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "2b2a1dca315b2ba3e10a64bdd41f6a67b6cb64924ac2ef44668a7ec80657d775", "type": "eql", @@ -5192,16 +3487,6 @@ "version": 103 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "7d8a44d4634bce7a7e5cbf983f840157836ac6945cc140dda1a4f4a3b3b0717d", - "type": "query", - "version": 112 - } - }, "rule_name": "Account Configured with Never-Expiring Password", "sha256": "0a9b61cf366ce557e1ff625d9c47759506bc34f141b9ebf3602cf3e96b781ef0", "type": "eql", 
@@ -5250,16 +3535,6 @@ "version": 3 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Network Connection via Signed Binary", - "sha256": "66192fcde84de1d9b0e809854015279f1016447b2e2de3d0f3f81aad88df91bf", - "type": "eql", - "version": 109 - } - }, "rule_name": "Network Connection via Signed Binary", "sha256": "dbff3c36a4ce01428dd306c519a48b7816f503173ba63ff090c31c9719748cc6", "type": "eql", @@ -5296,16 +3571,6 @@ "version": 100 }, "65432f4a-e716-4cc1-ab11-931c4966da2d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": "0dec5c209de4432366d522c8479caa203fc027282bbca7df21df60a9a9ff41e1", - "type": "eql", - "version": 2 - } - }, "rule_name": "MsiExec Service Child Process With Network Connection", "sha256": "159c5871496b2240dc1edfc09db683fb7932c924589e736eb32c5a80fd21b0a7", "type": "eql", @@ -5332,19 +3597,12 @@ "6649e656-6f85-11ef-8876-f661ea17fbcc": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 103, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4", "type": "new_terms", "version": 5 - }, - "8.14": { - "max_allowable_version": 204, - "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", - "sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4", - "type": "new_terms", - "version": 106 } }, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", 
@@ -5353,16 +3611,6 @@ "version": 206 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "WebServer Access Logs Deleted", - "sha256": "3d41e0a751de0eefc517ae323b3602930bdfa24fbf61b7c15235e4be117511ac", - "type": "eql", - "version": 108 - } - }, "rule_name": "WebServer Access Logs Deleted", "sha256": "c437c24eaca8d8d4b1fbd92c21ca0f8dd61115f3a64e0c02f1e23aa0e428060f", "type": "eql", @@ -5393,16 +3641,6 @@ "version": 209 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 112, - "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "a2b0e85ea8b810a2ed22188f8d14303a6077c51b2edeaf8e5f5007a0c9644381", - "type": "query", - "version": 15 - } - }, "rule_name": "Modification of the msPKIAccountCredentials", "sha256": "23fbdf47b000d9debd0a1f9c2fff328a61097abfdc687038b0f05997e55b3dca", "type": "query", @@ -5411,19 +3649,12 @@ "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Modify an Okta Policy", 
@@ -5440,19 +3671,12 @@ "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Revoke Okta API Token", @@ -5479,16 +3703,6 @@ "version": 100 }, "6839c821-011d-43bd-bd5b-acff00257226": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Image File Execution Options Injection", - "sha256": "8107c66fd0a677b8966bf0f40409dfdac75050d7a2372a8e4ba10ce0350e6dfd", - "type": "eql", - "version": 111 - } - }, "rule_name": "Image File Execution Options Injection", "sha256": "bebbfc9c058cfc51931d5709b857995da179d43ad8e786073c42d4d74c29ef69", "type": "eql", @@ -5503,19 +3717,12 @@ "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 307, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd", - "type": "query", - "version": 310 } }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", 
@@ -5524,16 +3731,6 @@ "version": 410 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "fb1c6b89350f0562319e1eaccabc46a2a855fb936516da145a6c640de6692808", - "type": "eql", - "version": 113 - } - }, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "78ed8e3ec78e07b57adeb31da14d9a43326b9262e57f55869c0c2faa91708238", "type": "eql", @@ -5546,16 +3743,6 @@ "version": 207 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "a55f600e7c4e20a4be4404040ef2bc40bd6288c5aa54fc3a6d52c192f117858e", - "type": "eql", - "version": 109 - } - }, "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "c0988d5971ae4b85ecac42dfbe57eb1514ddc1c13df5f2bba07ca1f2097e2414", "type": "eql", @@ -5568,16 +3755,6 @@ "version": 209 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "3f6e6dde427189d7e561da47cb689604201870715612cc80e8bc8f4247d1a7c6", - "type": "eql", - "version": 4 - } - }, "rule_name": "Suspicious Access to LDAP Attributes", "sha256": "40a07077d685e3bd7b6fb4cd8efdaeb95c30a8b4ecd82ce33d742d4269742948", "type": "eql", 
@@ -5590,16 +3767,6 @@ "version": 1 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "88f491fbc91172a9ce530e464d3e41d098720ae427782544b68895129cdc1564", - "type": "eql", - "version": 111 - } - }, "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "dd1cccfa31ef19b5a08923452387349ef94bd64771d07f0bea725ec4a9d462f8", "type": "eql", @@ -5630,16 +3797,6 @@ "version": 3 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Modification of Boot Configuration", - "sha256": "ccaafef97b4bdf8ae36b9c2337353a7b352d18f0aeb421cddbace9a8b130b15e", - "type": "eql", - "version": 112 - } - }, "rule_name": "Modification of Boot Configuration", "sha256": "319d1711a4cf9b2d08557794a1e701ac31b3fddfd811565218a3292242b453ac", "type": "eql", 
@@ -5664,32 +3821,12 @@ "version": 3 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "5f2f1310bff01d3a4c1ca2605ab01c632f85b21d4078a06cb88c4ffeabc174ff", - "type": "eql", - "version": 111 - } - }, "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "f463a7fe6e3b83f613bbd5fe19c3341fc1281b264a8b32289a081c9e9f5748cf", "type": "eql", "version": 311 }, "6aace640-e631-4870-ba8e-5fdda09325db": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "9c37ce484fd50f922517f40b9bd1a5a55b402537ccb8f7e8f0b06c3b83261bf7", - "type": "eql", - "version": 113 - } - }, "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "28e4dd54ff6cf9610c2e7f5c8963ff1fb97cfa3c8d66f651ac36754556828b43", "type": "eql", @@ -5714,16 +3851,6 @@ "version": 209 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "574bda4d46d48399ba9e29a6e639b33f8f103bb7c85f9e7c935581bb3c63ca37", - "type": "eql", - "version": 110 - } - }, "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "29d396b355d7151b61a62895b2862782dd3172ec6fc4a54b25fcdd98c3adb3c1", "type": "eql", 
@@ -5736,16 +3863,6 @@ "version": 4 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "545b3d224a0f1f8ebeb0d9f6ca6077c60c57b650d6a3daa51b4a8b30de55da39", - "type": "eql", - "version": 109 - } - }, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "7d551332f1288a1e8d53bccfab142a72143c5e61a950b05be6f4f8711ba883c5", "type": "eql", @@ -5764,16 +3881,6 @@ "version": 1 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Unusual Process For a Windows Host", - "sha256": "a84737464ef6658f7587d12e88f77356e079d797986616813ffb6be47e2abaa0", - "type": "machine_learning", - "version": 112 - } - }, "rule_name": "Unusual Process For a Windows Host", "sha256": "557a4432fcdb67fea0e8dd2558d19664cf507405b6db1317a0c399e9808e851d", "type": "machine_learning", @@ -5792,16 +3899,6 @@ "version": 103 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", - "sha256": "3e70cb8e8c6dafe24f60de10cdfcbe05df8d323ef0caf42790714990ebee78c0", - "type": "new_terms", - "version": 9 - } - }, "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", "sha256": "5c822663f4adb4fbe774488dea9f1151737198a06f47eee9a57d3a0cb174fc52", "type": "new_terms", 
@@ -5814,32 +3911,12 @@ "version": 2 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Anomalous Process For a Windows Population", - "sha256": "aa536cbc660cc56dffc7bd3cbb4098aacc6c96df9edb4d4dbe8f33414448b4d3", - "type": "machine_learning", - "version": 109 - } - }, "rule_name": "Anomalous Process For a Windows Population", "sha256": "f51d97afdd1733e5fc284af1e741adc641483e82eab7f5fefd10f0447b2654d8", "type": "machine_learning", "version": 209 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "AdminSDHolder Backdoor", - "sha256": "43aaf38f234d7186a1f9dca4f91a364e5afa675e3cade497946daf63f3b20ada", - "type": "query", - "version": 112 - } - }, "rule_name": "AdminSDHolder Backdoor", "sha256": "6e6ec5cdbeea619a81df6a042f482c3b30c3e7c536872c640acea2464572e55d", "type": "query", @@ -5852,32 +3929,12 @@ "version": 209 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "736e277394bca054547364d6d99541019679fc36129d52d20115c635cea06701", - "type": "eql", - "version": 110 - } - }, "rule_name": "Potential Windows Error Manager Masquerading", "sha256": "8c0b8e6ae4907a14420c8dc8d06917470f29f360f9604118f6220115e981bef3", "type": "eql", "version": 210 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "Security Software Discovery using WMIC", - "sha256": "6d179ca370610d0b32e8d97afeb4610e7efea1ad82eefdd0c4d5eeca33d29549", - "type": "eql", - "version": 115 - } - }, "rule_name": "Security Software Discovery using WMIC", "sha256": "1eabbe231f6dd025a57eddc91f5f0ab86ba82b348af4ccf02cfd3cd114f7a38b", "type": "eql", 
@@ -5896,16 +3953,6 @@ "version": 109 }, "6f024bde-7085-489b-8250-5957efdf1caf": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "525d8781dc9e163d70a8889b89be269f79c5df5c44403c7e5d713b19ce001c82", - "type": "eql", - "version": 4 - } - }, "rule_name": "Active Directory Group Modification by SYSTEM", "sha256": "0bf67b434c4aa3cd9d1f354605959c5e1dffd1040f5cfa17fe20664cb2be546c", "type": "eql", @@ -5920,19 +3967,12 @@ "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 103, "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8", "type": "new_terms", "version": 5 - }, - "8.14": { - "max_allowable_version": 204, - "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8", - "type": "new_terms", - "version": 106 } }, "rule_name": "First Occurrence of Okta User Session Started via Proxy", @@ -5965,16 +4005,6 @@ "version": 209 }, "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Suspicious Execution via MSIEXEC", - "sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious Execution via MSIEXEC", "sha256": "ebca825d8f82f3442cf31f625828e5423889ecb4f613cd0a3a06c3e0ca9cd8a4", "type": "eql", 
@@ -6005,32 +4035,12 @@ "version": 210 }, "71bccb61-e19b-452f-b104-79a60e546a95": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 214, - "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "021ab9fdaf96cad949b46c2810f09637e27d34d4870bb4544afe5e33d4fcc8fa", - "type": "eql", - "version": 116 - } - }, "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "25b753cd927ee68be264ce3804a09298ae399947fa04077161f80d8f6db87aec", "type": "eql", "version": 316 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "4465fa5b7551e881e3e5b66b1cfae96e4f8459191b87e2266b1fc1998c26d690", - "type": "eql", - "version": 111 - } - }, "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "d39c0a65fabb51bbd9bbf21cda120d03b4b1891934c8d8298addd7d3585b1ccb", "type": "eql", @@ -6063,19 +4073,12 @@ "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", 
@@ -6096,16 +4099,6 @@ "version": 3 }, "730ed57d-ae0f-444f-af50-78708b57edd5": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "172c7bb001f289281c519a30ba17e66fad2c3a149e5493bc5d33d6253730f818", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious JetBrains TeamCity Child Process", "sha256": "06f872b67e1eb6c769298d8362435abcb5d3cbec2d6484e626e95d8d0eebaa6e", "type": "eql", @@ -6124,16 +4117,6 @@ "version": 3 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "491014d84ab03e206e7acd9755d0269b2830a9b3f9c44913c29682c433c740a6", - "type": "eql", - "version": 113 - } - }, "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "46384078f361759cefe252f2ab0c88a0782b3c678d19dbdf8f572efaf67b2044", "type": "eql", @@ -6194,16 +4177,6 @@ "version": 205 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 111, - "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "4d4b321e49dadb001df32d6acd71103bd41b71124f92b855ea4335c99dfa105a", - "type": "eql", - "version": 14 - } - }, "rule_name": "Access to a Sensitive LDAP Attribute", "sha256": "a481e442047e2b0adc22745dfd2fcc05baaec9637cbbde9e2dc5b3b8f7eb0c67", "type": "eql", 
@@ -6216,16 +4189,6 @@ "version": 212 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 205, - "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "d7ae7c609b2c09df86e03eb23c9f3d9c19a114f3e9e69d99121828e0555ea7ff", - "type": "eql", - "version": 107 - } - }, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "e1e295f294c6b07c1e080468d6318856c5ebf7271e5bac171df35c63b4086c15", "type": "eql", @@ -6238,32 +4201,12 @@ "version": 11 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "bb7f0c41faf746a3298480bfc47800f229539f64b5ce87b3bf40574b2c3dca0a", - "type": "eql", - "version": 113 - } - }, "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "7b98f60a9095e9ab2e48250d69832e4648e68f34c1d3245986714e9962af987c", "type": "eql", "version": 417 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "e5462ca4e56f7f3ff1144cc8980d76abdfa350e122d9e02fdbc203194900825b", - "type": "eql", - "version": 115 - } - }, "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "92e73275ccad86dd30136bc621226630dc7342e41bd2362a9687ce807ef9be5d", "type": "eql", 
@@ -6324,16 +4267,6 @@ "version": 209 }, "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "beba3270fb78600264fbe41ac386fb2d7c7f6877563ed96e2b7ca2778bbd1b7f", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "efd692c82b20a2d4682c25d2683573ec65e8729402445a561baac25768ee5d1a", "type": "eql", @@ -6389,32 +4322,12 @@ "version": 1 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "Potential File Transfer via Certreq", - "sha256": "c1f7d50618580187b015a4aadd76a9e484eb5bb8ce8143e052cb8118a678c4d1", - "type": "eql", - "version": 11 - } - }, "rule_name": "Potential File Transfer via Certreq", "sha256": "0622888a853c207510e5f9385fd4b78d4d47616cd4c3bc8b7fdb9e5bbd0260b3", "type": "eql", "version": 212 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "42853b04a39893088bdb0ebf5c479305c2f34e5352c3ccfa65ef5146efc6e8a4", - "type": "query", - "version": 113 - } - }, "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "af8023c96394cc43f92cf51e13e0cacc0d93158f5241c62ad651a238d3c617c1", "type": "query", @@ -6457,16 +4370,6 @@ "version": 207 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "Windows Network Enumeration", - "sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486", - "type": "eql", - "version": 114 - } - }, "rule_name": "Windows Network Enumeration", "sha256": "344dca0a521891ded14c0fa6218e8d742b0d0c478d220c1433bf97273df3b42f", "type": "eql", 
@@ -6475,7 +4378,7 @@ "7b981906-86b7-4544-8033-c30ec6eb45fc": { "min_stack_version": "8.16", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 100, "rule_name": "SELinux Configuration Creation or Renaming", "sha256": "7b361ea07b92064cb854e35573c5988af529ce6fb75a264cdd27ff53b0963e28", @@ -6489,16 +4392,6 @@ "version": 102 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 307, - "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "9abb27e289a572393ecc8c26044e5a71196cc1d77d152f84fbee7138251de7de", - "type": "eql", - "version": 209 - } - }, "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "bb2e07eec501f5e296c694526b219607dca9e18bad1a4d862fd1cab9bac5fe08", "type": "eql", @@ -6559,23 +4452,12 @@ "version": 4 }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "1cc5185969e04329ea04aa4bf8d5d1e3a8d47fa9e0ac1f47e3012111ef6c91be", - "type": "eql", - "version": 6 - } - }, "rule_name": "Microsoft Management Console File from Unusual Path", "sha256": "1932d2c6a7574c3d3dcd32ba76e9193f88aa77d2be7e5591e0616b44a0172290", "type": "eql", "version": 309 }, "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { - "min_stack_version": "8.14", "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", "sha256": "e03b56ad3cc6e1d81845996b6bf137225573011b20ba352bde3cfbb18e4479f6", "type": "eql", 
@@ -6588,16 +4470,6 @@ "version": 103 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "1fcee1562ccb772f6a7729303e250ead257201a219aa8ffee182b66f784076d3", - "type": "eql", - "version": 110 - } - }, "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "a12e4767a30ca28c3ddc986cf3c77848cd65ddfce15fd96b7577dab2afff5122", "type": "eql", @@ -6640,16 +4512,6 @@ "version": 4 }, "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Potential PowerShell Obfuscated Script", - "sha256": "1106414c1ef42b911e2c96ae0a545a86614b9a568aa9742419c22b0a71a0e879", - "type": "query", - "version": 4 - } - }, "rule_name": "Potential PowerShell Obfuscated Script", "sha256": "f81754824afd09978cc7c486a795db468b2056bf7fad5883848582f85a47c031", "type": "query", @@ -6662,16 +4524,6 @@ "version": 2 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 103, - "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", - "sha256": "f3e0f53c321d7760c971547d90245085ba16e37bb4a6cbbb16a17e495f180f1d", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", "sha256": "cd00aafb325b718b74940c08fcc167b018b79db66f6d2ecb94b54f5fd3a55d1d", "type": "eql", 
@@ -6696,16 +4548,6 @@ "version": 5 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc", - "type": "eql", - "version": 110 - } - }, "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "79d56380a744abb989063bf3baad2ba31b19b1d7ceb2de2be8234bf921051f81", "type": "eql", @@ -6718,32 +4560,12 @@ "version": 100 }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "efc3d78e44e73f61be6817f00d4df5af584ce5e02e96ca5fb45a45d84d771116", - "type": "query", - "version": 113 - } - }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "446a5437935aff86d9b2c78df79189e0201a991a36436313898a59f7706245e6", "type": "query", "version": 315 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "f3147338285b65e5fc2727bb5e244417230a438c509b93732c76fc659df7a77e", - "type": "eql", - "version": 10 - } - }, "rule_name": "Temporarily Scheduled Task Creation", "sha256": "4e4089ee80c9f3fe5c661058d288082e4d02074f2e92640bf2a14b63fdec41a8", "type": "eql", 
@@ -6786,16 +4608,6 @@ "version": 100 }, "83bf249e-4348-47ba-9741-1202a09556ad": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "d97f88a21e5ef203f235aaa22174e05b7a3af6d503f8955c63fbad955ab56a5b", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious Windows Powershell Arguments", "sha256": "bcd9044616fb4c41c855119819ab2ed72243d4d248199226a9d6287def186883", "type": "eql", @@ -6814,16 +4626,6 @@ "version": 4 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Microsoft Exchange Transport Agent Install Script", - "sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412", - "type": "query", - "version": 7 - } - }, "rule_name": "Microsoft Exchange Transport Agent Install Script", "sha256": "20a8c64cf10a599a57a3f2adcde2cd11f433b594347d5f01e75ddc591af6b8cb", "type": "query", @@ -6842,16 +4644,6 @@ "version": 105 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "ed8b2a515385353dbfff6d484b45000dd49af48e2b5abc8e44406fa955d7225e", - "type": "eql", - "version": 114 - } - }, "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", "sha256": "0aeabad8b6360ffeb8fa1b4e1f3b623d7b0ade5cde31301f7321c1463ec7fa9c", "type": "eql", 
@@ -6912,16 +4704,6 @@ "version": 110 }, "871ea072-1b71-4def-b016-6278b505138d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "Enumeration of Administrator Accounts", - "sha256": "f8c272cacf74e41908905fbe517ec45ff817e7a6f81d7a2cc3997687c84ad708", - "type": "eql", - "version": 115 - } - }, "rule_name": "Enumeration of Administrator Accounts", "sha256": "b50e5bd6eb867aa0c8f17a52fb8f577cdd31f5d5f75f4be9e1d462d4222d22e5", "type": "eql", @@ -6970,32 +4752,12 @@ "version": 108 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "8809aba8865764ab7fa1c657c37778c6657378dc4f2cfb4c6127be5e794149ed", - "type": "eql", - "version": 109 - } - }, "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "53a213d8996a7876b24f56a45cbd4b7f95f660de24ee6058b95deef9899d84c9", "type": "eql", "version": 209 }, "894326d2-56c0-4342-b553-4abfaf421b5b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "e247d1c92d0054f5c3a3d6aa1d7d50053e63ec57610f92bf623e1c665d5fef72", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential WPAD Spoofing via DNS Record Creation", "sha256": "097ecbe7691d20f9769066582286b7b4cf5089fcc6870e7167267a94faf759d8", "type": "eql", @@ -7020,16 +4782,6 @@ "version": 211 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Command Prompt Network Connection", - "sha256": "95c1cb5499a597411e4e3b7103680f9d8fb49cf5fc8cb6f354b9483142545adc", - "type": "eql", - "version": 109 - } - }, "rule_name": "Command Prompt Network Connection", "sha256": "f36e46aabd03a9e82d6e55f6c98dcd0a0f0ae620cd00b0ba0f21e7518a759e2d", "type": "eql", 
@@ -7050,19 +4802,12 @@ "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 105, "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a", "type": "eql", "version": 7 - }, - "8.14": { - "max_allowable_version": 206, - "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a", - "type": "eql", - "version": 108 } }, "rule_name": "Potential Okta MFA Bombing via Push Notifications", @@ -7083,16 +4828,6 @@ "version": 106 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "cd861b1c03ef17e10978c9c1e342be58e0362cd9eef31c85cb7b40568cf5fa52", - "type": "eql", - "version": 109 - } - }, "rule_name": "Suspicious Execution from a Mounted Device", "sha256": "ddcebc2310acf9c6471b9345d63edcd418123b3e163cca09175bc75defd47755", "type": "eql", @@ -7101,19 +4836,12 @@ "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Network Zone", 
@@ -7140,32 +4868,12 @@ "version": 106 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "79486f56c33d6afd1cec4fbf8dc404d0f0e9fc38b19572051d537f800d601ed5", - "type": "eql", - "version": 110 - } - }, "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "c15790a8f71b15dd684b959f65fa22034a2fafcf821c26c0a2771f727b0c088d", "type": "eql", "version": 310 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "91cdd11fc144f89b569a54e7275f2028a431bf4b3f898c924be4ca038ed1e1db", - "type": "eql", - "version": 112 - } - }, "rule_name": "Enable Host Network Discovery via Netsh", "sha256": "5e8971df8497f0c448f35992264db5351dcb8c2fd6a7a53ed18fea0eec89b727", "type": "eql", @@ -7184,16 +4892,6 @@ "version": 105 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Unusual Child Process of dns.exe", - "sha256": "911e718531c11fae196314f279f6f059a3a14dee38701be164c18c20a69be5a8", - "type": "eql", - "version": 113 - } - }, "rule_name": "Unusual Child Process of dns.exe", "sha256": "867b10d1207fb72a4c80df7516090d981653a229fe0961a03d278b07a8e8b269", "type": "eql", 
@@ -7248,16 +4946,6 @@ "version": 103 }, "8e2485b6-a74f-411b-bf7f-38b819f3a846": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "cc8123040408a5a7b8824468814a4a6152edc5a53ce52f8d4a21411633b35e12", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential WSUS Abuse for Lateral Movement", "sha256": "523a79457ebd120192055f51dd87edc16265da30254315d5d7fda6729362e1a1", "type": "eql", @@ -7270,16 +4958,6 @@ "version": 4 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 104, - "rule_name": "Bitsadmin Activity", - "sha256": "96da24c5865af45e8f97dda18459a22901c821608d0882b14b8d21d20c5db1f3", - "type": "eql", - "version": 6 - } - }, "rule_name": "Bitsadmin Activity", "sha256": "b26871ba275b05a8a536baa79c0e3200e9624866b75d442ef29859ec0e3574f9", "type": "eql", @@ -7292,16 +4970,6 @@ "version": 1 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": "b3f6fd62337753431592f0b819d7b43364bec6c27449bda2d19dedddedc22d07", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "sha256": "4bc16ba3becb47c564ddf8155c01f3fb0d4c5ede2cb27e19c359d7d715b65a25", "type": "eql", 
@@ -7314,16 +4982,6 @@ "version": 109 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "fcce93128b54c854991bf62a7016a112b1eae5e6fa8d95fc7f0ce183c1695e49", - "type": "eql", - "version": 108 - } - }, "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "c4aa90522a7d5aa3b88d0036b85d17990ea683e84e7567bc8c9393ae0bc21e42", "type": "eql", @@ -7372,16 +5030,6 @@ "version": 1 }, "90babaa8-5216-4568-992d-d4a01a105d98": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 103, - "rule_name": "InstallUtil Activity", - "sha256": "e5667b196187758d6237ff6bf5f23a6f6e1aeb96192193c9497c622982907440", - "type": "eql", - "version": 5 - } - }, "rule_name": "InstallUtil Activity", "sha256": "d3506c72c7907f32e455ea418eabeca0f6cba286dd09633a0ab16fa9b324c357", "type": "eql", 
@@ -7436,48 +5084,18 @@ "version": 102 }, "92984446-aefb-4d5e-ad12-598042ca80ba": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f", - "type": "query", - "version": 9 - } - }, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "ce443a1e91f6122b9fe1c883d2642db0c14a654bf43b938bb85505d24adddda4", "type": "query", "version": 210 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "A scheduled task was created", - "sha256": "b1fa6b0fe20d2fd8ffedb8e8b14ef7d3b57c533ea32c88b2841028986b3bf6f7", - "type": "eql", - "version": 11 - } - }, "rule_name": "A scheduled task was created", "sha256": "249deafe81ed265426800418a9a92b7d725e73e8f846b33cbcc9f4055e6b220c", "type": "eql", "version": 111 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 103, - "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "b0a73c7ef98e6c64fd9209a4d9dd91fd447c52af2d20f698ea91c6b7221d922e", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Evasion via Windows Filtering Platform", "sha256": "9e98be89300ce747f2919cfb437c25751c974c69e9de7111a7de7a59bc9c493e", "type": "eql", 
@@ -7508,16 +5126,6 @@ "version": 211 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "de92e4d989f9d5610e757c673fbdc4c456231b4ef81e7f4504698b6c264f9962", - "type": "eql", - "version": 110 - } - }, "rule_name": "Encoded Executable Stored in the Registry", "sha256": "35de6ffd8fbe84e6ab25ad60ed8b87c3a2cc1e96bff7daa9699c9e6123acbcc9", "type": "eql", @@ -7548,16 +5156,6 @@ "version": 3 }, "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "46c457a7a1a2443ebb06f362b2f728a3fa9ea4f0c6261d4bdc32a7de7e92ab6e", - "type": "eql", - "version": 12 - } - }, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", "sha256": "3ca2f8aaffac020eba3dfe8981e8cac731522b3d81551575b2e84370c8c9c9e9", "type": "eql", @@ -7566,19 +5164,12 @@ "94e734c0-2cda-11ef-84e1-f661ea17fbce": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 102, "rule_name": "Multiple Okta User Authentication Events with Client Address", "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", "type": "esql", "version": 4 - }, - "8.14": { - "max_allowable_version": 202, - "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", - "type": "esql", - "version": 104 } }, "rule_name": "Multiple Okta User Authentication Events with Client Address", 
@@ -7593,16 +5184,6 @@ "version": 107 }, "951779c2-82ad-4a6c-82b8-296c1f691449": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 103, - "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", - "sha256": "30e9709aa596d9469d905ec6593683478b4eeb9a2d40edb724b0c2e5f1ba6bd2", - "type": "query", - "version": 5 - } - }, "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", "sha256": "d44b1b9ef878285d8dd07da49ecf77844b4892d271d1ebd4ac6631939dd3857e", "type": "query", @@ -7615,32 +5196,12 @@ "version": 2 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Remote Scheduled Task Creation", - "sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8", - "type": "eql", - "version": 110 - } - }, "rule_name": "Remote Scheduled Task Creation", "sha256": "555f7495d3ea6078d6af2f97c818cae349e64b883f0521ec5b62889f19a47c7a", "type": "eql", "version": 210 }, "959a7353-1129-4aa7-9084-30746b256a70": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c", - "type": "query", - "version": 110 - } - }, "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", "sha256": "6dc0584fa3dc988eb1f19f71ae64b7dfdfded3c1db4e5a6a80bb43bcf8778753", "type": "query", 
@@ -7649,19 +5210,12 @@ "95b99adc-2cda-11ef-84e1-f661ea17fbce": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 102, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", "type": "esql", "version": 4 - }, - "8.14": { - "max_allowable_version": 202, - "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", - "type": "esql", - "version": 104 } }, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", @@ -7690,19 +5244,12 @@ "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 307, "rule_name": "Attempt to Create Okta API Token", "sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Attempt to Create Okta API Token", - "sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec", - "type": "query", - "version": 310 } }, "rule_name": "Attempt to Create Okta API Token", @@ -7723,16 +5270,6 @@ "version": 209 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "1a312776aa0b8db999e00c4e025deb6da554ec3738734de8d788a6e8c2d8b957", - "type": "eql", - "version": 10 - } - }, "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", "sha256": "fd2dab81de38537fa82851e66cba9cbe80121418b4151135a71506229f41bd19", "type": "eql", 
@@ -7777,19 +5314,12 @@ "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 311, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", "sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1", "type": "eql", "version": 213 - }, - "8.14": { - "max_allowable_version": 412, - "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1", - "type": "eql", - "version": 314 } }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", @@ -7798,16 +5328,6 @@ "version": 414 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Suspicious Zoom Child Process", - "sha256": "89aac019d039da3e9cc8d5a90ad24c527336df5dcb17667cd41e0bee861b36af", - "type": "eql", - "version": 114 - } - }, "rule_name": "Suspicious Zoom Child Process", "sha256": "8e2d7ddbc2af722c230fd0a23e1428cc5fb0493d0382e9e124410a5087628899", "type": "eql", @@ -7856,16 +5376,6 @@ "version": 104 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 103, - "rule_name": "Indirect Command Execution via Forfiles/Pcalua", - "sha256": "8f278d6cccbc4ea629a93950010eaec7cf14434d52853ef5918623c532fa1fbf", - "type": "eql", - "version": 5 - } - }, "rule_name": "Indirect Command Execution via Forfiles/Pcalua", "sha256": "52f62bfbdb63f99ed6802e2dd419d04a89be011d0af0805d94a0e58280834400", "type": "eql", 
@@ -7902,32 +5412,12 @@ "version": 109 }, "994e40aa-8c85-43de-825e-15f665375ee8": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 109, - "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", - "sha256": "f9bab10027d4eaff5c7cadc5613cfdfe2caf71917f01c2298779b3693e458905", - "type": "eql", - "version": 11 - } - }, "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "sha256": "aff8ce3c97b8657b94418ecea700cdbd08933e40dae51fc4cac6978e212ebbae", "type": "eql", "version": 111 }, "9960432d-9b26-409f-972b-839a959e79e2": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 309, - "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "d1a480f7832f8712d06096eb7dd3d5ff5ebd8c57a23ccb530abd85f8523c12ad", - "type": "eql", - "version": 211 - } - }, "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "c655401d4db3c1c8925fad88f4c58efa5897f96092a4eb5e5f39f19ee391aa73", "type": "eql", 
@@ -7970,32 +5460,12 @@ "version": 210 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Suspicious Explorer Child Process", - "sha256": "dd9f2215be389c33f7a237f9116f9ebfcdc92de051c6babfea314a2664c84bd0", - "type": "eql", - "version": 110 - } - }, "rule_name": "Suspicious Explorer Child Process", "sha256": "e26c452a699c5910201336b89c6df67ad2e167129b2cad1f19a687282dc07362", "type": "eql", "version": 310 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "a89728e7de28de1f41f89eae6884b7434dbd8f948cd682f6a0621a4cd7027067", - "type": "eql", - "version": 111 - } - }, "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "bb1dc73390bf4205bc5518949d88f85a8ab64938716323d47e6c8a36817c07a2", "type": "eql", @@ -8014,16 +5484,6 @@ "version": 207 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Persistence via WMI Event Subscription", - "sha256": "1ca4124ab56004a70f6da7a9a4d37c4f17b4b6f6dae275a42b309b567ba942ab", - "type": "eql", - "version": 114 - } - }, "rule_name": "Persistence via WMI Event Subscription", "sha256": "7813df08730563638f4d24c630eaa2b5dfa818903e6017334b38afc51984e497", "type": "eql", @@ -8036,16 +5496,6 @@ "version": 6 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Hosts File Modified", - "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2", - "type": "eql", - "version": 110 - } - }, "rule_name": "Hosts File Modified", "sha256": "6c8889d19257e8545d39010b01b1e721000f32d09695add926dd4b13d378b84b", "type": "eql", 
@@ -8058,16 +5508,6 @@ "version": 2 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "Remote Scheduled Task Creation via RPC", - "sha256": "16a3342d1003ae1b974b870f7a8388dbc7041f06704202c476621831405e4ad9", - "type": "eql", - "version": 11 - } - }, "rule_name": "Remote Scheduled Task Creation via RPC", "sha256": "13c9045416c8248f845b761d980512aab51c64c5413e295c18c59953eb5438e9", "type": "eql", @@ -8080,16 +5520,6 @@ "version": 3 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "97790052feabd6d8d92049481818933f920d5128b459958b23b4f454788e1926", - "type": "eql", - "version": 111 - } - }, "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "d16970d52f5665857e15296e8ce24758baf698ceafc64a1ac5355b5c221c2692", "type": "eql", 
@@ -8108,96 +5538,36 @@ "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 310, - "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "c6feee8b5f84305767251a5980243998d9d4ba2743ad9874895791e3fa10e948", - "type": "new_terms", - "version": 212 - } - }, "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "c42cd52eb73933b7ba7eb1c1c25bfca2e8215a4e3c8f773c16584bfd38174c1e", "type": "new_terms", "version": 313 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "3bd8a686c90d2b907e79cb8d81ba383c30178ea847082f7fe1759d803be174af", - "type": "eql", - "version": 114 - } - }, "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "3c4a04e50ac49b7af2d68bbf893ab9bded4c25fdb56571258a632a4a4a0bc7cf", "type": "eql", "version": 314 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "1658b389087bc7cd6ee91ffc89a1714168b562dd44451d4c4d6f72702036b9a4", - "type": "eql", - "version": 114 - } - }, "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "ba5fd2330dd1b6032d2553050acd7351a5e7cd9c1f74152c0fc5a78d0732b6ae", "type": "eql", "version": 214 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "0bb18ca3b493310ba23b616de3d39cfba94773b53140eafec03abd781a5897c2", - "type": "eql", - "version": 111 - } - }, "rule_name": "Potential Credential Access via Trusted Developer Utility", "sha256": 
"aef7f15ace1ec416d8e85249577e2301f49840b905843d141189269d3f904f75", "type": "eql", "version": 211 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 313, - "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "fdb27be4ce2b9a135b03186611685488a9d4a989738c3edd28687e83b9f7e349", - "type": "new_terms", - "version": 216 - } - }, "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "0a3531614c20fc9734ed5511346286cf1814c660d2dd86e7ca61b414d1052ec7", "type": "new_terms", "version": 316 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "6e08e0961e8712e3fa798614ceba20842f1fd9e78569f3efb5b0236bd2ffaadf", - "type": "eql", - "version": 108 - } - }, "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": "93adb711b7a1ad99c4215e7623c63eeeb35de931e53749d3abbbe7aeb344d334", "type": "eql", @@ -8234,16 +5604,6 @@ "version": 212 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 214, - "rule_name": "Potential Credential Access via DCSync", - "sha256": "b5ad0d7ace8669b1eea8d9a58c38cb027d236901af048b6f308e8b921b7fb4a0", - "type": "eql", - "version": 116 - } - }, "rule_name": "Potential Credential Access via DCSync", "sha256": "a931d7b18207e55bd0c94cf0011568c27d08e2cfafba8ce17542ec209e78e426", "type": "eql", 
@@ -8262,16 +5622,6 @@ "version": 313 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "A scheduled task was updated", - "sha256": "24db103856c5596c20cce21e7e92ea1d20a82b95691be3b31c7718f15984c193", - "type": "eql", - "version": 11 - } - }, "rule_name": "A scheduled task was updated", "sha256": "dd983fdaa73edf71a2cc567f3fa7189cb995df66ceb66751f6047036d45700ea", "type": "eql", @@ -8290,16 +5640,6 @@ "version": 106 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "009c0f45c6d544d656f91b1a17dc4ca36d2fa5cda90732b95d8cc0840b82684f", - "type": "eql", - "version": 108 - } - }, "rule_name": "InstallUtil Process Making Network Connections", "sha256": "3826d8c2ea0005de5c96f492c5dd896a58db738ff754a638c848dacf6514d220", "type": "eql", 
@@ -8312,32 +5652,12 @@ "version": 211 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "5fa1a396391aee8e4f152b75cbd71a7944b0a4850e20e3496a5de3f463d46031", - "type": "eql", - "version": 110 - } - }, "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "sha256": "2e3cb26c1d0f253e34915465fd896789a7056d7faeafad6435baa712f4d4358c", "type": "eql", "version": 210 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "60b4da3686af1892886ef1568adc3da363b41fa02069a8ad5f02c1f13fc5e375", - "type": "eql", - "version": 9 - } - }, "rule_name": "Windows Subsystem for Linux Distribution Installed", "sha256": "ab452a27753833a9982fac9a2797499691153c3fcc51357315acc246796bce7f", "type": "eql", @@ -8368,16 +5688,6 @@ "version": 7 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "06f788f98600e28f36873cfa890ce266317a1b101169c481fb3099d9c0e35eae", - "type": "eql", - "version": 112 - } - }, "rule_name": "DNS-over-HTTPS Enabled via Registry", "sha256": "ad7b4900548730f045e3b58898846a5953e28138ddc81ea4b2cb5e8f7bc4f30c", "type": "eql", 
@@ -8402,32 +5712,12 @@ "version": 108 }, "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "PowerShell Mailbox Collection Script", - "sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58", - "type": "query", - "version": 9 - } - }, "rule_name": "PowerShell Mailbox Collection Script", "sha256": "806757feca7a5f09ea78d6c4344a5b4961a51dbbd7c9779b0fa1d3e24e2f4087", "type": "query", "version": 109 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Execution via local SxS Shared Module", - "sha256": "c70b5b61b3ea697efa1bbf34aede51b77d26f0af37f29414c403967c589fa37a", - "type": "eql", - "version": 109 - } - }, "rule_name": "Execution via local SxS Shared Module", "sha256": "0411088910bff1036ccad0a0a7e3e47b669f970b76031d73843f1a6ee00aa168", "type": "eql", @@ -8494,16 +5784,6 @@ "version": 8 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Suspicious MS Office Child Process", - "sha256": "5c80f53958876a026ffb64b1eeee262e9fc7df01ceba845b9e2d9690744fc22a", - "type": "eql", - "version": 114 - } - }, "rule_name": "Suspicious MS Office Child Process", "sha256": "a68523228ec0fc453c23646ced21d0b57a3417cebc9b74d4232992adf3b96a38", "type": "eql", @@ -8534,16 +5814,6 @@ "version": 114 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "f94eed7bd541165126c32c94597db40548996aafff6604d4461961c9daa182ee", - "type": "eql", - "version": 112 - } - }, "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "341a50ecd0f4ebb8543687abbf979227065c91bcd013a47d4f135107b26ecf89", "type": "eql", 
@@ -8604,16 +5874,6 @@ "version": 206 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "521b0deac4fa27230216cb8daf48bee86c9bbef64c5b0dc90d5dbd5acbb31f0e", - "type": "eql", - "version": 110 - } - }, "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "3408526e0c0dac93e7765ada0f10c56843aec79f4e3c80ff93f5afb3ec32e96a", "type": "eql", @@ -8638,16 +5898,6 @@ "version": 214 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Remotely Started Services via RPC", - "sha256": "c5ae21879f28fadb1daca353f3c354f8f96a89ebe15eb191af73bbe85a2e1b0f", - "type": "eql", - "version": 114 - } - }, "rule_name": "Remotely Started Services via RPC", "sha256": "470c7c8413962fc0f844e61a7bf6314d1a2eb8517d76b793b627d1ab6c0ee1cc", "type": "eql", @@ -8684,16 +5934,6 @@ "version": 3 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "83e5654634806cf836873526072beb4a411dbe215b4be002f799dc0eb0866d82", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "62b3cce8bb0d092c2759ebc4697ef92d744a740ec8e418ac7370a52052d0d04a", "type": "machine_learning", 
@@ -8706,16 +5946,6 @@ "version": 109 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Suspicious WerFault Child Process", - "sha256": "5a3182ca2012152d9bd5c912111d82b1f3214a893d6da8417d00cde83cc42f7b", - "type": "eql", - "version": 114 - } - }, "rule_name": "Suspicious WerFault Child Process", "sha256": "2093382d45530ceba2ddf764b031af27fef9087e0b6f90f1e6cb535a04e5798b", "type": "eql", @@ -8728,32 +5958,12 @@ "version": 104 }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Outlook Home Page Registry Modification", - "sha256": "9e311415c8086b3934da0eeaa5ccac777e192f9c2c9953b705e3368c14fad664", - "type": "eql", - "version": 2 - } - }, "rule_name": "Outlook Home Page Registry Modification", "sha256": "cf576e47d585c50b59b5886c7f0802f74deb1e56177dc7478d66d1e3a7379fa6", "type": "eql", "version": 202 }, "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "WPS Office Exploitation via DLL Hijack", - "sha256": "f0b9a400aad8092fd6bd78cf6124173e5d87d3a8d40fb37af54e7611a60734de", - "type": "eql", - "version": 2 - } - }, "rule_name": "WPS Office Exploitation via DLL Hijack", "sha256": "6d20396d3b2ba5db4a1fd80aca9c645d4b789dcb0d39161b5dfe9b1d4f1f216b", "type": "eql", @@ -8772,16 +5982,6 @@ "version": 8 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "73aa4e201e1220c47c689009c0c24f4ef6a0dcdab57655d7f25c5525472d28b4", - "type": "query", - "version": 111 - } - }, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", "sha256": "e75ecddee03f0ecd4c9052ef2974471d669da03a7d25fd6c4c46ad39537304b6", "type": "query", 
@@ -8806,32 +6006,12 @@ "version": 109 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "71cf5c81124dd45113bcb530642c295387bd2b68ee1236cb2a3e8e2f0f0aca2a", - "type": "eql", - "version": 109 - } - }, "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "88a18ab3c5f799879b46bf994ced31f7d53b1188b29318f70d67e7f1fe7bc832", "type": "eql", "version": 310 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "ce99c263910efa69241137ea09accded8b37ab436213bd6a80d3c8736c01d957", - "type": "eql", - "version": 110 - } - }, "rule_name": "Signed Proxy Execution via MS Work Folders", "sha256": "877b82511a776fabb258c7294666c134b9fe2720c4b3adb773f6332473caf911", "type": "eql", @@ -8862,16 +6042,6 @@ "version": 1 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "e36bc47e8ad58d550eb0511c38b7e7ebe9f68e088ec6215f78f7a2780d0f4e24", - "type": "query", - "version": 113 - } - }, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", "sha256": "014ab6a9d47a402634c60580acfcdbc73e02eda99e30868cdb84bd27f75bfe59", "type": "query", 
@@ -8908,16 +6078,6 @@ "version": 107 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 104, - "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "e98a3d6c4df8d691ad52d2e09453788cdd9059b5d1d1417f8c27adb82ad82604", - "type": "eql", - "version": 6 - } - }, "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", "sha256": "6457c55cd14c40cf20aaa69545261b5acc6f52e94266a412cc7eae717c18f7d6", "type": "eql", @@ -8942,16 +6102,6 @@ "version": 6 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Local Scheduled Task Creation", - "sha256": "153a680562c2db766ddc13960ff0b1b1d40590dbbf944177fdb07680c4695cbe", - "type": "eql", - "version": 109 - } - }, "rule_name": "Local Scheduled Task Creation", "sha256": "1865a666788e5f1135f4e2809b5054429a200bcdac8bff00717593f7f3331386", "type": "eql", @@ -8988,16 +6138,6 @@ "version": 1 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Netsh Helper DLL", - "sha256": "ae6521e56ff6823f52f0061b21556a43efe712f7fd43485bcc1e437849bb0c4d", - "type": "eql", - "version": 3 - } - }, "rule_name": "Netsh Helper DLL", "sha256": "8b1858525694ec6e7adb1eb4300cdd4ad1e6e4721418a4c30ff5567d37ed66f4", "type": "eql", @@ -9022,16 +6162,6 @@ "version": 100 }, "b2318c71-5959-469a-a3ce-3a0768e63b9c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 105, - "rule_name": "Potential Network Share Discovery", - "sha256": "e984a3d3d48ac2c527b8cc9639ad36794477d63017e31f65023ddef04404f01d", - "type": "eql", - "version": 7 - } - }, "rule_name": "Potential Network Share Discovery", "sha256": "a59215d5f80a3d3ca3e4611cfe0f4266d000c7ac58879ddd30ba94193e0ba79a", "type": "eql", 
@@ -9056,16 +6186,6 @@ "version": 207 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Network Connection via Compiled HTML File", - "sha256": "8eed8d54357b27cc75f72fb6d8bfbf8329b2bd2a0c09b43187d7132a3a6e195c", - "type": "eql", - "version": 109 - } - }, "rule_name": "Network Connection via Compiled HTML File", "sha256": "7399a81fb47d057bd4c83b8a488b4fe9e614fe9fbca03daa78018eac37dcc058", "type": "eql", @@ -9084,32 +6204,12 @@ "version": 3 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "bb3314617957ebc4e0040f77083a7b5191ad7d4aac12c6f8e24d76b9157acc0d", - "type": "eql", - "version": 116 - } - }, "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "7619c7c7851d86a7c00dd33358f2a195e219abc5a71877a14e1d058f089679dd", "type": "eql", "version": 315 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "827b2e6312c74d28a9c2c605507eb0ece093b284e60e26bfc9107c6733929d1b", - "type": "eql", - "version": 11 - } - }, "rule_name": "Code Signing Policy Modification Through Built-in tools", "sha256": "8747c38dc0c5c1f095c574509b9f5f8f8559565e457678aa2382014c1f360627", "type": "eql", 
@@ -9128,16 +6228,6 @@ "version": 207 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 104, - "rule_name": "At.exe Command Lateral Movement", - "sha256": "a1aa72dc7cf218498b4bd3cb3adceb831db178df81c7bcd254159323dda53cc1", - "type": "eql", - "version": 6 - } - }, "rule_name": "At.exe Command Lateral Movement", "sha256": "7bdc29998a4df28f2c5f145fb8616a73d22bd40857000f5ff345f304a82ece97", "type": "eql", @@ -9146,19 +6236,12 @@ "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Delete an Okta Policy", 
@@ -9173,32 +6256,12 @@ "version": 7 }, "b5877334-677f-4fb9-86d5-a9721274223b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Clearing Windows Console History", - "sha256": "d42b2a9e2f10c1fcdb5ef9f4e61976c421ed73777e0d9e8ce2cf19cd049ea169", - "type": "eql", - "version": 113 - } - }, "rule_name": "Clearing Windows Console History", "sha256": "2c520e669cc319fbcea530b0ae4bbdb5e0957465b447349c216ff5b15b51309c", "type": "eql", "version": 314 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "efddb07094d4112b3fe52e056949b21c437249bb7173dcd0184fef80a1591834", - "type": "eql", - "version": 113 - } - }, "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "sha256": "05e2efb7276a733c2adf3681d0ffd4d02f6b6f275d68f93d23b7bab0f37be852", "type": "eql", 
@@ -9217,48 +6280,18 @@ "version": 108 }, "b64b183e-1a76-422d-9179-7b389513e74d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "60fa1c1f92316dff5dbafafb8828c4493eb084e0a892fef14665afb65d337269", - "type": "eql", - "version": 111 - } - }, "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "972276704cff979323a1023ba183a94c4a7811ffb359898829ab87df4c85a032", "type": "eql", "version": 211 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Potential Veeam Credential Access Command", - "sha256": "4e3ae75a438564e128dbbe0d7dfbb9db97cbd49cea4ca9c060dffec9d64e974b", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential Veeam Credential Access Command", "sha256": "185217c47b57dc0e942f3d4acda3ec10d274848c91c1261ea8eadf3faec9e687", "type": "eql", "version": 205 }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "84cb2fa184205ec6c7b5ebef44c3cf43d7a24ecba9aec4c0f148e7a5973fe61e", - "type": "eql", - "version": 3 - } - }, "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", "sha256": "ea54cd3fdb16046632a7a7a59ce1c225ff10aa9102c2044d0a293ea1b71c04d0", "type": "eql", 
@@ -9273,19 +6306,12 @@ "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Policy", @@ -9302,19 +6328,12 @@ "b8075894-0b62-46e5-977c-31275da34419": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 307, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5", - "type": "query", - "version": 310 } }, "rule_name": "Administrator Privileges Assigned to an Okta Group", 
@@ -9329,80 +6348,30 @@ "version": 3 }, "b8386923-b02c-4b94-986a-d223d9b01f88": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "PowerShell Invoke-NinjaCopy script", - "sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21", - "type": "query", - "version": 8 - } - }, "rule_name": "PowerShell Invoke-NinjaCopy script", "sha256": "654522097bfb8fcc73d4d0e47d8cd853307040171bb5ba29d706f26e17879552", "type": "query", "version": 108 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "07495ad3087d7d941d4ac6b44ccb6b4afffd0b7a10b6cd91e41dc91e2c8bf5df", - "type": "eql", - "version": 110 - } - }, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "f6b6199880ad069f381932ed419cc9eb6a89a0bdd3a8643c23bdf0f8ec1375b6", "type": "eql", "version": 413 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 205, - "rule_name": "Network Connection via MsXsl", - "sha256": "6fa622d8cf25c559993ee681c4c59fe4875676f7a1e75fae7f9837ae73c39837", - "type": "eql", - "version": 107 - } - }, "rule_name": "Network Connection via MsXsl", "sha256": "1d3c54055176ee07cd35f819d276249cbef1c3a9d0f0f4e1baa830336b20aaf7", "type": "eql", "version": 207 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 104, - "rule_name": "Kirbi File Creation", - "sha256": "c10cf18764bba367c5dc4f521024dc94ef68710285c6f90a067c4237780913a5", - "type": "eql", - "version": 8 - } - }, "rule_name": "Kirbi File Creation", "sha256": "4657563a7e924aa8d3e22e93a3d7b63359d96a5f3fca0bcc8b2acf48620e8517", "type": "eql", "version": 312 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { - "min_stack_version": 
"8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "58aa89bc163a9683f9b49afe3a23214fc5db86e93510a6cec8b716e16e93cbe1", - "type": "eql", - "version": 110 - } - }, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "5279287a7c569096f588da6a81739ad2b52940bb1fde4b4cdfc5e18d4c91a8f7", "type": "eql", @@ -9427,16 +6396,6 @@ "version": 5 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "afa94a71cd99d31b1c816a7710f3e00e86c7854df6db0f251d9194ed981a82b7", - "type": "eql", - "version": 112 - } - }, "rule_name": "Group Policy Abuse for Privilege Addition", "sha256": "0dbd728ccdee18242ce73777503e932ab66219ba7271621060c5b98633ac1107", "type": "eql", @@ -9449,16 +6408,6 @@ "version": 113 }, "b9960fef-82c6-4816-befa-44745030e917": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "30d3fcfb86a4c9e23c5563059dc2df4b75f106ceedf2a7f57f7731cb984430bc", - "type": "eql", - "version": 112 - } - }, "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "8448fdad37a26284d2c146a1c6f84be4345849b97567a3c0faf586e92b59aada", "type": "eql", 
@@ -9471,16 +6420,6 @@ "version": 103 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Network Activity", - "sha256": "cd715d2616e427081beaa901230dba625ab6c14e52d0571ae643a92f04c77435", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows Network Activity", "sha256": "006889f0bed32a73ed4d97e42325e7b69cd13e35ed45d30f6b58a091b6f54973", "type": "machine_learning", @@ -9499,16 +6438,6 @@ "version": 4 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "998cfcfee5231e24bd5fb08c5921e0c9915f8d4b9db65d1b7daaa574cbf601af", - "type": "eql", - "version": 110 - } - }, "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "bf12d588236251e2feda39ddb4621aab72de0d06c0cc78366cfb8cde48293fc9", "type": "eql", 
@@ -9605,48 +6534,18 @@ "version": 6 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 214, - "rule_name": "PowerShell Keylogging Script", - "sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e", - "type": "query", - "version": 115 - } - }, "rule_name": "PowerShell Keylogging Script", "sha256": "0f29bd06ba330170b8afdddc3f4b34a22926ac6b7ad0ed8cb91586055464778b", "type": "query", "version": 215 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 104, - "rule_name": "Potential Defense Evasion via CMSTP.exe", - "sha256": "1a4b9e6b364c8dab7b70af95029c1837cef25faa14161bce57283c750b0f6c1b", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Defense Evasion via CMSTP.exe", "sha256": "e90bca644b9c4deecb5cb69654940894035152e5ce6d74f3c45b3193ff56aa8b", "type": "eql", "version": 107 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "e65486c1eace3f2cba2f77b32a8523d31ee20a81635805ba14e9344aff57dabc", - "type": "eql", - "version": 109 - } - }, "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "f993d429934670b2858130841325ed6efbed63e48d06218e4b98f59688c119b2", "type": "eql", 
@@ -9659,48 +6558,18 @@ "version": 9 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "ca3c535c19bcb70517a067c7f2fee45d4cda7183c15f51ff65edc5558f9180d4", - "type": "eql", - "version": 111 - } - }, "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", "sha256": "c81455cfc1549f0c20acc4d63b70b45f4a82f73a2589aa193d0eae48dcbc4fd4", "type": "eql", "version": 211 }, "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "b7d2b3d62bcd3f5f072a3d0eee1d7ffc41c8ab186328c6e58ec190d567786da5", - "type": "eql", - "version": 3 - } - }, "rule_name": "Execution via Windows Command Debugging Utility", "sha256": "7fd0fad617863a3fa3b7d26140f49d61db07e3841a2112fde8231db1a9c55ae3", "type": "eql", "version": 105 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", - "sha256": "a2ccf5e3e960c49d64850d992659f30b31d2b4619143f6ace9586298ada41e55", - "type": "machine_learning", - "version": 8 - } - }, "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", "sha256": "9b8577a62bbfbbcec6a5aba3c11a4d4901222b6a7403c548c74dda4a01e5f84a", "type": "machine_learning", 
@@ -9713,16 +6582,6 @@ "version": 5 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "b92d79f08cb700838477ef425e6e82c0645fa7621fc8db3acfcacbe1b383f49c", - "type": "eql", - "version": 113 - } - }, "rule_name": "Searching for Saved Credentials via VaultCmd", "sha256": "7b9b7c2ada7e7e5ed1ccf83734701f53aa579ce4df309fba3aacddb16a8eb9fa", "type": "eql", @@ -9747,16 +6606,6 @@ "version": 5 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "7378116f20ca82f38e2d2d44d954660fb4b53cc6eae4276a1084e6a27ae5cf7f", - "type": "eql", - "version": 113 - } - }, "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "sha256": "c192bb9bb98950970b96a09228a47f17bdfee85d936315b127f88960a07f9fa9", "type": "eql", @@ -9769,16 +6618,6 @@ "version": 109 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "7e6ca9dcd52afbbcb0b9a55e6aa6e2769fa1ec0eea2be911c612512a3d980c07", - "type": "eql", - "version": 111 - } - }, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "b27fd36d7d58fc1103502201694ebb4f9711505eb7be212b1970a49aa4018803", "type": "eql", 
@@ -9803,16 +6642,6 @@ "version": 104 }, "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", - "sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2", - "type": "query", - "version": 3 - } - }, "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", "sha256": "c69692ff49a09d554d7fc41a0fd751809ead60f0421d0cbc79902c7dd1b8350e", "type": "query", @@ -9855,16 +6684,6 @@ "version": 5 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "fc1b233c930cf034d1c534a92b4ee42fffb15b398da01bad0b93741527b11b4d", - "type": "eql", - "version": 113 - } - }, "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": "d68e0ca9ae67ed1ba16a2c62ee6dca41fa25ad178352a45fb29e08d0920c6c66", "type": "eql", @@ -9889,16 +6708,6 @@ "version": 4 }, "c2d90150-0133-451c-a783-533e736c12d7": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Mshta Making Network Connections", - "sha256": "1df29ad5d0ca0a28702b68944cb3950151ce264faeed1d0cac6cdc59be122b4b", - "type": "eql", - "version": 109 - } - }, "rule_name": "Mshta Making Network Connections", "sha256": "35ebb1787e73b188c74759108e7580f588b69fec28e602e40297dbe2e08a1709", "type": "eql", 
@@ -9923,16 +6732,6 @@ "version": 1 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "2f351a320cf7736fa0382f0a514fc587d7a9a6e9df3e0fa798996b1378845e86", - "type": "eql", - "version": 109 - } - }, "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "aadadca71e75e01e994ff9148f368bfd7b277c1ddfdae04d6f9ea3aecf1e2ce2", "type": "eql", @@ -9945,32 +6744,12 @@ "version": 105 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "7da7deae7aaaaa19159214551ee72b6c0cf82a2eca4ae8edb3eaefe8aa0a69a8", - "type": "eql", - "version": 113 - } - }, "rule_name": "Mounting Hidden or WebDav Remote Shares", "sha256": "efd529afc416fb90d5b3370adef9ee8b8e42b1a423035ef86d017b22629b1de0", "type": "eql", "version": 313 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "04b3ecf212987b57bdaedbb14a301b6f913473e5abb301dc94b6371c56d73567", - "type": "eql", - "version": 108 - } - }, "rule_name": "Suspicious Print Spooler File Deletion", "sha256": "1ad69e32d7a2cf3559f0ee82cc8620601c5d764ba5c054292e16e4f9e5953fbf", "type": "eql", @@ -9983,16 +6762,6 @@ "version": 4 }, "c55badd3-3e61-4292-836f-56209dc8a601": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 105, - "rule_name": "Attempted Private Key Access", - "sha256": "ca0b00b33c8214c0a733b6e9ab2291c4a4e2bc92103a928da8778c792f66d428", - "type": "eql", - "version": 7 - } - }, "rule_name": "Attempted Private Key Access", "sha256": "e6610e9bc8709d63404f439099e2274b94e6feaf5c4d781d3cba8797f41bb218", "type": "eql", 
@@ -10005,32 +6774,12 @@ "version": 1 }, "c5677997-f75b-4cda-b830-a75920514096": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 105, - "rule_name": "Service Path Modification via sc.exe", - "sha256": "a2d3d1147504ad2b3c7930bba24c2055e523d84b2feeb737211417cb72d8eb56", - "type": "eql", - "version": 7 - } - }, "rule_name": "Service Path Modification via sc.exe", "sha256": "4b544e89f0c85e979ed5572561c0781ae88708e037117d8963541ef94eb070ec", "type": "eql", "version": 107 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "f23375e5d2e676c1e1abe448a171c858dc5ad2300e66ef5c599e7e8325cb3390", - "type": "eql", - "version": 110 - } - }, "rule_name": "Potential Remote Desktop Shadowing Activity", "sha256": "71cec7c47c2c7d46230f68fe874142b0c1e36dec0aa4bec9023d29d4c4f23a15", "type": "eql", 
@@ -10043,48 +6792,18 @@ "version": 105 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "7e9ee856f86f121f008eb8a3304b4955828d5b4d5333a47de3f36d478e0562e7", - "type": "eql", - "version": 109 - } - }, "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "0fc2faa2b6a15a4dcf2d5aa403a414c13d8d9f33fc943f74616e6d4f067d98a8", "type": "eql", "version": 209 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Installation of Custom Shim Databases", - "sha256": "e23bdb57b42ec1bbefbace5a408e8ede22db9bd8be59fae66e1ed6803db76173", - "type": "eql", - "version": 110 - } - }, "rule_name": "Installation of Custom Shim Databases", "sha256": "322920ea0c3accf1a5852f8ffd6d3e8861e45f262314f49ba54569768ea085f9", "type": "eql", "version": 310 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "4daab056bff3e4d5ae1ad7c4643448ae6fa836f83f095a5cc615f506cad68e8c", - "type": "eql", - "version": 113 - } - }, "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "ecf12cfbacf7d550b987fe63d6114222e641aeb764b32e4823d6c7712bc2c185", "type": "eql", 
@@ -10103,16 +6822,6 @@ "version": 2 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Remote File Download via MpCmdRun", - "sha256": "67e77129c5ce0eb04df88c0d64d4f387ef1de59bc03f8d9e7eb11e9c050cd0c0", - "type": "eql", - "version": 115 - } - }, "rule_name": "Remote File Download via MpCmdRun", "sha256": "d63b7af246369d52debf0c9e1196c9abfa1b1d3b7b127b2cb53e0bcf7587d0d8", "type": "eql", @@ -10133,19 +6842,12 @@ "c749e367-a069-4a73-b1f2-43a3798153ad": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Delete an Okta Network Zone", @@ -10156,19 +6858,12 @@ "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 307, "rule_name": "Attempt to Modify an Okta Application", "sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Attempt to Modify an Okta Application", - "sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05", - "type": "query", - "version": 310 } }, "rule_name": "Attempt to Modify an Okta Application", 
@@ -10189,16 +6884,6 @@ "version": 1 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Unusual Network Connection via DllHost", - "sha256": "1cd890b963ab7a701f5a6c45943d20f22cb173ff36b6ca80955b13239be44860", - "type": "eql", - "version": 108 - } - }, "rule_name": "Unusual Network Connection via DllHost", "sha256": "dad569a0e953afbb3adc4424aa091610da67d623add251f2f923f920cdba014c", "type": "eql", @@ -10211,16 +6896,6 @@ "version": 205 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Unusual File Modification by dns.exe", - "sha256": "a3a91a39decef3a359f4dc95bc8be0401664ca49546b526ad694a3154ce425b6", - "type": "eql", - "version": 112 - } - }, "rule_name": "Unusual File Modification by dns.exe", "sha256": "5055c42206d7d3df32f4241bed3b12ec940e263d0cf696d8de05ee4a4b71193a", "type": "eql", 
@@ -10275,32 +6950,12 @@ "version": 12 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "b02f2bf5fccfed2accfb810dd6c38be499cc9fd52c4d23309848eb8170f374a8", - "type": "eql", - "version": 115 - } - }, "rule_name": "Suspicious Startup Shell Folder Modification", "sha256": "ef305abdbae7d8f1ecfb6ca40a4142dd81af12b9b5cdd154e063c7a98a5d8589", "type": "eql", "version": 314 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "e9d9ba83d54f62f31234ba17fcc63773d044a09d7ccbdfb8a1a86e2031ae84a8", - "type": "eql", - "version": 114 - } - }, "rule_name": "Disabling Windows Defender Security Settings via PowerShell", "sha256": "5e0e2e0eaa91c13f7ba154969ad792a7747c7a6c7ba3ea9093aaaf1d4d0ded69", "type": "eql", @@ -10375,19 +7030,12 @@ "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 101, "rule_name": "Multiple Okta Client Addresses for a Single User Session", "sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5", "type": "threshold", "version": 2 - }, - "8.14": { - "max_allowable_version": 303, - "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd", - "type": "esql", - "version": 205 } }, "rule_name": "Multiple Device Token Hashes for Single Okta Session", 
@@ -10416,19 +7064,12 @@ "cc92c835-da92-45c9-9f29-b4992ad621a0": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 309, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2", "type": "query", "version": 211 - }, - "8.14": { - "max_allowable_version": 410, - "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2", - "type": "query", - "version": 312 } }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", @@ -10451,19 +7092,12 @@ "cd16fb10-0261-46e8-9932-a0336278cdbe": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d", - "type": "query", - "version": 311 } }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", @@ -10498,19 +7132,12 @@ "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 310, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759", "type": "eql", "version": 212 - }, - "8.14": { - "max_allowable_version": 411, - "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759", - "type": "eql", - "version": 313 } }, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", 
@@ -10521,19 +7148,12 @@ "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 309, "rule_name": "Okta User Session Impersonation", "sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde", "type": "query", "version": 211 - }, - "8.14": { - "max_allowable_version": 410, - "rule_name": "Okta User Session Impersonation", - "sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde", - "type": "query", - "version": 312 } }, "rule_name": "Okta User Session Impersonation", @@ -10542,16 +7162,6 @@ "version": 412 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 110, - "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "a02aef3d53b50e1841dd01ee25f506dc63a897f003265f8678ef3f82fa618670", - "type": "query", - "version": 13 - } - }, "rule_name": "Potential PowerShell HackTool Script by Function Names", "sha256": "ab4ec07b2bdd59f75529ab2b6f8e58098bad8f3f8a08c9e0b2261cf7500d3015", "type": "query", @@ -10576,16 +7186,6 @@ "version": 2 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "0d3af72ea1eb174dd4aa290ec7c8e3e240acb51358169eb0529e77b099a7dfca", - "type": "eql", - "version": 113 - } - }, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "d60cc4622721041fc7781551bd3d381428fc01276aa7e8a1055f90a75d27b878", "type": "eql", 
@@ -10616,16 +7216,6 @@ "version": 2 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "4f9cf9d0307112c1578c481ffc975559438e8151e1dfaf9597d21d7a66cea7fa", - "type": "eql", - "version": 116 - } - }, "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "cb9333ce51666fab48bb330cb9fac7bda9376ec73b3a039aae1a81ad7a112a43", "type": "eql", @@ -10650,32 +7240,12 @@ "version": 3 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "4bb55e1f7ac32a17597deba9c24186c785abfcd6953b10305a596ff29a27dd63", - "type": "eql", - "version": 112 - } - }, "rule_name": "Registry Persistence via AppInit DLL", "sha256": "0d395b1f9a4f028fc752ec37396aaea0a8b3896f2ac3318fe2edbd6daae092f7", "type": "eql", "version": 312 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "29b901e2e2a500cc3e5930938d94b49c5b7f44fe6564aadc087f290832d6d74a", - "type": "eql", - "version": 114 - } - }, "rule_name": "Symbolic Link to Shadow Copy Created", "sha256": "8993357af0c7f71ea5a6211f75cf96089c4c9ec88913377fe9c9baf72aaf6e4f", "type": "eql", 
@@ -10712,64 +7282,24 @@ "version": 107 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7", - "type": "eql", - "version": 112 - } - }, "rule_name": "Disabling User Account Control via Registry Modification", "sha256": "daa4ee75ef9d319d9fe60c708f314fa2358cc48334270374e0b5c8222d5352ab", "type": "eql", "version": 312 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "Clearing Windows Event Logs", - "sha256": "43df104be9f108fd08b8d71599f09bd2a9e4f98e5df1e6d8b0c41786bf127629", - "type": "eql", - "version": 115 - } - }, "rule_name": "Clearing Windows Event Logs", "sha256": "400229c7fa25221d2fd2db218ffe282f8d4d597d85d9cf9cf783ce03e28a1159", "type": "eql", "version": 316 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Remote Windows Service Installed", - "sha256": "1f3ebacad2b755fcdf9e30e67395eb3ae6c0947abedc632542b5b4eb17039d93", - "type": "eql", - "version": 9 - } - }, "rule_name": "Remote Windows Service Installed", "sha256": "295c3ce74dc2067ec71ab0fff5dac7193d4fd70509c1e5281c190b6af90aefd1", "type": "eql", "version": 109 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 103, - "rule_name": "WMI WBEMTEST Utility Execution", - "sha256": "5a91c133bc777a7e2499b024f42ebe1be6983609c8f38e00a4d81924dc72acc8", - "type": "eql", - "version": 5 - } - }, "rule_name": "WMI WBEMTEST Utility Execution", "sha256": "aa88ac4bf872c3c3928d2121657a6b88338d937fe1a3813231c8f20a5cf966c3", "type": "eql", 
@@ -10790,19 +7320,12 @@ "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 307, "rule_name": "Attempt to Delete an Okta Application", "sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Attempt to Delete an Okta Application", - "sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666", - "type": "query", - "version": 310 } }, "rule_name": "Attempt to Delete an Okta Application", @@ -10847,16 +7370,6 @@ "version": 5 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "517d28ddbcd9550ac85394cdac2cee0844bc448d4be9b4e4aa81be52e1275002", - "type": "eql", - "version": 110 - } - }, "rule_name": "Privilege Escalation via Windir Environment Variable", "sha256": "60b8eec12452b573096d484a711a30dba4b444661e967528e029b47d6ee84f62", "type": "eql", @@ -10865,19 +7378,12 @@ "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Delete an Okta Policy Rule", 
@@ -10886,16 +7392,6 @@ "version": 411 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Service Command Lateral Movement", - "sha256": "0d07056086afc2ae7fc3933f654811d9b31cbcf86939f52cea27261c807c0b8c", - "type": "eql", - "version": 108 - } - }, "rule_name": "Service Command Lateral Movement", "sha256": "e767e2798904e06d27a494fdecd4eec49bb912ec8b0c6940d3992927ef6354e1", "type": "eql", @@ -10926,16 +7422,6 @@ "version": 100 }, "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 113, - "rule_name": "System Information Discovery via Windows Command Shell", - "sha256": "272699ab944dda3fb2374c7f0cba8b4585ace10fee2a21b12b9c6215519c3c29", - "type": "eql", - "version": 15 - } - }, "rule_name": "System Information Discovery via Windows Command Shell", "sha256": "a8b94f958358ecb558c04272526096c255c70adfcfc23e85dc392fb9523b761a", "type": "eql", 
@@ -10948,32 +7434,12 @@ "version": 207 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Modification of WDigest Security Provider", - "sha256": "a44e75aa48733736e80047d4c1c565d7ba7683ae2f63255605eb0a8fc3fd8d5e", - "type": "eql", - "version": 111 - } - }, "rule_name": "Modification of WDigest Security Provider", "sha256": "b9a559838a1a99dc2394f88550d8bf2acd150203179bbe5aa432e9d0d8569049", "type": "eql", "version": 211 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Command Execution via SolarWinds Process", - "sha256": "cc15c76a2369027ba3e6633b87d7a3839f5365946de2dcfe4ec1b82a982e4641", - "type": "eql", - "version": 114 - } - }, "rule_name": "Command Execution via SolarWinds Process", "sha256": "9f589cbf31fdc71f8e4c57f7cd8dc4956c30179ae4df20fba67d41e87e071ada", "type": "eql", 
@@ -11040,64 +7506,24 @@ "version": 210 }, "d93e61db-82d6-4095-99aa-714988118064": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "NTDS Dump via Wbadmin", - "sha256": "0ec890060837395012ad0a162820039feccc988f8395fc1078f45daf4bc7abb3", - "type": "eql", - "version": 4 - } - }, "rule_name": "NTDS Dump via Wbadmin", "sha256": "2d9145c7d1b3795172c0ec1ad4721ccc4055fe6b14d51880f6dd59c2e1498e5d", "type": "eql", "version": 205 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "9b8ad5964185c38f5bff7a86e3f4cef521ba3f743dafbe475f84111b6c97c473", - "type": "eql", - "version": 113 - } - }, "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "1574ae43ff903032be7747f88500fcab7396be626f95da26921145560ab5d488", "type": "eql", "version": 314 }, "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "fbe7d02b10b540aff7b825dc36b8716bf16c7de4668ecbad5001a3239c6c5166", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious Windows Command Shell Arguments", "sha256": "bb3b92db48376983d30d61f54bdabb41250c33883d13ac5920d416e91b08a827", "type": "eql", "version": 203 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 110, - "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "fc23e41a7d22a46223a5b1ed558336101405e6adad108127504e440c44d82a19", - "type": "eql", - "version": 12 - } - }, "rule_name": "Code Signing Policy Modification Through Registry", "sha256": "0ac7d1624e694cec67982400a822b5692087df342748f9d9b10eebc1de8ffe03", "type": "eql", 
@@ -11110,16 +7536,6 @@ "version": 6 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 109, - "rule_name": "Suspicious Service was Installed in the System", - "sha256": "9a42aaff1236e24c34e84e08efd9a7e42009c0c63b347d4fe373822df560b886", - "type": "eql", - "version": 12 - } - }, "rule_name": "Suspicious Service was Installed in the System", "sha256": "b047f4e0b3115a5cae6311130cf82c3c278d25ed4dd930e2f697a0d9d9e7f0d0", "type": "eql", @@ -11132,16 +7548,6 @@ "version": 100 }, "daafdf96-e7b1-4f14-b494-27e0d24b11f6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 105, - "rule_name": "Potential Pass-the-Hash (PtH) Attempt", - "sha256": "6d19402e85f66e45583b1eeb0c1b22e5641e069db1d10342a0bde8f44b0fae5d", - "type": "new_terms", - "version": 8 - } - }, "rule_name": "Potential Pass-the-Hash (PtH) Attempt", "sha256": "7e22a1c442db7cad59d546607a489f1c7050f79fd38503b21f27303ba5241f7e", "type": "new_terms", 
@@ -11154,32 +7560,12 @@ "version": 105 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "f070b0885fd560dca726ee750baad0826feb31d8d40ccb087eb224a1ea7abfbc", - "type": "eql", - "version": 4 - } - }, "rule_name": "Network-Level Authentication (NLA) Disabled", "sha256": "6512a9d12fa4ef27519126e321762a291e72b255d30192405b4cb411001266c6", "type": "eql", "version": 204 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "9aadc22b5ec9cea06ee0b9088f5ccbd36a3306d609eac169139751b082504d50", - "type": "eql", - "version": 9 - } - }, "rule_name": "Execution via Windows Subsystem for Linux", "sha256": "029980f0576e49caacd25ad0de41f0b2408bc96f253c336d6cec15df9a3314ce", "type": "eql", @@ -11222,16 +7608,6 @@ "version": 2 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "976ac05caaa7708302cfafccd5edd0af529b333c3550b12e398506b43b82e625", - "type": "eql", - "version": 113 - } - }, "rule_name": "Volume Shadow Copy Deletion via WMIC", "sha256": "d4fcd570b5466abc21101a20f25749dd7c2c72e8392e316c2f2f7841c0b635b4", "type": "eql", 
@@ -11244,32 +7620,12 @@ "version": 209 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Suspicious Execution from INET Cache", - "sha256": "40d55e7663cb9633996f2dd6c03729438145e69e0239b0e638f5ee1a40d4281d", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious Execution from INET Cache", "sha256": "6a5c4edf3847efdf6dd62e8a6de3c4eb4741877eac727dd8af8aa473666167c2", "type": "eql", "version": 206 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "26b7b9e5fd76bd0fa239139c7322893447787d8462f784bd120a62794e64b358", - "type": "eql", - "version": 10 - } - }, "rule_name": "Attempt to Install Kali Linux via WSL", "sha256": "40b3e43ae452b8ba4364d1c4d0c6b7a79485a65182d891ec986426cc31129bd4", "type": "eql", @@ -11294,16 +7650,6 @@ "version": 1 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "NullSessionPipe Registry Modification", - "sha256": "84f5b0cc9b45784f5f3268b1f1cd252e3e460a30225570b04bd90ed819e7cd75", - "type": "eql", - "version": 112 - } - }, "rule_name": "NullSessionPipe Registry Modification", "sha256": "e723d0b3254745f488ccac62bb67e6d2f069196659d17cf778fb42a524933135", "type": "eql", @@ -11316,16 +7662,6 @@ "version": 4 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "d8c2c36ac62b1821bf4164411d30ffcb97ae6b3ec8b2736dffe412305fa71633", - "type": "eql", - "version": 114 - } - }, "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "8a6ba13f0dda67fe805dbee6d884a1189538027f029d6401919c7a92c9ed24ab", "type": "eql", 
@@ -11350,16 +7686,6 @@ "version": 9 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "92bb89bd0e84c9232dcf024b09b211d04bf914a34e8ebcfcc2700c0f9f4154f6", - "type": "machine_learning", - "version": 107 - } - }, "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "e7e813348ed80c496689f948ecd7de5edfefb9f63b906114a57bb6798b9253ae", "type": "machine_learning", @@ -11396,16 +7722,6 @@ "version": 100 }, "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 102, - "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "f14455fd6ea9bdc73123f4c69cb12843cfcbe7747b51b622198eb087bb953f08", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential privilege escalation via CVE-2022-38028", "sha256": "2b622d8bb5228a5ab103d2c5197eab64a8c1a0977cbc0594097fe979c66d2034", "type": "eql", 
@@ -11424,32 +7740,12 @@ "version": 103 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "be3e036bd85d0139f9025316971ebdafff2b115de3d7e46ecf4a12fc2b17fb34", - "type": "eql", - "version": 110 - } - }, "rule_name": "KRBTGT Delegation Backdoor", "sha256": "cabb2f1ee545a8afab4bdfae8d8fbb983de8802e1eaec837f32286aad16a00e2", "type": "eql", "version": 210 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "System Service Discovery through built-in Windows Utilities", - "sha256": "71df05db291794ae655d563c9f6cc812bb3c8ebd1f3b076fb3103cc1a9af152b", - "type": "eql", - "version": 10 - } - }, "rule_name": "System Service Discovery through built-in Windows Utilities", "sha256": "edb551d4e6634b6ecd115cc56d888b82abb68d7b87cc04db6f15ca884e5b3c91", "type": "eql", @@ -11458,19 +7754,12 @@ "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 310, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5", "type": "threshold", "version": 212 - }, - "8.14": { - "max_allowable_version": 411, - "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5", - "type": "threshold", - "version": 313 } }, "rule_name": "Attempts to Brute Force an Okta User Account", 
@@ -11533,16 +7822,6 @@ "version": 105 }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "aceeffb1d2d30da61a5c975b4c978c1a8dd0687ddac7214c80ae21c9067eadfc", - "type": "query", - "version": 114 - } - }, "rule_name": "Suspicious .NET Reflection via PowerShell", "sha256": "ed908ff078c5a2e7569fc9967c30cc040397ed9122a09287031c0a4e5d04e377", "type": "query", @@ -11573,32 +7852,12 @@ "version": 3 }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "59e0f66055f6ca2de75fc83f80895d38b0544cb232a27c17b5ad274d18842db7", - "type": "eql", - "version": 10 - } - }, "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", "sha256": "a3074187de9cbb825e91c16b2cf56280f48b19fbb58b6e294f6e007a3ebe7b47", "type": "eql", "version": 211 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "a78175d51ef889c2e09cfd59e2c1dd26ee7b7467cde848968753b8be8402a5ff", - "type": "eql", - "version": 112 - } - }, "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", "sha256": "a02677e7cd9c71dad3cf902389ff330aa11d7e30af8f5186022a8942cbd0a39b", "type": "eql", 
@@ -11617,16 +7876,6 @@ "version": 103 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Process Activity via Compiled HTML File", - "sha256": "820ccc16d8a4a8f7fc46cc17069ec359a736b3d3803d156ed511f05a771b7416", - "type": "eql", - "version": 114 - } - }, "rule_name": "Process Activity via Compiled HTML File", "sha256": "02f5e8471f2ec0c5b618a104a190faf75c17cbac5c9d84ac619dd6dbc1ceaee5", "type": "eql", @@ -11645,16 +7894,6 @@ "version": 104 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "15425280f466c2729b02c0af122c6c595b30165cd51c4f683fee546070d396a0", - "type": "eql", - "version": 108 - } - }, "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", "sha256": "151650631c31a43c201b4eaea3749b4f13790dd576c4420057b75b9cd51c740b", "type": "eql", @@ -11667,16 +7906,6 @@ "version": 216 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 104, - "rule_name": "First Time Seen NewCredentials Logon Process", - "sha256": "9041b77e8259e34d407916d77afca09bc12083780a68fa76b3ab0f545ec0a85b", - "type": "new_terms", - "version": 7 - } - }, "rule_name": "First Time Seen NewCredentials Logon Process", "sha256": "7f8cbe7c809f5f6439380cc95e39d43499010dcce8d9d9e5c86366cd832ca302", "type": "new_terms", 
@@ -11685,19 +7914,12 @@ "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Modify an Okta Network Zone", @@ -11706,32 +7928,12 @@ "version": 411 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 205, - "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "5c7d57bc4534a2a0e0954dc8aac857d465f5fe162da03efd1c900a9ac9680bcf", - "type": "eql", - "version": 108 - } - }, "rule_name": "Service Creation via Local Kerberos Authentication", "sha256": "a46f14f105c573fc3663af37227e949ac9d8ff5771cfe823163a5b5a839f60ba", "type": "eql", "version": 208 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "e4f8a8d92eb2a30728e395c24a0e1fefe6b75222d110fcf1b87cd80b2dccc30a", - "type": "query", - "version": 114 - } - }, "rule_name": "Kerberos Pre-authentication Disabled for User", "sha256": "f7c403156a8b86200d6bd124b68887764d5362fc6b53b8468bccd221b4d9fe55", "type": "eql", 
@@ -11764,19 +7966,12 @@ "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 307, "rule_name": "Possible Okta DoS Attack", "sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Possible Okta DoS Attack", - "sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8", - "type": "query", - "version": 310 } }, "rule_name": "Possible Okta DoS Attack", @@ -11803,16 +7998,6 @@ "version": 4 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 206, - "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "8e916c6e5e28236cf4e78bb6c9a7cb8991800d108c6dce8a147b6196ae27b89c", - "type": "eql", - "version": 108 - } - }, "rule_name": "Execution of Persistent Suspicious Program", "sha256": "745553dd4b4f167afb3f9d8aa2a73cb88e8a9984dbee97b741c011740ea72306", "type": "eql", @@ -11821,19 +8006,12 @@ "e72f87d0-a70e-4f8d-8443-a6407bc34643": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 205, "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "0eb9b50416c959551b3b273ef5326ae8b96145ec4ea717bee0033ea99d133af6", "type": "eql", "version": 107 - }, - "8.14": { - "max_allowable_version": 305, - "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "123c8d391974a063625df859c1b10d7a95232b0f02f302c5097d70074e697164", - "type": "eql", - "version": 207 } }, "rule_name": "Suspicious WMI Event Subscription Created", 
@@ -11854,16 +8032,6 @@ "version": 4 }, "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "0bea98ee6e9ce10eac166784de0d4aeceb2b4e690051357201bb91cffc7e5edb", - "type": "eql", - "version": 2 - } - }, "rule_name": "Unusual Execution via Microsoft Common Console File", "sha256": "8b9fb79800f9757717537734e0e8fd81eb27c77c51f3bea4933b4026af77e360", "type": "eql", 
@@ -11888,48 +8056,18 @@ "version": 3 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "e9a897b3d6e54d43b0c0b67f4ddcda48e4a01a450374c5953fbfc9e6a13c0568", - "type": "eql", - "version": 114 - } - }, "rule_name": "Service Control Spawned via Script Interpreter", "sha256": "88531315d5644d775abd814a7f79203b41a18642843ce25dbd7516e740d6ed2a", "type": "eql", "version": 215 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Installation of Security Support Provider", - "sha256": "b539da6b7c1b1227bdb42936daceee9540ba7d0f3605ee4daa85bd0c836ac05a", - "type": "eql", - "version": 110 - } - }, "rule_name": "Installation of Security Support Provider", "sha256": "d3e972fca563427e3d76bb4395afc5f71c455501294696f9dc6df982b1d28abe", "type": "eql", "version": 310 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "e8fd6440c6d6d88986539c259693d1ee14c53bbebd9bce21eab23ced642d5c02", - "type": "eql", - "version": 8 - } - }, "rule_name": "Host Files System Changes via Windows Subsystem for Linux", "sha256": "a50076fcb40d588e056f081e1168588950939d6c95a97f2facfed56882ce6f9e", "type": "eql", 
@@ -11950,19 +8088,12 @@ "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 310, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4", "type": "threshold", "version": 212 - }, - "8.14": { - "max_allowable_version": 411, - "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4", - "type": "threshold", - "version": 313 } }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", @@ -11983,16 +8114,6 @@ "version": 5 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "6ef104d85ec9575226338908f304d5def68a7412883399913f6bb68378d6decb", - "type": "eql", - "version": 112 - } - }, "rule_name": "Unusual Executable File Creation by a System Critical Process", "sha256": "2ec2b40b6d719512b8aedec3c65efa2e1ce6b38aa2dfb387edf32b43516c9421", "type": "eql", @@ -12029,16 +8150,6 @@ "version": 100 }, "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Unusual Process Spawned by a Parent Process", - "sha256": "9305b82ec96b801a1ce3d03306069610691b62051ca30252e654c38b624f7c55", - "type": "machine_learning", - "version": 8 - } - }, "rule_name": "Unusual Process Spawned by a Parent Process", "sha256": "263dc5090dd778a47400fbeb93a47512defec5bc3e78d7bdd173ab8dd1c95910", "type": "machine_learning", 
@@ -12069,32 +8180,12 @@ "version": 104 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 105, - "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", - "sha256": "0df8fef46aadb6e55f99fcb160c20a7c50b5b97687a0ae824409284676656051", - "type": "query", - "version": 7 - } - }, "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", "sha256": "34b8cb6cbafa6c8284ce99c7c6cc95be28e2423a480b5e56d46de73e21ecb72a", "type": "query", "version": 107 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb", - "type": "query", - "version": 113 - } - }, "rule_name": "PowerShell Kerberos Ticket Request", "sha256": "d7f6edb6af54dfc5d3bce2f5f8cd4bd2b869f751dbfe299e4cff67a302c6cae8", "type": "query", 
@@ -12120,48 +8211,18 @@ "version": 212 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140", - "type": "eql", - "version": 110 - } - }, "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "b5e1dca924f5d9acc2bbfe1082785ef9458b056c40140e162d7526060d6bdbdb", "type": "eql", "version": 412 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "IIS HTTP Logging Disabled", - "sha256": "3195012ac10b6acb9ebb4755275fdac561d8f506d8cef35b17fd47c2ab509787", - "type": "eql", - "version": 112 - } - }, "rule_name": "IIS HTTP Logging Disabled", "sha256": "1a2121317ae7d1b300b92ea3307889c9851bd10a65e714b8f37ba6fbf52f179f", "type": "eql", "version": 313 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Process Execution from an Unusual Directory", - "sha256": "076b7a80f89f6a6f1a3081a38ce953a5acf2175da6922f04cbe0f6d6a55b0356", - "type": "eql", - "version": 115 - } - }, "rule_name": "Process Execution from an Unusual Directory", "sha256": "789d46c9447286758f21fbcf2f6f2d2c30de369ac38a78bbbd0d8a8518e422aa", "type": "eql", @@ -12210,16 +8271,6 @@ "version": 103 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "AdFind Command Activity", - "sha256": "d60af1f28f9f81685a9aa0c7a36a0cb1c35ba51859da6d4ebddbc8bb02ac9907", - "type": "eql", - "version": 114 - } - }, "rule_name": "AdFind Command Activity", "sha256": "b05a29a436ac542b88bb1e6c8d05c378015f4988803a39a6e5f4c0be47607513", "type": "eql", 
@@ -12228,19 +8279,12 @@ "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94", "type": "query", "version": 210 - }, - "8.14": { - "max_allowable_version": 409, - "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94", - "type": "query", - "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Application", @@ -12249,16 +8293,6 @@ "version": 411 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "58dd0e1e34abe8443249ad67198996b183471f4fc2f883d57058fd29a584325c", - "type": "eql", - "version": 115 - } - }, "rule_name": "ImageLoad via Windows Update Auto Update Client", "sha256": "36fe3eb7700258bcd9214dcd215ae71c9a1def542f197f5e822450a297d327b9", "type": "eql", @@ -12273,19 +8307,12 @@ "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 205, "rule_name": "Okta FastPass Phishing Detection", "sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24", "type": "query", "version": 107 - }, - "8.14": { - "max_allowable_version": 306, - "rule_name": "Okta FastPass Phishing Detection", - "sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24", - "type": "query", - "version": 208 } }, "rule_name": "Okta FastPass Phishing Detection", 
@@ -12294,16 +8321,6 @@ "version": 308 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Unusual Print Spooler Child Process", - "sha256": "5bc2e722e6fb7b61ce923befd4ce4b3a3d8fdacf1290dba7ec5ea911760c53e8", - "type": "eql", - "version": 111 - } - }, "rule_name": "Unusual Print Spooler Child Process", "sha256": "e9bd712f3f743bd51f11e419a9ab89603ed0cf358d4fc912e877907e172a2080", "type": "eql", @@ -12346,16 +8363,6 @@ "version": 3 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Whoami Process Activity", - "sha256": "b020b8f8487dff043ed4f8e013dc6aee3af6d55ecfbd53cb47b9537f140e9427", - "type": "eql", - "version": 114 - } - }, "rule_name": "Whoami Process Activity", "sha256": "311d843fda11fcbf852fdb41fc87dd280481e8bd3d0b7319527aba5059fe4954", "type": "eql", @@ -12368,16 +8375,6 @@ "version": 5 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "23beebafef0bf295f6aaf5f99044dc15f8db23dfc7a6f68d46c1cb7a9416c43b", - "type": "eql", - "version": 109 - } - }, "rule_name": "Unusual Child Processes of RunDLL32", "sha256": "6f3bb7099a9a769fb898a67560799db56ad58c5624c016b1d46a98b1bd12e651", "type": "eql", 
@@ -12392,19 +8389,12 @@ "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 307, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6", - "type": "query", - "version": 310 } }, "rule_name": "Administrator Role Assigned to an Okta User", @@ -12455,16 +8445,6 @@ "version": 3 }, "f243fe39-83a4-46f3-a3b6-707557a102df": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 104, - "rule_name": "Service Path Modification", - "sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599", - "type": "eql", - "version": 5 - } - }, "rule_name": "Service Path Modification", "sha256": "a707712ab1a8884c4ac8dd000630745507c22979577802994c2e9d0ab4b5e091", "type": "eql", 
@@ -12496,32 +8476,12 @@ "version": 2 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "SIP Provider Modification", - "sha256": "3171aedb786a6c4346ca2d6e875c736ea14d23e12331aeea3c994e5dca963238", - "type": "eql", - "version": 111 - } - }, "rule_name": "SIP Provider Modification", "sha256": "e0ac3c29d4a3e05055331a8c99eae6dec675fdf4637d6585c80557b3dc879681", "type": "eql", "version": 311 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "LSASS Memory Dump Creation", - "sha256": "f8cbd6a379d828f24d80c53ac9f923bccfcf5f6db7532cf8567c55c09446dae2", - "type": "eql", - "version": 112 - } - }, "rule_name": "LSASS Memory Dump Creation", "sha256": "accf15ffd7f736c713d38e6f024889430d4031685a6588588249bb092332d720", "type": "eql", @@ -12546,16 +8506,6 @@ "version": 6 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "WMI Incoming Lateral Movement", - "sha256": "bf322fd08b8f2bfd47228ee56470b9301a500aa181f75f9594d50ed79033e3a5", - "type": "eql", - "version": 111 - } - }, "rule_name": "WMI Incoming Lateral Movement", "sha256": "0362f87f30104a3705ec25a5424fbfe8a39cde9dc0337cda33dfc8426b0522bb", "type": "eql", @@ -12586,7 +8536,6 @@ "version": 8 }, "f401a0e3-5eeb-4591-969a-f435488e7d12": { - "min_stack_version": "8.14", "rule_name": "Remote Desktop File Opened from Suspicious Path", "sha256": "ee6f8d0f53cd74d79393a04a0a83fb95d10b020160092e227b0db1f484289f16", "type": "eql", 
@@ -12599,16 +8548,6 @@ "version": 8 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "d8fa297a02bd05755728ee6202070fef2ebc8f2f5ae3d46617d78034d80e24bd", - "type": "eql", - "version": 109 - } - }, "rule_name": "Persistence via Microsoft Office AddIns", "sha256": "67cc9ea0dae5af83aac83f80454998408a24eeb1e521ae441963e51278f54b7a", "type": "eql", @@ -12621,16 +8560,6 @@ "version": 4 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 212, - "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "9c9490d04847aa87bb7ecf37a56631b96d3e56c1a3fb00b8c6b2fc5739161f46", - "type": "query", - "version": 114 - } - }, "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "sha256": "bec893fc82f770985073646d905e8d123ff1994906b7c611522639f92f1361cb", "type": "query", @@ -12667,16 +8596,6 @@ "version": 8 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Windows Script Executing PowerShell", - "sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c", - "type": "eql", - "version": 112 - } - }, "rule_name": "Windows Script Executing PowerShell", "sha256": "70e912c507ffd352948a3b3477a1ad50a61cbbd2effc94c80291e684c151ed1c", "type": "eql", 
@@ -12689,48 +8608,18 @@ "version": 4 }, "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 107, - "rule_name": "Rare SMB Connection to the Internet", - "sha256": "1a52a9efcabc5597110829afe735c6831cc9b2e64ed6169e8e81459e8669c83c", - "type": "new_terms", - "version": 9 - } - }, "rule_name": "Rare SMB Connection to the Internet", "sha256": "b913881e92e1a38bf6737390fd81a1138292cbd48aa0fb8c2d3c85957650ad7a", "type": "new_terms", "version": 209 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "WRITEDAC Access on Active Directory Object", - "sha256": "7985f5aefba2ea64d65352cb9a8eafeb6764e30498ccb6d629242be6c5b979ab", - "type": "query", - "version": 8 - } - }, "rule_name": "WRITEDAC Access on Active Directory Object", "sha256": "f743162d208f76da7f2a978f2cb537ce0f8849dfe5a42af3ab46246b6bd8371b", "type": "query", "version": 108 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "WMIC Remote Command", - "sha256": "03ff2581fa827afb289f1ed2f6e5aaa30032940c26bdf3b8d440b729539d3e53", - "type": "eql", - "version": 8 - } - }, "rule_name": "WMIC Remote Command", "sha256": "733c3aee481bf3891f180a572bda3b7c68d7c19d1d7a3989c0def03ae9fe0933", "type": "eql", 
@@ -12743,16 +8632,6 @@ "version": 108 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", - "sha256": "a3bc6cca188a55aa33021f1b9c7d396bdde78a3350f1c4fabb974a4fcffa5ca4", - "type": "machine_learning", - "version": 8 - } - }, "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "sha256": "b133ffedcacb83e511e320e25d6f4afc9f2d638fa12afbe470fab88a6009d07a", "type": "machine_learning", @@ -12771,16 +8650,6 @@ "version": 3 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088", - "type": "eql", - "version": 110 - } - }, "rule_name": "Windows Firewall Disabled via PowerShell", "sha256": "af1f6d2bf1fa3cfb4d9c71f51f507b819781648a109443ee036b66be24aca5b9", "type": "eql", @@ -12793,16 +8662,6 @@ "version": 3 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "4b55ce8144feb04c19f2449fa5a4c724ce26861e85a8ff9d63ba91fc24c90ae9", - "type": "eql", - "version": 111 - } - }, "rule_name": "Delete Volume USN Journal with Fsutil", "sha256": "605f5f70bc621228a60d3f975abc644f00df34913b0b363cc8cec5d226e082c1", "type": "eql", 
@@ -12851,16 +8710,6 @@ "version": 2 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "3bb11d5684b0514f8d1a5326d1645b8787ea37ae7731db6df5e7d94945f6ef1c", - "type": "eql", - "version": 113 - } - }, "rule_name": "Persistent Scripts in the Startup Directory", "sha256": "0265f205075afb8a44fcc9339b9b8e7819b11ee960a7fcadff4ef19c40407944", "type": "eql", @@ -12873,16 +8722,6 @@ "version": 4 }, "f81ee52c-297e-46d9-9205-07e66931df26": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "e36c1fdb2b34568b5431017b6d35a86a116bc34c7b9af52fbfeaf4548233dac3", - "type": "eql", - "version": 110 - } - }, "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", "sha256": "fc3a25445b0ecc88878661c840092042b33a21a6b66a2307253219ea04c67913", "type": "eql", @@ -12901,16 +8740,6 @@ "version": 5 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 211, - "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd", - "type": "eql", - "version": 112 - } - }, "rule_name": "Modification of AmsiEnable Registry Key", "sha256": "0514fd1665b1dca73aee98091741b1265ecf43a5d052dae60fc15595c8f553bc", "type": "eql", 
@@ -12924,32 +8753,12 @@ "version": 3 }, "f8822053-a5d2-46db-8c96-d460b12c36ac": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 103, - "rule_name": "Potential Active Directory Replication Account Backdoor", - "sha256": "29c2ae7b2d50ee5ef2f2bcf97f7765c9e3fd3285a0a90abc25a099698c75201d", - "type": "query", - "version": 6 - } - }, "rule_name": "Potential Active Directory Replication Account Backdoor", "sha256": "6ba1bf053fdf699e3aec2f40f34fc6e5a4213ec85fc037f203b85e7f7e59a4d9", "type": "query", "version": 106 }, "f909075d-afc7-42d7-b399-600b94352fd9": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", - "sha256": "e26f15abdf56aa1b61415ba7dc51da814455d36335a30451a9089c7e28074d99", - "type": "eql", - "version": 2 - } - }, "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", "sha256": "2e15e1eb9f168cbe35162f3f54f7fafe7bd69c93f20be54a0724c2a79542ebd7", "type": "eql", @@ -12974,32 +8783,12 @@ "version": 9 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Browser Extension Install", - "sha256": "13264d82b596b30f4a39bca88800139df7d59f7e5714ac3294aecb8adb693f2b", - "type": "eql", - "version": 3 - } - }, "rule_name": "Browser Extension Install", "sha256": "420b3c2fb3cad25f5312065eb38e2944b8220eac1111dba2dd1088b95141b687", "type": "eql", "version": 203 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 109, - "rule_name": "Privileged Account Brute Force", - "sha256": "47b50b29f44c12811728607a941a9e0e41788b4bf9a46e739700c9b40261cd5f", - "type": "eql", - "version": 12 - } - }, "rule_name": "Privileged Account Brute Force", "sha256": "ed7080268b9fbed899ea78e7e762a2895ae5e18afed44aa1df3c997525874bf6", "type": "eql", 
@@ -13008,19 +8797,12 @@ "f994964f-6fce-4d75-8e79-e16ccc412588": { "min_stack_version": "8.15", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 307, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47", "type": "query", "version": 209 - }, - "8.14": { - "max_allowable_version": 408, - "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47", - "type": "query", - "version": 310 } }, "rule_name": "Suspicious Activity Reported by Okta User", @@ -13029,16 +8811,6 @@ "version": 410 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "51e2f2e64af9db1e8aff099e445cf685c9af9929b2a4dc5c5e041d2cd8d6caa9", - "type": "eql", - "version": 114 - } - }, "rule_name": "Remote File Copy to a Hidden Share", "sha256": "f44d655cddfab574bad8ba3b58410fce4204c988aae453914b18474b396ea244", "type": "eql", @@ -13057,16 +8829,6 @@ "version": 9 }, "fa488440-04cc-41d7-9279-539387bf2a17": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 108, - "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "e416bd900c26017a9a2e60990ee7ae09ced3df13618bbbc45b29fb2340de74d1", - "type": "eql", - "version": 11 - } - }, "rule_name": "Suspicious Antimalware Scan Interface DLL", "sha256": "d4eaa3dfb8b078f3a464ad91d4dcd5424f2faf343c977d6dd7df44cc08e87065", "type": "eql", 
@@ -13085,16 +8847,6 @@ "version": 105 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "Network Connection via Registration Utility", - "sha256": "b4eed2ddeb40f2bbedc702c4789e5748c0f303fb263208a2bdcd2974c12346b5", - "type": "eql", - "version": 109 - } - }, "rule_name": "Network Connection via Registration Utility", "sha256": "c04bf7494ed4c20a8a87bbe9bb3f2876b8e92b7af292dfac1b2d2f847593dcad", "type": "eql", @@ -13131,16 +8883,6 @@ "version": 2 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 208, - "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "59543020be10655d8e81766d6a80fb95792cda6820556f739905cb54943ddbce", - "type": "eql", - "version": 110 - } - }, "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "sha256": "afa60af2586a1e3458855aa64f4d3fbbfe063c3f35b3abc5a840d616f77d9841", "type": "eql", 
@@ -13177,48 +8919,18 @@ "version": 100 }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 210, - "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "1ddee753094159e636e994613c0a04ccd3e560927f3709a93fe7d8eff775b79e", - "type": "eql", - "version": 113 - } - }, "rule_name": "Potential Application Shimming via Sdbinst", "sha256": "ecad7f4f5f9d2d94f799155a9d4edf26afe515204c3d70ccf998bb5c38a05820", "type": "eql", "version": 314 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 209, - "rule_name": "Suspicious CertUtil Commands", - "sha256": "379008bb580fbcb724bd44937e0f2111250767511073c4d6fe5bf58915e22fa7", - "type": "eql", - "version": 112 - } - }, "rule_name": "Suspicious CertUtil Commands", "sha256": "b78d113de0bcc2d10346ef3dcedc2bb6f2425ad39eb45da5c6599ebf70360488", "type": "eql", "version": 313 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 317, - "rule_name": "Svchost spawning Cmd", - "sha256": "a61a30ecc9514cb3b5eb1f9d31f97e104e4a51cffd65cbe67fad341835938bfe", - "type": "new_terms", - "version": 220 - } - }, "rule_name": "Svchost spawning Cmd", "sha256": "70083ab8bb26ab3862c4b0f8f287939374e513aa751728554cde9ac66f4f0565", "type": "new_terms", 
@@ -13237,48 +8949,18 @@ "version": 14 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "PowerShell Kerberos Ticket Dump", - "sha256": "87b8915f4df4e07283d519a5459b89600a2e9018c07136f10a454968ecec7522", - "type": "query", - "version": 8 - } - }, "rule_name": "PowerShell Kerberos Ticket Dump", "sha256": "21800d17e1a701df364ecf5e4dc921c47a9978bd53f4290052756476349613b3", "type": "query", "version": 108 }, "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 106, - "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", - "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9", - "type": "query", - "version": 7 - } - }, "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", "sha256": "8c11dd82f0841066ff7939242c462d6f9ae4ab6375851532b649a5cc2c186c9b", "type": "query", "version": 107 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 213, - "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada", - "type": "eql", - "version": 114 - } - }, "rule_name": "Microsoft Windows Defender Tampering", "sha256": "cb03d4fedad0f761b8ee747dbf555bfea74c2931a6f2dd3f82004c0cc1571b65", "type": "eql", 
@@ -13303,16 +8985,6 @@ "version": 2 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 207, - "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329", - "type": "eql", - "version": 108 - } - }, "rule_name": "MS Office Macro Security Registry Modifications", "sha256": "99cf8e49260a71f7e543cba491822d4fa747aac63b25532628d89de61e7b5e56", "type": "eql", @@ -13361,16 +9033,6 @@ "version": 207 }, "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", - "sha256": "142aa8456d0c3151257b8d40bb29b00d7880561940ea1366b6c850725a7fa90b", - "type": "eql", - "version": 2 - } - }, "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", "sha256": "1b182aabc1a25362770238d8e6fbd5d91def7ad420cbd29f0ec914985f603673", "type": "eql", @@ -13385,7 +9047,7 @@ "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "min_stack_version": "8.16", "previous": { - "8.13": { + "8.14": { "max_allowable_version": 106, "rule_name": "Potential Sudo Token Manipulation via Process Injection", "sha256": "b3468a2a0f4b606f04c16270c18b6b7d2a77491078aa852a13f671f64b328173", diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py index d7b8cdf64..98506eeb2 100644 --- a/detection_rules/schemas/__init__.py +++ b/detection_rules/schemas/__init__.py 
@@ -309,6 +309,12 @@ def migrate_to_8_18(version: Version, api_contents: dict) -> dict: return strip_additional_properties(version, api_contents) +@migrate("9.0") +def migrate_to_9_0(version: Version, api_contents: dict) -> dict: + """Default migration for 9.0.""" + return strip_additional_properties(version, api_contents) + + def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict: """Downgrade a rule to a target stack version.""" from ..packaging import current_stack_version diff --git a/pyproject.toml b/pyproject.toml index b77688f81..0cf991bb4 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.0.1" +version = "1.0.2" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml index e0b4e9354..8d556a3e4 100644 --- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/12/21" integration = ["endpoint", "windows", "system"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
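Review bot: The docstring on the new `migrate_to_9_0` says only "Default migration for 9.0." and does not tell a reader whether 9.0 carries any schema-specific field handling or is purely the generic `strip_additional_properties` pass, which matters at a major-version boundary when a 9.0 rule is downgraded through this step. Since the body is byte-identical to `migrate_to_8_18` above it, I would make the docstring say so: `"""Default migration for 9.0: no 9.0-specific field handling, only drops properties the 9.0 schema does not define."""` (hedge with "currently" if that is not yet settled). The growing run of identical one-line default migrations could presumably be registered from a list of versions rather than copied per release, but that is a style choice. `downgrade` continues past the hunk.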
@@ -27,6 +25,41 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Potential Cookies Theft via Browser Debugging" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Cookies Theft via Browser Debugging + +Chromium-based browsers support debugging features that allow developers to inspect and modify web applications. Adversaries can exploit these features to access session cookies, enabling unauthorized access to web services. The detection rule identifies suspicious browser processes using debugging arguments, which may indicate cookie theft attempts, by monitoring specific process names and arguments across different operating systems. + +### Possible investigation steps + +- Review the process details to confirm the presence of suspicious debugging arguments such as "--remote-debugging-port=*", "--remote-debugging-targets=*", or "--remote-debugging-pipe=*". Check if these arguments were used in conjunction with "--user-data-dir=*" and ensure "--remote-debugging-port=0" is not present. +- Identify the user account associated with the suspicious browser process to determine if it aligns with expected behavior or if it might be compromised. +- Investigate the source IP address and network activity associated with the process to identify any unusual or unauthorized access patterns. +- Check for any recent changes or anomalies in the user's account activity, such as unexpected logins or access to sensitive applications. +- Correlate the event with other security alerts or logs to identify if this activity is part of a broader attack pattern or campaign. 
+- If possible, capture and analyze the network traffic associated with the process to detect any data exfiltration attempts or communication with known malicious IP addresses. + +### False positive analysis + +- Development and testing activities may trigger the rule when developers use debugging features for legitimate purposes. To manage this, create exceptions for known developer machines or user accounts frequently involved in web application development. +- Automated testing frameworks that utilize browser debugging for testing web applications can also cause false positives. Identify and exclude processes initiated by these frameworks by specifying their unique process names or user accounts. +- Browser extensions or tools that rely on debugging ports for functionality might be flagged. Review and whitelist these extensions or tools if they are verified as safe and necessary for business operations. +- Remote support or troubleshooting sessions using debugging features can be mistaken for suspicious activity. Implement a policy to log and review such sessions, allowing exceptions for recognized support tools or personnel. +- Continuous integration/continuous deployment (CI/CD) pipelines that involve browser automation may inadvertently match the rule criteria. Exclude these processes by identifying and filtering based on the CI/CD system's user accounts or process identifiers. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious browser processes identified with debugging arguments to stop potential cookie theft in progress. +- Conduct a thorough review of access logs for the affected web applications or services to identify any unauthorized access attempts using stolen cookies. 
+- Invalidate all active sessions for the affected user accounts and force a re-authentication to ensure that any stolen session cookies are rendered useless. +- Implement stricter browser security policies, such as disabling remote debugging features in production environments, to prevent similar exploitation in the future. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised. +- Enhance monitoring and alerting for similar suspicious browser activities by refining detection rules and incorporating additional threat intelligence.""" references = [ "https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", 
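Review bot: The investigation step in this relocated guide that tells analysts to "ensure `--remote-debugging-port=0` is not present" presents the port-0 exclusion as a benign signal without explaining it; the query's `not process.args:"--remote-debugging-port=0"` presumably exists to suppress automation frameworks that let the browser pick an ephemeral port, and as far as I know a debugging endpoint is still opened in that case (Chromium writes the chosen port to a `DevToolsActivePort` file in the profile directory), so an adversary can pass port 0 to stay under this rule. I would reword the bullet to: `Check whether "--remote-debugging-port=0" was used; it is excluded from the query to reduce noise from automation tooling, but it still opens a debugging endpoint, so do not treat it as benign on its own.` The false-positive section could also note this exclusion as a known gap when tuning. The guide text is unchanged by this commit; only its position in the file moved.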
@@ -66,41 +99,6 @@ process where event.type in ("start", "process_started", "info") and "--remote-debugging-pipe=*") and process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Cookies Theft via Browser Debugging - -Chromium-based browsers support debugging features that allow developers to inspect and modify web applications. Adversaries can exploit these features to access session cookies, enabling unauthorized access to web services. The detection rule identifies suspicious browser processes using debugging arguments, which may indicate cookie theft attempts, by monitoring specific process names and arguments across different operating systems. - -### Possible investigation steps - -- Review the process details to confirm the presence of suspicious debugging arguments such as "--remote-debugging-port=*", "--remote-debugging-targets=*", or "--remote-debugging-pipe=*". Check if these arguments were used in conjunction with "--user-data-dir=*" and ensure "--remote-debugging-port=0" is not present. -- Identify the user account associated with the suspicious browser process to determine if it aligns with expected behavior or if it might be compromised. -- Investigate the source IP address and network activity associated with the process to identify any unusual or unauthorized access patterns. -- Check for any recent changes or anomalies in the user's account activity, such as unexpected logins or access to sensitive applications. 
-- Correlate the event with other security alerts or logs to identify if this activity is part of a broader attack pattern or campaign. -- If possible, capture and analyze the network traffic associated with the process to detect any data exfiltration attempts or communication with known malicious IP addresses. - -### False positive analysis - -- Development and testing activities may trigger the rule when developers use debugging features for legitimate purposes. To manage this, create exceptions for known developer machines or user accounts frequently involved in web application development. -- Automated testing frameworks that utilize browser debugging for testing web applications can also cause false positives. Identify and exclude processes initiated by these frameworks by specifying their unique process names or user accounts. -- Browser extensions or tools that rely on debugging ports for functionality might be flagged. Review and whitelist these extensions or tools if they are verified as safe and necessary for business operations. -- Remote support or troubleshooting sessions using debugging features can be mistaken for suspicious activity. Implement a policy to log and review such sessions, allowing exceptions for recognized support tools or personnel. -- Continuous integration/continuous deployment (CI/CD) pipelines that involve browser automation may inadvertently match the rule criteria. Exclude these processes by identifying and filtering based on the CI/CD system's user accounts or process identifiers. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious browser processes identified with debugging arguments to stop potential cookie theft in progress. -- Conduct a thorough review of access logs for the affected web applications or services to identify any unauthorized access attempts using stolen cookies. 
-- Invalidate all active sessions for the affected user accounts and force a re-authentication to ensure that any stolen session cookies are rendered useless. -- Implement stricter browser security policies, such as disabling remote debugging features in production environments, to prevent similar exploitation in the future. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised. -- Enhance monitoring and alerting for similar suspicious browser activities by refining detection rules and incorporating additional threat intelligence.""" [[rule.threat]] diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index 97e4f3921..150a6573e 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,39 +15,6 @@ index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows. language = "eql" license = "Elastic License v2" name = "WebServer Access Logs Deleted" -risk_score = 47 -rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where event.type == "deletion" and - file.path : ("C:\\inetpub\\logs\\LogFiles\\*.log", - "/var/log/apache*/access.log", - "/etc/httpd/logs/access_log", - "/var/log/httpd/access_log", - "/var/www/*/logs/access.log") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -84,6 +49,39 @@ Web server access logs are crucial for monitoring and analyzing web traffic, pro - Review and tighten access controls and permissions on log files to ensure only authorized personnel can modify or delete them. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. - Document the incident, including all actions taken, and update incident response plans to improve future detection and response capabilities.""" +risk_score = 47 +rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac" +setup = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where event.type == "deletion" and + file.path : ("C:\\inetpub\\logs\\LogFiles\\*.log", + "/var/log/apache*/access.log", + "/etc/httpd/logs/access_log", + "/var/log/httpd/access_log", + "/var/www/*/logs/access.log") +''' [[rule.threat]] diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml index 17b0f004b..ed579049f 100644 --- a/rules/cross-platform/impact_hosts_file_modified.toml +++ b/rules/cross-platform/impact_hosts_file_modified.toml 
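Review bot: The relocated query in `WebServer Access Logs Deleted` matches only IIS and Apache/httpd access-log paths, while the rule is tagged `OS: Linux`, `OS: Windows`, `OS: macOS` and named generically; nginx, which by default writes to `/var/log/nginx/access.log`, is not covered, so deleting that file would not alert. I would add `"/var/log/nginx/access.log"` to the `file.path` list. The patterns also match only the live file name, so removal of rotated copies (`access.log.1`, `access.log-YYYYMMDD`) goes undetected; widening to `access.log*` is possible but would need a logrotate exclusion to stay quiet, so at minimum the limitation belongs in the guide. These lines are moved rather than changed by this commit.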
@@ -2,9 +2,7 @@ creation_date = "2020/07/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml index d8058762e..24db21c14 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/19" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] anomaly_threshold = 75 
@@ -20,6 +18,40 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_host" name = "Unusual Process Spawned by a Host" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Process Spawned by a Host + +The detection rule leverages machine learning to identify atypical processes on Windows systems, focusing on those that deviate from normal behavior. Adversaries often exploit legitimate system tools, known as LOLbins, to evade detection. This rule uses the ProblemChild ML model to flag processes that are both statistically unusual and potentially malicious, enhancing detection of stealthy attacks that bypass traditional methods. + +### Possible investigation steps + +- Review the process details flagged by the ProblemChild ML model, including the process name, path, and command line arguments, to understand its nature and potential purpose. +- Check the parent process of the flagged process to determine if it was spawned by a legitimate application or a known LOLbin, which might indicate a Living off the Land attack. +- Investigate the host's historical activity to assess whether this process or similar ones have been executed previously, focusing on any patterns of unusual behavior. +- Correlate the process activity with user logins and network connections to identify any suspicious user behavior or external communications that coincide with the process execution. +- Examine the system's security logs for any related alerts or anomalies around the time the process was detected, which might provide additional context or evidence of malicious activity. 
+ +### False positive analysis + +- Routine administrative tasks may trigger false positives if they involve unusual processes or tools not commonly used on the host. Users can create exceptions for these known tasks to prevent unnecessary alerts. +- Software updates or installations can spawn processes that are atypical but benign. Identifying and excluding these processes during known maintenance windows can reduce false positives. +- Custom scripts or automation tools that mimic LOLbins behavior might be flagged. Users should document and whitelist these scripts if they are verified as safe and necessary for operations. +- Legitimate third-party applications that use system binaries in uncommon ways may be misclassified. Regularly review and update the list of approved applications to ensure they are not mistakenly flagged. +- Temporary spikes in unusual processes due to legitimate business activities, such as end-of-quarter reporting, can be managed by adjusting the detection thresholds or temporarily disabling the rule during these periods. + +### Response and remediation + +- Isolate the affected host from the network to prevent further spread or communication with potential command and control servers. +- Terminate the suspicious process identified by the ProblemChild ML model to halt any ongoing malicious activity. +- Conduct a thorough review of the process's parent and child processes to identify any additional malicious activity or persistence mechanisms. +- Remove any identified LOLbins or unauthorized tools used by the adversary from the system to prevent further exploitation. +- Restore the affected system from a known good backup if any system integrity issues are detected. +- Update endpoint protection and monitoring tools to ensure they can detect similar threats in the future, focusing on the specific techniques used in this incident. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", 
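Review bot: The "Response and remediation" step `Remove any identified LOLbins or unauthorized tools used by the adversary from the system` is unsafe advice: LOLbins are by definition legitimate, signed operating-system binaries (the guide itself calls them "legitimate system tools"), and deleting them breaks the host rather than the attacker. I would reword it to `Remove any unauthorized tools or payloads dropped by the adversary; for legitimate system binaries abused as LOLbins, restrict or monitor their use with application control rather than deleting them.` The guide text is only moved by this commit, so the point applies to the existing guidance as much as to its new position.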
@@ -58,40 +90,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Process Spawned by a Host - -The detection rule leverages machine learning to identify atypical processes on Windows systems, focusing on those that deviate from normal behavior. Adversaries often exploit legitimate system tools, known as LOLbins, to evade detection. This rule uses the ProblemChild ML model to flag processes that are both statistically unusual and potentially malicious, enhancing detection of stealthy attacks that bypass traditional methods. - -### Possible investigation steps - -- Review the process details flagged by the ProblemChild ML model, including the process name, path, and command line arguments, to understand its nature and potential purpose. -- Check the parent process of the flagged process to determine if it was spawned by a legitimate application or a known LOLbin, which might indicate a Living off the Land attack. -- Investigate the host's historical activity to assess whether this process or similar ones have been executed previously, focusing on any patterns of unusual behavior. -- Correlate the process activity with user logins and network connections to identify any suspicious user behavior or external communications that coincide with the process execution. -- Examine the system's security logs for any related alerts or anomalies around the time the process was detected, which might provide additional context or evidence of malicious activity. 
- -### False positive analysis - -- Routine administrative tasks may trigger false positives if they involve unusual processes or tools not commonly used on the host. Users can create exceptions for these known tasks to prevent unnecessary alerts. -- Software updates or installations can spawn processes that are atypical but benign. Identifying and excluding these processes during known maintenance windows can reduce false positives. -- Custom scripts or automation tools that mimic LOLbins behavior might be flagged. Users should document and whitelist these scripts if they are verified as safe and necessary for operations. -- Legitimate third-party applications that use system binaries in uncommon ways may be misclassified. Regularly review and update the list of approved applications to ensure they are not mistakenly flagged. -- Temporary spikes in unusual processes due to legitimate business activities, such as end-of-quarter reporting, can be managed by adjusting the detection thresholds or temporarily disabling the rule during these periods. - -### Response and remediation - -- Isolate the affected host from the network to prevent further spread or communication with potential command and control servers. -- Terminate the suspicious process identified by the ProblemChild ML model to halt any ongoing malicious activity. -- Conduct a thorough review of the process's parent and child processes to identify any additional malicious activity or persistence mechanisms. -- Remove any identified LOLbins or unauthorized tools used by the adversary from the system to prevent further exploitation. -- Restore the affected system from a known good backup if any system integrity issues are detected. -- Update endpoint protection and monitoring tools to ensure they can detect similar threats in the future, focusing on the specific techniques used in this incident. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml index 7383e362e..abb8bb47e 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] anomaly_threshold = 75 
@@ -20,6 +18,42 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_rare_process_by_parent"
 name = "Unusual Process Spawned by a Parent Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Process Spawned by a Parent Process
+
+In Windows environments, processes are often spawned by parent processes to perform legitimate tasks. However, adversaries can exploit this by using legitimate tools, known as LOLbins, to execute malicious activities stealthily. The detection rule leverages machine learning to identify anomalies in process creation patterns, flagging processes that deviate from typical behavior, thus uncovering potential threats that evade traditional detection methods.
+
+### Possible investigation steps
+
+- Review the parent process and child process names to determine if they are known legitimate applications or if they are commonly associated with LOLbins or other malicious activities.
+- Check the process creation time and correlate it with any known user activity or scheduled tasks to identify if the process execution aligns with expected behavior.
+- Investigate the command line arguments used by the suspicious process to identify any unusual or potentially malicious commands or scripts being executed.
+- Analyze the network activity associated with the process to detect any suspicious outbound connections or data exfiltration attempts.
+- Examine the file path and hash of the executable to verify its legitimacy and check against known malware databases or threat intelligence sources.
+- Review any recent changes to the system, such as software installations or updates, that might explain the unusual process behavior.
+- Consult endpoint detection and response (EDR) logs or other security tools to gather additional context and evidence related to the process and its activities.
+
+### False positive analysis
+
+- Legitimate administrative tools like PowerShell or command prompt may be flagged when used for routine tasks. Users can create exceptions for these tools when executed by known and trusted parent processes.
+- Software updates or installations often spawn processes that might appear unusual. Exclude these processes by identifying their typical parent-child relationships during updates.
+- Custom scripts or automation tools used within the organization might trigger alerts. Document these scripts and their expected behavior to create exceptions for them.
+- Frequent use of remote management tools can lead to false positives. Ensure these tools are whitelisted when used by authorized personnel.
+- Regularly review and update the list of exceptions to accommodate changes in legitimate process behaviors over time.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
+- Terminate the suspicious process identified by the alert to stop any ongoing malicious actions.
+- Conduct a thorough analysis of the process and its parent to understand the scope of the compromise and identify any additional malicious activities or files.
+- Remove any malicious files or artifacts associated with the process from the system to ensure complete remediation.
+- Restore the system from a known good backup if the integrity of the system is compromised beyond repair.
+- Update and patch the system to close any vulnerabilities that may have been exploited by the adversary.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 "https://docs.elastic.co/en/integrations/problemchild",
@@ -58,42 +92,6 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Process Spawned by a Parent Process
-
-In Windows environments, processes are often spawned by parent processes to perform legitimate tasks. However, adversaries can exploit this by using legitimate tools, known as LOLbins, to execute malicious activities stealthily. The detection rule leverages machine learning to identify anomalies in process creation patterns, flagging processes that deviate from typical behavior, thus uncovering potential threats that evade traditional detection methods.
-
-### Possible investigation steps
-
-- Review the parent process and child process names to determine if they are known legitimate applications or if they are commonly associated with LOLbins or other malicious activities.
-- Check the process creation time and correlate it with any known user activity or scheduled tasks to identify if the process execution aligns with expected behavior.
-- Investigate the command line arguments used by the suspicious process to identify any unusual or potentially malicious commands or scripts being executed.
-- Analyze the network activity associated with the process to detect any suspicious outbound connections or data exfiltration attempts.
-- Examine the file path and hash of the executable to verify its legitimacy and check against known malware databases or threat intelligence sources.
-- Review any recent changes to the system, such as software installations or updates, that might explain the unusual process behavior.
-- Consult endpoint detection and response (EDR) logs or other security tools to gather additional context and evidence related to the process and its activities.
-
-### False positive analysis
-
-- Legitimate administrative tools like PowerShell or command prompt may be flagged when used for routine tasks. Users can create exceptions for these tools when executed by known and trusted parent processes.
-- Software updates or installations often spawn processes that might appear unusual. Exclude these processes by identifying their typical parent-child relationships during updates.
-- Custom scripts or automation tools used within the organization might trigger alerts. Document these scripts and their expected behavior to create exceptions for them.
-- Frequent use of remote management tools can lead to false positives. Ensure these tools are whitelisted when used by authorized personnel.
-- Regularly review and update the list of exceptions to accommodate changes in legitimate process behaviors over time.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
-- Terminate the suspicious process identified by the alert to stop any ongoing malicious actions.
-- Conduct a thorough analysis of the process and its parent to understand the scope of the compromise and identify any additional malicious activities or files.
-- Remove any malicious files or artifacts associated with the process from the system to ensure complete remediation.
-- Restore the system from a known good backup if the integrity of the system is compromised beyond repair.
-- Update and patch the system to close any vulnerabilities that may have been exploited by the adversary.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
index ef3e3edf8..513d1a8b8 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 75
@@ -21,6 +19,41 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_rare_process_by_user"
 name = "Unusual Process Spawned by a User"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Process Spawned by a User
+
+The detection of unusual processes spawned by users leverages machine learning to identify anomalies in user behavior and process execution. Adversaries often exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag processes that deviate from typical user activity, indicating potential misuse or masquerading tactics.
+
+### Possible investigation steps
+
+- Review the user context associated with the alert to determine if the user has a history of spawning unusual processes or if this is an isolated incident.
+- Examine the specific process flagged by the alert, including its command line arguments, parent process, and any associated network activity, to identify potential indicators of compromise.
+- Check for the presence of known LOLbins or other legitimate tools that may have been exploited, as indicated by the alert's focus on defense evasion tactics.
+- Investigate any recent changes in the user's behavior or system configuration that could explain the anomaly, such as software updates or new application installations.
+- Correlate the alert with other security events or logs from the same timeframe to identify any related suspicious activities or patterns.
+- Assess the risk score and severity level in the context of the organization's threat landscape to prioritize the response and determine if further action is needed.
+
+### False positive analysis
+
+- Legitimate administrative tools may trigger false positives if they are used in atypical contexts. Users should review the context of the process execution and, if deemed safe, add these tools to an exception list to prevent future alerts.
+- Scheduled tasks or scripts that run infrequently might be flagged as unusual. Verify the legitimacy of these tasks and consider excluding them if they are part of regular maintenance or updates.
+- Software updates or installations can spawn processes that appear anomalous. Confirm the source and purpose of these updates, and if they are routine, create exceptions for these specific processes.
+- Developers or IT personnel using command-line tools for legitimate purposes may trigger alerts. Evaluate the necessity of these tools in their workflow and whitelist them if they are consistently used in a non-malicious manner.
+- New or infrequently used applications might be flagged due to lack of historical data. Assess the application's legitimacy and, if appropriate, add it to a list of known safe applications to reduce false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
+- Terminate the suspicious process identified by the alert to halt any ongoing malicious activity.
+- Conduct a thorough review of the user's recent activity and access logs to identify any unauthorized actions or data access.
+- Reset the credentials of the affected user account to prevent further unauthorized access, ensuring that strong, unique passwords are used.
+- Scan the system for additional indicators of compromise, such as other unusual processes or modifications to system files, and remove any identified threats.
+- Restore the system from a known good backup if any critical system files or configurations have been altered.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 "https://docs.elastic.co/en/integrations/problemchild",
@@ -59,41 +92,6 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Process Spawned by a User
-
-The detection of unusual processes spawned by users leverages machine learning to identify anomalies in user behavior and process execution. Adversaries often exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag processes that deviate from typical user activity, indicating potential misuse or masquerading tactics.
-
-### Possible investigation steps
-
-- Review the user context associated with the alert to determine if the user has a history of spawning unusual processes or if this is an isolated incident.
-- Examine the specific process flagged by the alert, including its command line arguments, parent process, and any associated network activity, to identify potential indicators of compromise.
-- Check for the presence of known LOLbins or other legitimate tools that may have been exploited, as indicated by the alert's focus on defense evasion tactics.
-- Investigate any recent changes in the user's behavior or system configuration that could explain the anomaly, such as software updates or new application installations.
-- Correlate the alert with other security events or logs from the same timeframe to identify any related suspicious activities or patterns.
-- Assess the risk score and severity level in the context of the organization's threat landscape to prioritize the response and determine if further action is needed.
-
-### False positive analysis
-
-- Legitimate administrative tools may trigger false positives if they are used in atypical contexts. Users should review the context of the process execution and, if deemed safe, add these tools to an exception list to prevent future alerts.
-- Scheduled tasks or scripts that run infrequently might be flagged as unusual. Verify the legitimacy of these tasks and consider excluding them if they are part of regular maintenance or updates.
-- Software updates or installations can spawn processes that appear anomalous. Confirm the source and purpose of these updates, and if they are routine, create exceptions for these specific processes.
-- Developers or IT personnel using command-line tools for legitimate purposes may trigger alerts. Evaluate the necessity of these tools in their workflow and whitelist them if they are consistently used in a non-malicious manner.
-- New or infrequently used applications might be flagged due to lack of historical data. Assess the application's legitimacy and, if appropriate, add it to a list of known safe applications to reduce false positives.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
-- Terminate the suspicious process identified by the alert to halt any ongoing malicious activity.
-- Conduct a thorough review of the user's recent activity and access logs to identify any unauthorized actions or data access.
-- Reset the credentials of the affected user account to prevent further unauthorized access, ensuring that strong, unique passwords are used.
-- Scan the system for additional indicators of compromise, such as other unusual processes or modifications to system files, and remove any identified threats.
-- Restore the system from a known good backup if any critical system files or configurations have been altered.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
index 204ac3433..398db64af 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,41 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
+
+The detection leverages a machine learning model, ProblemChild, to identify potentially malicious Windows processes by analyzing patterns and assigning a high probability score to suspicious activities. Adversaries may exploit legitimate processes to evade detection, often using techniques like masquerading. This rule flags high-risk events by focusing on processes with a high malicious probability score or those identified by a blocklist, excluding known benign activities.
+
+### Possible investigation steps
+
+- Review the process details flagged by the ProblemChild model, focusing on those with a prediction probability greater than 0.98 or identified by the blocklist.
+- Examine the command-line arguments of the suspicious process to identify any unusual or unexpected patterns, excluding those matching known benign patterns like "*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*" or "*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*".
+- Check the parent process of the flagged event to determine if it is a legitimate process or if it has been potentially compromised.
+- Investigate the user account associated with the process to assess if it has been involved in any other suspicious activities or if it has elevated privileges that could be exploited.
+- Correlate the event with other security alerts or logs to identify any related activities or patterns that could indicate a broader attack campaign.
+- Consult threat intelligence sources to determine if the process or its associated indicators are linked to known malicious activities or threat actors.
+
+### False positive analysis
+
+- Nessus scan files in the Windows temp directory may trigger false positives due to their temporary nature and frequent legitimate use. Users can mitigate this by adding exceptions for file paths like C:\\WINDOWS\\temp\\nessus_*.txt and C:\\WINDOWS\\temp\\nessus_*.tmp.
+- Legitimate software updates or installations might be flagged if they mimic known malicious patterns. Users should review the process details and whitelist trusted software update processes.
+- System administration tools that perform actions similar to those used in attacks could be misidentified. Users should verify the legitimacy of these tools and exclude them from the rule if they are part of regular administrative tasks.
+- Custom scripts or automation tools that are not widely recognized might be flagged. Users should ensure these scripts are secure and add them to an allowlist if they are part of routine operations.
+- Frequent false positives from specific processes can be managed by adjusting the threshold of the machine learning model or refining the blocklist to better distinguish between benign and malicious activities.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of potential malicious activity.
+- Terminate the suspicious process identified by the ProblemChild model to halt any ongoing malicious actions.
+- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats.
+- Review and analyze the process execution history and associated files to understand the scope of the compromise and identify any persistence mechanisms.
+- Restore any altered or deleted files from backups, ensuring that the backup is clean and free from malware.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for similar processes and activities to detect and respond to future attempts at masquerading or defense evasion."""
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 "https://docs.elastic.co/en/integrations/problemchild",
@@ -63,41 +96,6 @@ query = ''' process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score - -The detection leverages a machine learning model, ProblemChild, to identify potentially malicious Windows processes by analyzing patterns and assigning a high probability score to suspicious activities. Adversaries may exploit legitimate processes to evade detection, often using techniques like masquerading. This rule flags high-risk events by focusing on processes with a high malicious probability score or those identified by a blocklist, excluding known benign activities. - -### Possible investigation steps - -- Review the process details flagged by the ProblemChild model, focusing on those with a prediction probability greater than 0.98 or identified by the blocklist. -- Examine the command-line arguments of the suspicious process to identify any unusual or unexpected patterns, excluding those matching known benign patterns like "*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*" or "*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*". -- Check the parent process of the flagged event to determine if it is a legitimate process or if it has been potentially compromised. -- Investigate the user account associated with the process to assess if it has been involved in any other suspicious activities or if it has elevated privileges that could be exploited. 
-- Correlate the event with other security alerts or logs to identify any related activities or patterns that could indicate a broader attack campaign.
-- Consult threat intelligence sources to determine if the process or its associated indicators are linked to known malicious activities or threat actors.
-
-### False positive analysis
-
-- Nessus scan files in the Windows temp directory may trigger false positives due to their temporary nature and frequent legitimate use. Users can mitigate this by adding exceptions for file paths like C:\\WINDOWS\\temp\\nessus_*.txt and C:\\WINDOWS\\temp\\nessus_*.tmp.
-- Legitimate software updates or installations might be flagged if they mimic known malicious patterns. Users should review the process details and whitelist trusted software update processes.
-- System administration tools that perform actions similar to those used in attacks could be misidentified. Users should verify the legitimacy of these tools and exclude them from the rule if they are part of regular administrative tasks.
-- Custom scripts or automation tools that are not widely recognized might be flagged. Users should ensure these scripts are secure and add them to an allowlist if they are part of routine operations.
-- Frequent false positives from specific processes can be managed by adjusting the threshold of the machine learning model or refining the blocklist to better distinguish between benign and malicious activities.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of potential malicious activity.
-- Terminate the suspicious process identified by the ProblemChild model to halt any ongoing malicious actions.
-- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats.
-- Review and analyze the process execution history and associated files to understand the scope of the compromise and identify any persistence mechanisms.
-- Restore any altered or deleted files from backups, ensuring that the backup is clean and free from malware.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Implement enhanced monitoring and logging for similar processes and activities to detect and respond to future attempts at masquerading or defense evasion."""
 [[rule.threat]]
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
index 831a135ef..22b4da659 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
@@ -2,26 +2,59 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/19"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
 A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit
-unusually high malicious probability scores.These process(es) have been classified as malicious in several ways. The process(es)
-were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
-processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be
-unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
-involving LOLbins, that may be resistant to detection using conventional search rules.
+unusually high malicious probability scores.These process(es) have been classified as malicious in several ways. The
+process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of
+suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated
+to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity,
+possibly involving LOLbins, that may be resistant to detection using conventional search rules.
 """
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_high_sum_by_host"
 name = "Host Detected with Suspicious Windows Process(es)"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Host Detected with Suspicious Windows Process(es)
+
+The detection leverages machine learning to identify clusters of Windows processes with high malicious probability scores. Adversaries exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters on a single host, indicating potential masquerading tactics for defense evasion.
+
+### Possible investigation steps
+
+- Review the host name associated with the suspicious process cluster to determine if it is a critical asset or has a history of similar alerts.
+- Examine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins or unusual command-line arguments that may indicate masquerading.
+- Check the timeline of the process execution to see if it coincides with any known scheduled tasks or user activity that could explain the anomaly.
+- Investigate the parent-child relationship of the processes to identify any unexpected or unauthorized process spawning patterns.
+- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activity.
+- Assess the network activity associated with the host during the time of the alert to detect any potential data exfiltration or communication with known malicious IP addresses.
+
+### False positive analysis
+
+- Legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) may be flagged as suspicious due to their dual-use nature. Users can create exceptions for these tools when used by trusted administrators or during scheduled maintenance.
+- Automated scripts or scheduled tasks that perform routine system checks or updates might trigger alerts. Review these processes and whitelist them if they are verified as part of regular operations.
+- Software updates or installations that involve multiple processes spawning in a short time frame can be mistaken for malicious clusters. Ensure that these activities are documented and create exceptions for known update processes.
+- Development or testing environments where new or experimental software is frequently executed may generate false positives. Consider excluding these environments from monitoring or adjusting the sensitivity of the rule for these specific hosts.
+- Frequent use of remote desktop or remote management tools by IT staff can appear suspicious. Implement user-based exceptions for known IT personnel to reduce unnecessary alerts.
+
+### Response and remediation
+
+- Isolate the affected host immediately to prevent further spread of potential malicious activity. Disconnect it from the network to contain the threat.
+- Terminate the suspicious processes identified by the alert. Use task management tools or scripts to ensure all instances of the processes are stopped.
+- Conduct a thorough review of the host's system logs and process history to identify any additional indicators of compromise or related malicious activity.
+- Restore the host from a known good backup if available, ensuring that the backup is free from any signs of compromise.
+- Update and patch the host's operating system and all installed software to close any vulnerabilities that may have been exploited.
+- Implement application whitelisting to prevent unauthorized or suspicious processes from executing in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional hosts are affected."""
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 "https://docs.elastic.co/en/integrations/problemchild",
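Review bot: The re-wrapped description line `+unusually high malicious probability scores.These process(es) have been classified as malicious in several ways. The` still lacks the space after `scores.`; since the rewrap already rewrites this line, it should read `scores. These process(es) have been classified as malicious in several ways. The`. The same run-on is on the removed side, so it is pre-existing, but carrying it into the new wrapping keeps the typo in the rule description and in anything generated from it.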
@@ -58,41 +91,6 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Host Detected with Suspicious Windows Process(es)
-
-The detection leverages machine learning to identify clusters of Windows processes with high malicious probability scores. Adversaries exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters on a single host, indicating potential masquerading tactics for defense evasion.
-
-### Possible investigation steps
-
-- Review the host name associated with the suspicious process cluster to determine if it is a critical asset or has a history of similar alerts.
-- Examine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins or unusual command-line arguments that may indicate masquerading.
-- Check the timeline of the process execution to see if it coincides with any known scheduled tasks or user activity that could explain the anomaly.
-- Investigate the parent-child relationship of the processes to identify any unexpected or unauthorized process spawning patterns.
-- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activity.
-- Assess the network activity associated with the host during the time of the alert to detect any potential data exfiltration or communication with known malicious IP addresses.
- -### False positive analysis - -- Legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) may be flagged as suspicious due to their dual-use nature. Users can create exceptions for these tools when used by trusted administrators or during scheduled maintenance. -- Automated scripts or scheduled tasks that perform routine system checks or updates might trigger alerts. Review these processes and whitelist them if they are verified as part of regular operations. -- Software updates or installations that involve multiple processes spawning in a short time frame can be mistaken for malicious clusters. Ensure that these activities are documented and create exceptions for known update processes. -- Development or testing environments where new or experimental software is frequently executed may generate false positives. Consider excluding these environments from monitoring or adjusting the sensitivity of the rule for these specific hosts. -- Frequent use of remote desktop or remote management tools by IT staff can appear suspicious. Implement user-based exceptions for known IT personnel to reduce unnecessary alerts. - -### Response and remediation - -- Isolate the affected host immediately to prevent further spread of potential malicious activity. Disconnect it from the network to contain the threat. -- Terminate the suspicious processes identified by the alert. Use task management tools or scripts to ensure all instances of the processes are stopped. -- Conduct a thorough review of the host's system logs and process history to identify any additional indicators of compromise or related malicious activity. -- Restore the host from a known good backup if available, ensuring that the backup is free from any signs of compromise. -- Update and patch the host's operating system and all installed software to close any vulnerabilities that may have been exploited. 
-- Implement application whitelisting to prevent unauthorized or suspicious processes from executing in the future.
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional hosts are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
index 8216d5e73..7b94ae3ca 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
@@ -2,26 +2,59 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/19"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job combination has identified a parent process with one or more suspicious Windows processes that exhibit
-unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The process(es)
-were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
-processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to
-be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
-involving LOLbins, that may be resistant to detection using conventional search rules.
+A machine learning job combination has identified a parent process with one or more suspicious Windows processes that
+exhibit unusually high malicious probability scores. These process(es) have been classified as malicious in several
+ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a
+cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event
+cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or
+malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
""" from = "now-45m" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_parent" name = "Parent Process Detected with Suspicious Windows Process(es)" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Parent Process Detected with Suspicious Windows Process(es) + +In Windows environments, processes are often spawned by parent processes, forming a hierarchy. Adversaries exploit this by using legitimate processes to launch malicious ones, often leveraging Living off the Land Binaries (LOLBins) to evade detection. The detection rule employs machine learning to identify clusters of processes with high malicious probability, focusing on those sharing a common parent process. This approach helps uncover stealthy attacks that traditional methods might miss, enhancing defense against tactics like masquerading. + +### Possible investigation steps + +- Review the parent process name associated with the suspicious process cluster to identify if it is a known legitimate process or a potential masquerading attempt. +- Examine the command line arguments and execution context of the suspicious processes to identify any use of LOLBins or unusual patterns that could indicate malicious activity. +- Check the process creation timestamps and correlate them with any known events or user activities to determine if the process execution aligns with expected behavior. +- Investigate the network activity of the suspicious processes to identify any unusual outbound connections or data exfiltration attempts. 
+- Analyze the user account context under which the suspicious processes were executed to determine if there is any indication of compromised credentials or privilege escalation. +- Cross-reference the detected processes with threat intelligence sources to identify any known indicators of compromise or related threat actor activity. + +### False positive analysis + +- Legitimate administrative tools may trigger false positives if they frequently spawn processes that resemble malicious activity. Users can create exceptions for known safe tools by whitelisting their parent process names. +- Software updates or installations often generate clusters of processes that might be flagged as suspicious. Users should monitor these activities and exclude them if they are verified as legitimate. +- Automated scripts or batch jobs that run regularly and spawn multiple processes can be mistaken for malicious clusters. Identifying these scripts and excluding their parent processes can reduce false positives. +- Security software or monitoring tools that perform regular scans or updates might mimic malicious behavior. Users should ensure these tools are recognized and excluded from the rule's scope. +- Custom business applications that are not widely recognized might be flagged. Users should document and exclude these applications if they are confirmed to be safe and necessary for operations. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity. +- Terminate the suspicious processes identified by the alert to stop any malicious actions they may be performing. +- Conduct a thorough review of the parent process and its associated binaries to ensure they have not been tampered with or replaced by malicious versions. +- Restore any affected files or system components from a known good backup to ensure system integrity and functionality. 
+- Update and patch the system to close any vulnerabilities that may have been exploited by the adversary, focusing on those related to LOLBins and masquerading techniques. +- Monitor the system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", 
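Review bot: Dropping `min_stack_version = "8.14.0"` together with its `min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."` line removes the only guard that kept this rule out of packages built for stacks older than 8.14, and nothing in the hunk says why that floor is no longer needed. If the reason is that every branch still being packaged is 8.14 or newer, that is presumably fine, but it should be stated in the commit message, or the field kept, so a later backport cannot silently ship the rule to a stack where the Windows integration change still bites; the same removal appears in the sibling user-keyed ProblemChild rule and in the metadata-service rule in this commit. Separately, the new `note` lists `Terminate the suspicious processes` before any evidence collection, and for an ML cluster alert the live process tree is the main artefact, so consider a preceding bullet such as `- Before terminating anything, capture volatile evidence (process tree, command lines, open network connections, and a memory image where policy allows); killing the processes first destroys the context the analyst needs.`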
@@ -60,41 +93,6 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Parent Process Detected with Suspicious Windows Process(es)
-
-In Windows environments, processes are often spawned by parent processes, forming a hierarchy. Adversaries exploit this by using legitimate processes to launch malicious ones, often leveraging Living off the Land Binaries (LOLBins) to evade detection. The detection rule employs machine learning to identify clusters of processes with high malicious probability, focusing on those sharing a common parent process. This approach helps uncover stealthy attacks that traditional methods might miss, enhancing defense against tactics like masquerading.
-
-### Possible investigation steps
-
-- Review the parent process name associated with the suspicious process cluster to identify if it is a known legitimate process or a potential masquerading attempt.
-- Examine the command line arguments and execution context of the suspicious processes to identify any use of LOLBins or unusual patterns that could indicate malicious activity.
-- Check the process creation timestamps and correlate them with any known events or user activities to determine if the process execution aligns with expected behavior.
-- Investigate the network activity of the suspicious processes to identify any unusual outbound connections or data exfiltration attempts.
-- Analyze the user account context under which the suspicious processes were executed to determine if there is any indication of compromised credentials or privilege escalation.
-- Cross-reference the detected processes with threat intelligence sources to identify any known indicators of compromise or related threat actor activity. - -### False positive analysis - -- Legitimate administrative tools may trigger false positives if they frequently spawn processes that resemble malicious activity. Users can create exceptions for known safe tools by whitelisting their parent process names. -- Software updates or installations often generate clusters of processes that might be flagged as suspicious. Users should monitor these activities and exclude them if they are verified as legitimate. -- Automated scripts or batch jobs that run regularly and spawn multiple processes can be mistaken for malicious clusters. Identifying these scripts and excluding their parent processes can reduce false positives. -- Security software or monitoring tools that perform regular scans or updates might mimic malicious behavior. Users should ensure these tools are recognized and excluded from the rule's scope. -- Custom business applications that are not widely recognized might be flagged. Users should document and exclude these applications if they are confirmed to be safe and necessary for operations. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity. -- Terminate the suspicious processes identified by the alert to stop any malicious actions they may be performing. -- Conduct a thorough review of the parent process and its associated binaries to ensure they have not been tampered with or replaced by malicious versions. -- Restore any affected files or system components from a known good backup to ensure system integrity and functionality. -- Update and patch the system to close any vulnerabilities that may have been exploited by the adversary, focusing on those related to LOLBins and masquerading techniques. 
-- Monitor the system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
index 64d44f497..a5b82dcbb 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -2,26 +2,59 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2025/03/19" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ A machine learning job combination has identified a user with one or more suspicious Windows processes that exhibit -unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The process(es) -were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious -processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be -unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly -involving LOLbins, that may be resistant to detection using conventional search rules. +unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The +process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of +suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated +to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, +possibly involving LOLbins, that may be resistant to detection using conventional search rules. """ from = "now-45m" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_user" name = "User Detected with Suspicious Windows Process(es)" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating User Detected with Suspicious Windows Process(es) + +The detection leverages machine learning to identify clusters of Windows processes with high malicious probability, often linked to tactics like masquerading. Adversaries exploit legitimate tools (LOLBins) to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters, focusing on user-associated anomalies to uncover potential threats. + +### Possible investigation steps + +- Review the list of processes flagged by the alert to identify any known legitimate applications or tools that might have been misclassified. +- Investigate the user account associated with the suspicious process cluster to determine if there is any history of unusual activity or if the account has been compromised. +- Examine the parent-child relationship of the processes to understand the execution chain and identify any potential masquerading attempts or use of LOLBins. +- Check for any recent changes or updates to the system that might explain the unusual process behavior, such as software installations or updates. +- Correlate the detected processes with any known indicators of compromise (IOCs) or threat intelligence feeds to assess if they are linked to known malicious activity. +- Analyze the network activity associated with the processes to identify any suspicious outbound connections or data exfiltration attempts. + +### False positive analysis + +- Legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) may trigger false positives due to their frequent use in system management. Users can create exceptions for these tools when used by trusted administrators. +- Software updates or installations often involve processes that mimic suspicious behavior. 
Exclude these processes by identifying and whitelisting update-related activities from known software vendors. +- Automated scripts or scheduled tasks that perform routine maintenance can be misclassified as malicious. Review and whitelist these tasks if they are part of regular system operations. +- Development environments may spawn multiple processes that resemble malicious clusters. Developers should document and exclude these processes when they are part of legitimate development activities. +- Security software or monitoring tools might generate process clusters that appear suspicious. Ensure these tools are recognized and excluded from analysis to prevent false alerts. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of potential malicious activity. +- Terminate the suspicious processes identified by the alert to halt any ongoing malicious actions. +- Conduct a thorough review of the affected user's account for any unauthorized access or changes, and reset credentials if necessary. +- Analyze the use of any identified LOLBins to determine if they were used maliciously and restrict their execution through application whitelisting or policy adjustments. +- Collect and preserve relevant logs and forensic data from the affected system for further analysis and to aid in understanding the scope of the incident. +- Escalate the incident to the security operations center (SOC) or incident response team for a deeper investigation and to determine if additional systems are compromised. +- Implement enhanced monitoring and detection rules to identify similar patterns of behavior in the future, focusing on the specific tactics and techniques used in this incident.""" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", 
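Review bot: The `Response and remediation` list in the new `note` terminates the suspicious processes two bullets before it reaches `Collect and preserve relevant logs and forensic data`, which discards the volatile evidence (process tree, command lines, open connections) that this cluster alert is built from; move the preservation bullet ahead of the termination bullet, or prefix the list with `- Capture volatile evidence (process tree, command lines, open connections, memory image where policy allows) before terminating anything.` The false-positive guidance also suggests creating exceptions for PowerShell and WMI `when used by trusted administrators`; because `machine_learning_job_id = "problem_child_high_sum_by_user"` aggregates by user name, a per-account exception silences the rule for exactly the privileged accounts an attacker most wants to hijack, so the guide should say to scope exceptions to a specific parent process and command-line pattern rather than to an account. Since the alert is keyed on the user, an investigation step such as `- Check whether the same account was active on other hosts during the anomaly window; a user-keyed cluster can span machines.` would let an analyst scope lateral movement before escalating.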
@@ -60,41 +93,6 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating User Detected with Suspicious Windows Process(es)
-
-The detection leverages machine learning to identify clusters of Windows processes with high malicious probability, often linked to tactics like masquerading. Adversaries exploit legitimate tools (LOLBins) to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters, focusing on user-associated anomalies to uncover potential threats.
-
-### Possible investigation steps
-
-- Review the list of processes flagged by the alert to identify any known legitimate applications or tools that might have been misclassified.
-- Investigate the user account associated with the suspicious process cluster to determine if there is any history of unusual activity or if the account has been compromised.
-- Examine the parent-child relationship of the processes to understand the execution chain and identify any potential masquerading attempts or use of LOLBins.
-- Check for any recent changes or updates to the system that might explain the unusual process behavior, such as software installations or updates.
-- Correlate the detected processes with any known indicators of compromise (IOCs) or threat intelligence feeds to assess if they are linked to known malicious activity.
-- Analyze the network activity associated with the processes to identify any suspicious outbound connections or data exfiltration attempts.
- -### False positive analysis - -- Legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) may trigger false positives due to their frequent use in system management. Users can create exceptions for these tools when used by trusted administrators. -- Software updates or installations often involve processes that mimic suspicious behavior. Exclude these processes by identifying and whitelisting update-related activities from known software vendors. -- Automated scripts or scheduled tasks that perform routine maintenance can be misclassified as malicious. Review and whitelist these tasks if they are part of regular system operations. -- Development environments may spawn multiple processes that resemble malicious clusters. Developers should document and exclude these processes when they are part of legitimate development activities. -- Security software or monitoring tools might generate process clusters that appear suspicious. Ensure these tools are recognized and excluded from analysis to prevent false alerts. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of potential malicious activity. -- Terminate the suspicious processes identified by the alert to halt any ongoing malicious actions. -- Conduct a thorough review of the affected user's account for any unauthorized access or changes, and reset credentials if necessary. -- Analyze the use of any identified LOLBins to determine if they were used maliciously and restrict their execution through application whitelisting or policy adjustments. -- Collect and preserve relevant logs and forensic data from the affected system for further analysis and to aid in understanding the scope of the incident. -- Escalate the incident to the security operations center (SOC) or incident response team for a deeper investigation and to determine if additional systems are compromised. 
-- Implement enhanced monitoring and detection rules to identify similar patterns of behavior in the future, focusing on the specific tactics and techniques used in this incident."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
index d262945a7..999853954 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 anomaly_threshold = 50
@@ -24,6 +22,42 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_rare_metadata_process"] name = "Unusual Windows Process Calling the Metadata Service" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Windows Process Calling the Metadata Service + +In cloud environments, the metadata service provides essential instance information, including credentials and configuration data. Adversaries may exploit this by using atypical Windows processes to access the service, aiming to extract sensitive information. The detection rule leverages machine learning to identify anomalies in process behavior, flagging potential credential access attempts by unusual processes. + +### Possible investigation steps + +- Review the process name and command line arguments associated with the alert to identify any unusual or suspicious activity. +- Check the parent process of the flagged process to understand the context of how it was initiated and assess if it aligns with expected behavior. +- Investigate the user account under which the process was executed to determine if it has legitimate access to the metadata service or if it has been compromised. +- Analyze network logs to identify any outbound connections to the metadata service from the flagged process, noting any unusual patterns or destinations. +- Cross-reference the process and user activity with recent changes or deployments in the environment to rule out false positives related to legitimate administrative actions. 
+- Consult threat intelligence sources to see if the process or command line arguments have been associated with known malicious activity or campaigns. + +### False positive analysis + +- Routine system updates or maintenance scripts may trigger the rule. Review the process details and verify if they align with scheduled maintenance activities. If confirmed, consider adding these processes to an exception list. +- Legitimate software or security tools that access the metadata service for configuration purposes might be flagged. Identify these tools and create exceptions for their known processes to prevent future alerts. +- Automated backup or monitoring solutions that interact with the metadata service could be misidentified as threats. Validate these processes and exclude them if they are part of authorized operations. +- Custom scripts developed in-house for cloud management tasks may access the metadata service. Ensure these scripts are documented and, if safe, add them to the list of exceptions to reduce false positives. + +### Response and remediation + +- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate the unusual process accessing the metadata service to stop any ongoing credential harvesting attempts. +- Conduct a thorough review of the system's event logs and process history to identify any additional indicators of compromise or related malicious activity. +- Change all credentials that may have been exposed or accessed through the metadata service to mitigate the risk of unauthorized access. +- Implement network segmentation to limit access to the metadata service, ensuring only authorized processes and users can interact with it. +- Escalate the incident to the security operations center (SOC) for further analysis and to determine if the threat is part of a larger attack campaign. 
+- Update and enhance endpoint detection and response (EDR) solutions to improve monitoring and alerting for similar anomalous process behaviors in the future.""" +risk_score = 21 +rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b" setup = """## Setup This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: @@ -68,8 +102,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - Click “Save and Continue”. - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ -risk_score = 21 -rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b" severity = "low" tags = [ "Domain: Endpoint", 
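Review bot: The remediation bullet `Implement network segmentation to limit access to the metadata service` in the new `note` does not match how an instance metadata service is reached: it is a link-local endpoint answered only from inside the instance, so segmenting the network between hosts does not change what a process on that instance can fetch. The controls that actually block the technique are provider-side hardening and host-local policy, so consider replacing the bullet with `- Enforce the token-based metadata service version (for example IMDSv2 with a hop limit of 1 on AWS, or the header-required equivalent on other clouds) and restrict which local accounts can reach the link-local metadata address; network segmentation between hosts does not limit this access.` The bullet `Change all credentials that may have been exposed` should also name the concrete asset, the instance role's temporary credentials, and tell the responder to revoke or rotate that role and to review cloud audit logs for use of those credentials from addresses other than the instance, since that is where an adversary who harvested them would surface. The rule names no provider, so keep the wording provider-neutral with the AWS term given only as an example.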
@@ -81,40 +113,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Windows Process Calling the Metadata Service - -In cloud environments, the metadata service provides essential instance information, including credentials and configuration data. Adversaries may exploit this by using atypical Windows processes to access the service, aiming to extract sensitive information. The detection rule leverages machine learning to identify anomalies in process behavior, flagging potential credential access attempts by unusual processes. - -### Possible investigation steps - -- Review the process name and command line arguments associated with the alert to identify any unusual or suspicious activity. -- Check the parent process of the flagged process to understand the context of how it was initiated and assess if it aligns with expected behavior. -- Investigate the user account under which the process was executed to determine if it has legitimate access to the metadata service or if it has been compromised. -- Analyze network logs to identify any outbound connections to the metadata service from the flagged process, noting any unusual patterns or destinations. -- Cross-reference the process and user activity with recent changes or deployments in the environment to rule out false positives related to legitimate administrative actions. -- Consult threat intelligence sources to see if the process or command line arguments have been associated with known malicious activity or campaigns. 
- -### False positive analysis - -- Routine system updates or maintenance scripts may trigger the rule. Review the process details and verify if they align with scheduled maintenance activities. If confirmed, consider adding these processes to an exception list. -- Legitimate software or security tools that access the metadata service for configuration purposes might be flagged. Identify these tools and create exceptions for their known processes to prevent future alerts. -- Automated backup or monitoring solutions that interact with the metadata service could be misidentified as threats. Validate these processes and exclude them if they are part of authorized operations. -- Custom scripts developed in-house for cloud management tasks may access the metadata service. Ensure these scripts are documented and, if safe, add them to the list of exceptions to reduce false positives. - -### Response and remediation - -- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate the unusual process accessing the metadata service to stop any ongoing credential harvesting attempts. -- Conduct a thorough review of the system's event logs and process history to identify any additional indicators of compromise or related malicious activity. -- Change all credentials that may have been exposed or accessed through the metadata service to mitigate the risk of unauthorized access. -- Implement network segmentation to limit access to the metadata service, ensuring only authorized processes and users can interact with it. -- Escalate the incident to the security operations center (SOC) for further analysis and to determine if the threat is part of a larger attack campaign. -- Update and enhance endpoint detection and response (EDR) solutions to improve monitoring and alerting for similar anomalous process behaviors in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index 5c56c751c..885dc3a82 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 75
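Review bot: Removing `min_stack_version = "8.14.0"` together with `min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."` leaves nothing in the rule's metadata recording that the Windows integration fields it relies on changed at 8.14.0, and the hunk only bumps `updated_date` in return. Presumably this is safe because every branch this rule is still backported to is at or above 8.14.0, but that rationale is not visible here and should be stated in the commit description, and the loader's default minimum stack should be confirmed to be at least 8.14.0 before the pin is dropped. If that is not the case, keep the two lines as they were. The identical hunk appears in execution_ml_windows_anomalous_script.toml, initial_access_ml_windows_anomalous_user_name.toml, initial_access_ml_windows_rare_user_type10_remote_login.toml, ml_windows_anomalous_network_activity.toml and persistence_ml_rare_process_by_host_windows.toml, and this note applies to each of them.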
@@ -24,6 +22,44 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_rare_metadata_user"]
 name = "Unusual Windows User Calling the Metadata Service"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Windows User Calling the Metadata Service
+
+Cloud platforms provide a metadata service that allows instances to access configuration data, including credentials. Adversaries may exploit this by using compromised Windows accounts to query the service, aiming to harvest sensitive information. The detection rule leverages machine learning to identify atypical access patterns by Windows users, flagging potential credential access attempts.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific Windows user account involved in the unusual access to the metadata service.
+- Check the timestamp of the access attempt to correlate with any known scheduled tasks or legitimate user activities.
+- Investigate the source IP address and device from which the metadata service was accessed to determine if it aligns with expected user behavior or known assets.
+- Examine recent login and access logs for the identified user account to detect any other suspicious activities or anomalies.
+- Assess whether there have been any recent changes to the user's permissions or roles that could explain the access attempt.
+- Look for any other alerts or incidents involving the same user account or device to identify potential patterns of malicious behavior.
+- Consult with the user or their manager to verify if the access was legitimate or if the account may have been compromised.
+
+### False positive analysis
+
+- Routine administrative tasks by IT personnel may trigger alerts. Review access logs to confirm legitimate administrative actions and consider whitelisting specific user accounts or IP addresses.
+- Automated scripts or scheduled tasks that query the metadata service for configuration updates can be mistaken for suspicious activity. Identify these scripts and exclude them from the rule by adding them to an exception list.
+- Cloud management tools that regularly access the metadata service for monitoring or configuration purposes might be flagged. Verify these tools and create exceptions for their known access patterns.
+- Instances where legitimate software updates or patch management processes access the metadata service should be reviewed. Document these processes and exclude them from triggering alerts.
+- Temporary access by third-party vendors or consultants may appear unusual. Ensure their access is documented and create temporary exceptions during their engagement period.
+
+### Response and remediation
+
+- Immediately isolate the affected Windows system from the network to prevent further unauthorized access to the metadata service.
+- Revoke any potentially compromised credentials identified during the investigation and issue new credentials to affected users.
+- Conduct a thorough review of access logs to identify any unauthorized data access or exfiltration attempts from the metadata service.
+- Implement additional monitoring on the affected system and similar systems to detect any further anomalous access attempts.
+- Escalate the incident to the security operations center (SOC) for a deeper investigation into potential lateral movement or other compromised systems.
+- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
+- Review and enhance access controls and permissions for the metadata service to ensure only authorized users can access sensitive information."""
+risk_score = 21
+rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a"
 setup = """## Setup
 
 This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
@@ -68,8 +104,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat
 - Click “Save and Continue”.
 - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
 """
-risk_score = 21
-rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a"
 severity = "low"
 tags = [
 "Domain: Endpoint",
@@ -81,42 +115,6 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Windows User Calling the Metadata Service
-
-Cloud platforms provide a metadata service that allows instances to access configuration data, including credentials. Adversaries may exploit this by using compromised Windows accounts to query the service, aiming to harvest sensitive information. The detection rule leverages machine learning to identify atypical access patterns by Windows users, flagging potential credential access attempts.
-
-### Possible investigation steps
-
-- Review the alert details to identify the specific Windows user account involved in the unusual access to the metadata service.
-- Check the timestamp of the access attempt to correlate with any known scheduled tasks or legitimate user activities.
-- Investigate the source IP address and device from which the metadata service was accessed to determine if it aligns with expected user behavior or known assets.
-- Examine recent login and access logs for the identified user account to detect any other suspicious activities or anomalies.
-- Assess whether there have been any recent changes to the user's permissions or roles that could explain the access attempt.
-- Look for any other alerts or incidents involving the same user account or device to identify potential patterns of malicious behavior.
-- Consult with the user or their manager to verify if the access was legitimate or if the account may have been compromised.
-
-### False positive analysis
-
-- Routine administrative tasks by IT personnel may trigger alerts. Review access logs to confirm legitimate administrative actions and consider whitelisting specific user accounts or IP addresses.
-- Automated scripts or scheduled tasks that query the metadata service for configuration updates can be mistaken for suspicious activity. Identify these scripts and exclude them from the rule by adding them to an exception list.
-- Cloud management tools that regularly access the metadata service for monitoring or configuration purposes might be flagged. Verify these tools and create exceptions for their known access patterns.
-- Instances where legitimate software updates or patch management processes access the metadata service should be reviewed. Document these processes and exclude them from triggering alerts.
-- Temporary access by third-party vendors or consultants may appear unusual. Ensure their access is documented and create temporary exceptions during their engagement period.
-
-### Response and remediation
-
-- Immediately isolate the affected Windows system from the network to prevent further unauthorized access to the metadata service.
-- Revoke any potentially compromised credentials identified during the investigation and issue new credentials to affected users.
-- Conduct a thorough review of access logs to identify any unauthorized data access or exfiltration attempts from the metadata service.
-- Implement additional monitoring on the affected system and similar systems to detect any further anomalous access attempts.
-- Escalate the incident to the security operations center (SOC) for a deeper investigation into potential lateral movement or other compromised systems.
-- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
-- Review and enhance access controls and permissions for the metadata service to ensure only authorized users can access sensitive information."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
index b347de57f..af93615b6 100644
--- a/rules/ml/execution_ml_windows_anomalous_script.toml
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 50
@@ -24,6 +22,47 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_anomalous_script"]
 name = "Suspicious Powershell Script"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Powershell Script
+
+PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries often exploit its capabilities to execute malicious scripts, leveraging obfuscation to evade detection. The 'Suspicious Powershell Script' detection rule employs machine learning to identify unusual script characteristics, such as obfuscation, indicating potential threats. By analyzing these anomalies, the rule aids in early threat detection and mitigation.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific PowerShell script or command that triggered the detection, focusing on any obfuscated elements.
+- Examine the source endpoint and user account associated with the alert to determine if the activity aligns with expected behavior or if it appears suspicious.
+- Check the execution history on the affected endpoint for any other unusual or unauthorized PowerShell commands or scripts executed around the same time.
+- Investigate the network activity from the source endpoint to identify any connections to known malicious IP addresses or domains.
+- Correlate the alert with other security events or logs, such as antivirus alerts or firewall logs, to gather additional context and assess the potential impact.
+- Consult threat intelligence sources to determine if the detected script or its components are associated with known malware or attack campaigns.
+
+### False positive analysis
+
+- Legitimate administrative scripts may trigger the rule due to obfuscation techniques used for efficiency or security. Review the script's purpose and source to determine its legitimacy.
+- Automated deployment tools often use PowerShell scripts that appear obfuscated. Identify and whitelist these tools to prevent unnecessary alerts.
+- Security software updates might use obfuscated scripts for protection against tampering. Verify the update source and add exceptions for known trusted vendors.
+- Custom scripts developed in-house for specific tasks may use obfuscation for intellectual property protection. Document and exclude these scripts after confirming their safety.
+- Regularly review and update the list of exceptions to ensure that only verified non-threatening scripts are excluded, maintaining the effectiveness of the detection rule.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
+- Terminate any suspicious PowerShell processes identified on the affected system to halt the execution of potentially harmful scripts.
+- Conduct a thorough review of the PowerShell script logs and execution history on the affected system to identify any unauthorized or malicious commands executed.
+- Restore the affected system from a known good backup if any malicious activity is confirmed, ensuring that the backup is free from compromise.
+- Update and patch the affected system to the latest security standards to close any vulnerabilities that may have been exploited.
+- Implement enhanced monitoring for PowerShell activity across the network, focusing on detecting obfuscation and unusual script characteristics.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
 setup = """## Setup
 
 This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
@@ -68,12 +107,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat
 - Click “Save and Continue”.
 - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
-]
-risk_score = 21
-rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
 severity = "low"
 tags = [
 "Domain: Endpoint",
@@ -85,41 +118,6 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Powershell Script
-
-PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries often exploit its capabilities to execute malicious scripts, leveraging obfuscation to evade detection. The 'Suspicious Powershell Script' detection rule employs machine learning to identify unusual script characteristics, such as obfuscation, indicating potential threats. By analyzing these anomalies, the rule aids in early threat detection and mitigation.
-
-### Possible investigation steps
-
-- Review the alert details to identify the specific PowerShell script or command that triggered the detection, focusing on any obfuscated elements.
-- Examine the source endpoint and user account associated with the alert to determine if the activity aligns with expected behavior or if it appears suspicious.
-- Check the execution history on the affected endpoint for any other unusual or unauthorized PowerShell commands or scripts executed around the same time.
-- Investigate the network activity from the source endpoint to identify any connections to known malicious IP addresses or domains.
-- Correlate the alert with other security events or logs, such as antivirus alerts or firewall logs, to gather additional context and assess the potential impact.
-- Consult threat intelligence sources to determine if the detected script or its components are associated with known malware or attack campaigns.
-
-### False positive analysis
-
-- Legitimate administrative scripts may trigger the rule due to obfuscation techniques used for efficiency or security. Review the script's purpose and source to determine its legitimacy.
-- Automated deployment tools often use PowerShell scripts that appear obfuscated. Identify and whitelist these tools to prevent unnecessary alerts.
-- Security software updates might use obfuscated scripts for protection against tampering. Verify the update source and add exceptions for known trusted vendors.
-- Custom scripts developed in-house for specific tasks may use obfuscation for intellectual property protection. Document and exclude these scripts after confirming their safety.
-- Regularly review and update the list of exceptions to ensure that only verified non-threatening scripts are excluded, maintaining the effectiveness of the detection rule.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
-- Terminate any suspicious PowerShell processes identified on the affected system to halt the execution of potentially harmful scripts.
-- Conduct a thorough review of the PowerShell script logs and execution history on the affected system to identify any unauthorized or malicious commands executed.
-- Restore the affected system from a known good backup if any malicious activity is confirmed, ensuring that the backup is free from compromise.
-- Update and patch the affected system to the latest security standards to close any vulnerabilities that may have been exploited.
-- Implement enhanced monitoring for PowerShell activity across the network, focusing on detecting obfuscation and unusual script characteristics.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index c57a450b4..e0e85483f 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/17"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 50
@@ -30,6 +28,17 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_anomalous_user_name"]
 name = "Unusual Windows Username"
+note = """## Triage and analysis
+
+### Investigating Unusual Windows Username
+Detection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:
+- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?
+- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.
+- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.
+- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious."""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5"
 setup = """## Setup
 
 This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
@@ -74,17 +83,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat
 - Click “Save and Continue”.
 - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
 """
-note = """## Triage and analysis
-
-### Investigating Unusual Windows Username
-Detection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:
-- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?
-- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.
-- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.
-- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious."""
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5"
 severity = "low"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
index f283dc1c6..b4a53fb62 100644
--- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/17"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 50
@@ -25,6 +23,15 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_rare_user_type10_remote_login"]
 name = "Unusual Windows Remote User"
+note = """## Triage and analysis
+
+### Investigating Unusual Windows Remote User
+Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
+- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
+- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
 setup = """## Setup
 
 This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
@@ -69,15 +76,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat
 - Click “Save and Continue”.
 - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
 """
-note = """## Triage and analysis
-
-### Investigating Unusual Windows Remote User
-Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
-- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
-- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
 severity = "low"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 144f452f5..1aa718774 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/17"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 anomaly_threshold = 50
@@ -22,6 +20,20 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_network_activity"] name = "Unusual Windows Network Activity" +note = """## Triage and analysis + +### Investigating Unusual Windows Network Activity +Detection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation: +- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? +- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses. +- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program? +- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. +- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. 
+- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.""" +references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc" setup = """## Setup This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: 
@@ -66,20 +78,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat
 - Click “Save and Continue”.
 - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
 """
-note = """## Triage and analysis
-
-### Investigating Unusual Windows Network Activity
-Detection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:
-- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?
-- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.
-- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?
-- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.
-- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
-- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
-- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools."""
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc"
 severity = "low"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
index 4c1b8cae6..019072788 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
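Review bot: Dropping `min_stack_version = "8.14.0"` together with `min_stack_comments` removes the only guard that kept this rule off stacks below 8.14, where the removed comment says the Windows integration change breaks it; this is presumably safe because 8.13 no longer appears to be a supported branch in this commit, but the rule itself no longer records that floor anywhere. If the package is ever rebuilt for an older branch, the rule would load without the gate the comment warned about. If the repository's TOML writer preserves comments, consider keeping a one-line comment in `[metadata]` such as `# Windows integration breaking change at 8.14.0; assumes the supported stack floor is >= 8.14.0`. The same removal appears in the `@@ -2,9 +2,7 @@` hunks of persistence_ml_windows_anomalous_path_activity.toml and persistence_ml_windows_anomalous_process_all_hosts.toml and in the `@@ -1,10 +1,8 @@` hunk of persistence_ml_windows_anomalous_process_creation.toml.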
@@ -51,50 +49,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_rare_process_by_host_windows"]
 name = "Unusual Process For a Windows Host"
-setup = """## Setup
-
-This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
-- Elastic Defend
-- Windows
-
-### Anomaly Detection Setup
-
-Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
-
-### Elastic Defend Integration Setup
-Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
-
-#### Prerequisite Requirements:
-- Fleet is required for Elastic Defend.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-
-#### The following steps should be executed in order to add the Elastic Defend integration to your system:
-- Go to the Kibana home page and click "Add integrations".
-- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
-- Click "Add Elastic Defend".
-- Configure the integration name and optionally add a description.
-- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
-- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
-- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
-- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
-For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
-- Click "Save and Continue".
-- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
-For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
-### Windows Integration Setup
-The Windows integration allows you to monitor the Windows OS, services, applications, and more.
-
-#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
-- Go to the Kibana home page and click “Add integrations”.
-- In the query bar, search for “Windows” and select the integration to see more details about it.
-- Click “Add Windows”.
-- Configure the integration name and optionally add a description.
-- Review optional and advanced settings accordingly.
-- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
-- Click “Save and Continue”.
-- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
-"""
 note = """## Triage and analysis
 ### Investigating Unusual Process For a Windows Host
@@ -159,6 +113,50 @@ This rule uses a machine learning job to detect a Windows process that is rare a
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset.
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 severity = "low"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
index 413b60866..ce8453a68 100644
--- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 anomaly_threshold = 50
@@ -27,6 +25,44 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_anomalous_path_activity"]
 name = "Unusual Windows Path Activity"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Windows Path Activity
+
+In corporate Windows environments, software is typically managed centrally, making execution from user or temporary directories uncommon. Adversaries exploit this by running malware from these atypical paths, bypassing standard security measures. The 'Unusual Windows Path Activity' detection rule leverages machine learning to identify such anomalies, flagging potential persistence or execution tactics used by attackers.
+
+### Possible investigation steps
+
+- Review the process name and path to determine if it is a known legitimate application or a suspicious executable.
+- Check the parent process to understand how the process was initiated and if it correlates with expected user behavior or known software installations.
+- Investigate the user account associated with the process execution to verify if the activity aligns with their typical usage patterns or if it appears anomalous.
+- Examine the file hash of the executable to see if it matches known malware signatures or if it has been flagged by any threat intelligence sources.
+- Look into recent file modifications or creations in the directory from which the process was executed to identify any additional suspicious files or scripts.
+- Analyze network connections initiated by the process to detect any unusual or unauthorized external communications.
+
+### False positive analysis
+
+- Software updates or installations by IT staff can trigger alerts when executed from temporary directories. To manage this, create exceptions for known IT processes or scripts that are regularly used for legitimate software deployment.
+- Some legitimate applications may temporarily execute components from user directories during updates or initial setup. Identify these applications and add them to an allowlist to prevent unnecessary alerts.
+- Developers or power users might run scripts or applications from non-standard directories for testing purposes. Establish a policy to document and approve such activities, and configure exceptions for these known cases.
+- Automated tasks or scripts that are scheduled to run from user directories can be mistaken for malicious activity. Review and document these tasks, then configure the detection rule to exclude them from triggering alerts.
+- Security tools or monitoring software might execute diagnostic or remediation scripts from temporary paths. Verify these activities and add them to an exception list to avoid false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of potential malware and unauthorized access.
+- Terminate any suspicious processes identified as running from atypical directories to halt malicious activity.
+- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious files.
+- Review and restore any modified system processes or configurations to their original state to ensure system integrity.
+- Collect and preserve relevant logs and evidence for further analysis and potential escalation to the incident response team.
+- Escalate the incident to the security operations center (SOC) or incident response team if the threat persists or if there is evidence of broader compromise.
+- Implement application whitelisting to prevent unauthorized execution of software from user or temporary directories in the future."""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5"
 setup = """## Setup
 This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
@@ -71,9 +107,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat
 - Click “Save and Continue”.
 - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
 """
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5"
 severity = "low"
 tags = [
 "Domain: Endpoint",
@@ -86,41 +119,6 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Windows Path Activity
-
-In corporate Windows environments, software is typically managed centrally, making execution from user or temporary directories uncommon. Adversaries exploit this by running malware from these atypical paths, bypassing standard security measures. The 'Unusual Windows Path Activity' detection rule leverages machine learning to identify such anomalies, flagging potential persistence or execution tactics used by attackers.
-
-### Possible investigation steps
-
-- Review the process name and path to determine if it is a known legitimate application or a suspicious executable.
-- Check the parent process to understand how the process was initiated and if it correlates with expected user behavior or known software installations.
-- Investigate the user account associated with the process execution to verify if the activity aligns with their typical usage patterns or if it appears anomalous.
-- Examine the file hash of the executable to see if it matches known malware signatures or if it has been flagged by any threat intelligence sources.
-- Look into recent file modifications or creations in the directory from which the process was executed to identify any additional suspicious files or scripts.
-- Analyze network connections initiated by the process to detect any unusual or unauthorized external communications.
-
-### False positive analysis
-
-- Software updates or installations by IT staff can trigger alerts when executed from temporary directories.
To manage this, create exceptions for known IT processes or scripts that are regularly used for legitimate software deployment.
-- Some legitimate applications may temporarily execute components from user directories during updates or initial setup. Identify these applications and add them to an allowlist to prevent unnecessary alerts.
-- Developers or power users might run scripts or applications from non-standard directories for testing purposes. Establish a policy to document and approve such activities, and configure exceptions for these known cases.
-- Automated tasks or scripts that are scheduled to run from user directories can be mistaken for malicious activity. Review and document these tasks, then configure the detection rule to exclude them from triggering alerts.
-- Security tools or monitoring software might execute diagnostic or remediation scripts from temporary paths. Verify these activities and add them to an exception list to avoid false positives.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of potential malware and unauthorized access.
-- Terminate any suspicious processes identified as running from atypical directories to halt malicious activity.
-- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious files.
-- Review and restore any modified system processes or configurations to their original state to ensure system integrity.
-- Collect and preserve relevant logs and evidence for further analysis and potential escalation to the incident response team.
-- Escalate the incident to the security operations center (SOC) or incident response team if the threat persists or if there is evidence of broader compromise.
-- Implement application whitelisting to prevent unauthorized execution of software from user or temporary directories in the future."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
index 661a857bc..f9ada397b 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -51,50 +49,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_anomalous_process_all_hosts"]
 name = "Anomalous Process For a Windows Population"
-setup = """## Setup
-
-This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
-- Elastic Defend
-- Windows
-
-### Anomaly Detection Setup
-
-Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
-
-### Elastic Defend Integration Setup
-Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
-
-#### Prerequisite Requirements:
-- Fleet is required for Elastic Defend.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-
-#### The following steps should be executed in order to add the Elastic Defend integration to your system:
-- Go to the Kibana home page and click "Add integrations".
-- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
-- Click "Add Elastic Defend".
-- Configure the integration name and optionally add a description.
-- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
-- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
-- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
-- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
-For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
-- Click "Save and Continue".
-- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
-For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
-### Windows Integration Setup
-The Windows integration allows you to monitor the Windows OS, services, applications, and more.
-
-#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
-- Go to the Kibana home page and click “Add integrations”.
-- In the query bar, search for “Windows” and select the integration to see more details about it.
-- Click “Add Windows”.
-- Configure the integration name and optionally add a description.
-- Review optional and advanced settings accordingly.
-- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
-- Click “Save and Continue”.
-- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
-"""
 note = """## Triage and analysis
 ### Investigating Anomalous Process For a Windows Population
@@ -159,6 +113,50 @@ This rule uses a machine learning job to detect a Windows process that is rare a
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset.
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 severity = "low"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
index 9368ab82e..f498ba198 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -54,50 +52,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_anomalous_process_creation"]
 name = "Anomalous Windows Process Creation"
-setup = """## Setup
-
-This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
-- Elastic Defend
-- Windows
-
-### Anomaly Detection Setup
-
-Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
-
-### Elastic Defend Integration Setup
-Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
-
-#### Prerequisite Requirements:
-- Fleet is required for Elastic Defend.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-
-#### The following steps should be executed in order to add the Elastic Defend integration to your system:
-- Go to the Kibana home page and click "Add integrations".
-- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
-- Click "Add Elastic Defend".
-- Configure the integration name and optionally add a description.
-- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
-- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
-- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
-- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
-For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
-- Click "Save and Continue".
-- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
-For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
-### Windows Integration Setup
-The Windows integration allows you to monitor the Windows OS, services, applications, and more.
-
-#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
-- Go to the Kibana home page and click “Add integrations”.
-- In the query bar, search for “Windows” and select the integration to see more details about it.
-- Click “Add Windows”.
-- Configure the integration name and optionally add a description.
-- Review optional and advanced settings accordingly.
-- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
-- Click “Save and Continue”.
-- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
-"""
 note = """## Triage and analysis
 ### Investigating Anomalous Windows Process Creation
@@ -162,6 +116,50 @@ This rule uses a machine learning job to detect an anomalous Windows process wit references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" severity = "low" tags = [ "Domain: Endpoint", 
diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index 0c129a5b9..de8216621 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] anomaly_threshold = 50 
@@ -25,6 +23,44 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_service"] name = "Unusual Windows Service" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Windows Service + +Windows services are crucial for running background processes and applications. Adversaries exploit this by creating or modifying services to maintain persistence or execute unauthorized actions. The 'Unusual Windows Service' detection rule leverages machine learning to identify atypical services, flagging potential threats by comparing against known service patterns, thus aiding in early threat detection and response. + +### Possible investigation steps + +- Review the details of the detected unusual Windows service, including the service name, path, and any associated executables, to determine if it aligns with known legitimate services or appears suspicious. +- Check the creation and modification timestamps of the service to identify if it was recently added or altered, which could indicate unauthorized activity. +- Investigate the user account under which the service is running to assess if it has the necessary permissions and if the account has been compromised or misused. +- Cross-reference the service with known threat intelligence databases to see if it matches any known malware or persistence mechanisms. +- Analyze the network activity and connections associated with the service to identify any unusual or unauthorized communication patterns. 
+- Examine the host's event logs for any related entries that could provide additional context or evidence of malicious activity, such as failed login attempts or privilege escalation events. + +### False positive analysis + +- Legitimate software installations or updates may create new services that are flagged as unusual. Users should verify the source and purpose of the service before excluding it. +- Custom in-house applications often run unique services that can trigger alerts. Document these services and create exceptions to prevent future false positives. +- IT administrative tools might install services for management purposes. Confirm these tools are authorized and add them to an exception list if they are frequently flagged. +- Temporary services used for troubleshooting or testing can be mistaken for threats. Ensure these are removed after use or excluded if they are part of regular operations. +- Scheduled tasks that create services for specific operations might be flagged. Review these tasks and exclude them if they are part of normal business processes. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent potential lateral movement or data exfiltration by the unauthorized service. +- Terminate the unusual Windows service identified by the alert to stop any ongoing malicious activity. +- Conduct a thorough analysis of the service's executable and associated files to determine if they are malicious. Use endpoint detection and response (EDR) tools to assist in this analysis. +- Remove any malicious files or executables associated with the service from the system to ensure complete eradication of the threat. +- Restore the affected system from a known good backup if the service has caused significant changes or damage to the system. +- Monitor the system and network for any signs of re-infection or similar unusual service activity, using enhanced logging and alerting mechanisms. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures.""" +references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7" setup = """## Setup This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: @@ -69,9 +105,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - Click “Save and Continue”. - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ -references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] -risk_score = 21 -rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7" severity = "low" tags = [ "Domain: Endpoint", 
@@ -83,41 +116,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Windows Service - -Windows services are crucial for running background processes and applications. Adversaries exploit this by creating or modifying services to maintain persistence or execute unauthorized actions. The 'Unusual Windows Service' detection rule leverages machine learning to identify atypical services, flagging potential threats by comparing against known service patterns, thus aiding in early threat detection and response. - -### Possible investigation steps - -- Review the details of the detected unusual Windows service, including the service name, path, and any associated executables, to determine if it aligns with known legitimate services or appears suspicious. -- Check the creation and modification timestamps of the service to identify if it was recently added or altered, which could indicate unauthorized activity. -- Investigate the user account under which the service is running to assess if it has the necessary permissions and if the account has been compromised or misused. -- Cross-reference the service with known threat intelligence databases to see if it matches any known malware or persistence mechanisms. -- Analyze the network activity and connections associated with the service to identify any unusual or unauthorized communication patterns. -- Examine the host's event logs for any related entries that could provide additional context or evidence of malicious activity, such as failed login attempts or privilege escalation events. 
- -### False positive analysis - -- Legitimate software installations or updates may create new services that are flagged as unusual. Users should verify the source and purpose of the service before excluding it. -- Custom in-house applications often run unique services that can trigger alerts. Document these services and create exceptions to prevent future false positives. -- IT administrative tools might install services for management purposes. Confirm these tools are authorized and add them to an exception list if they are frequently flagged. -- Temporary services used for troubleshooting or testing can be mistaken for threats. Ensure these are removed after use or excluded if they are part of regular operations. -- Scheduled tasks that create services for specific operations might be flagged. Review these tasks and exclude them if they are part of normal business processes. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent potential lateral movement or data exfiltration by the unauthorized service. -- Terminate the unusual Windows service identified by the alert to stop any ongoing malicious activity. -- Conduct a thorough analysis of the service's executable and associated files to determine if they are malicious. Use endpoint detection and response (EDR) tools to assist in this analysis. -- Remove any malicious files or executables associated with the service from the system to ensure complete eradication of the threat. -- Restore the affected system from a known good backup if the service has caused significant changes or damage to the system. -- Monitor the system and network for any signs of re-infection or similar unusual service activity, using enhanced logging and alerting mechanisms. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures.""" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 17250cb6b..8485f372d 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] anomaly_threshold = 50 
@@ -25,6 +23,44 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_rare_user_runas_event"] name = "Unusual Windows User Privilege Elevation Activity" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Windows User Privilege Elevation Activity + +In Windows environments, privilege elevation tools like 'runas' allow users to execute programs with different user credentials, typically used by administrators. Adversaries exploit this to gain elevated access, often indicating account compromise. The detection rule leverages machine learning to identify atypical usage patterns of such tools, flagging potential unauthorized privilege escalation attempts. + +### Possible investigation steps + +- Review the specific user account involved in the alert to determine if it is a regular user or an administrator, as privilege elevation is more common among administrators. +- Check the timestamp of the alert to correlate with any known scheduled tasks or administrative activities that might explain the use of privilege elevation tools. +- Investigate the source IP address and device from which the privilege elevation attempt was made to verify if it aligns with the user's typical access patterns. +- Examine recent login activity for the user account to identify any unusual or unauthorized access attempts that could indicate account compromise. +- Look for any other security alerts or logs related to the same user or device around the time of the alert to gather additional context on potential malicious activity. 
+- Assess whether there have been any recent changes to user permissions or group memberships that could have facilitated the privilege elevation. + +### False positive analysis + +- Regular administrative tasks by domain or network administrators can trigger false positives. To manage this, create exceptions for known administrator accounts frequently using the runas command. +- Scheduled tasks or scripts that require privilege elevation might be flagged. Identify and exclude these tasks from monitoring if they are verified as safe and necessary for operations. +- Software updates or installations that require elevated privileges can also cause alerts. Maintain a list of approved software and update processes to exclude them from triggering the rule. +- Training or testing environments where privilege elevation is part of routine operations may generate false positives. Exclude these environments from the rule's scope to prevent unnecessary alerts. +- Third-party applications that use privilege elevation for legitimate purposes should be reviewed and, if deemed safe, added to an exception list to avoid repeated false positives. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. +- Revoke any elevated privileges granted to the compromised account and reset its password to prevent further misuse. +- Conduct a thorough review of recent activity logs for the affected account to identify any unauthorized actions or data access. +- Notify the security team and relevant stakeholders about the incident for awareness and potential escalation. +- Restore any altered or compromised system configurations to their original state using backups or system snapshots. +- Implement additional monitoring on the affected system and account to detect any further suspicious activity. 
+- Review and update access controls and privilege management policies to minimize the risk of similar incidents in the future.""" +references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8" setup = """## Setup This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: @@ -69,9 +105,6 @@ The Windows integration allows you to monitor the Windows OS, services, applicat - Click “Save and Continue”. - For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). """ -references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] -risk_score = 21 -rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8" severity = "low" tags = [ "Domain: Endpoint", 
@@ -83,41 +116,6 @@ tags = [ "Resources: Investigation Guide", ] type = "machine_learning" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Windows User Privilege Elevation Activity - -In Windows environments, privilege elevation tools like 'runas' allow users to execute programs with different user credentials, typically used by administrators. Adversaries exploit this to gain elevated access, often indicating account compromise. The detection rule leverages machine learning to identify atypical usage patterns of such tools, flagging potential unauthorized privilege escalation attempts. - -### Possible investigation steps - -- Review the specific user account involved in the alert to determine if it is a regular user or an administrator, as privilege elevation is more common among administrators. -- Check the timestamp of the alert to correlate with any known scheduled tasks or administrative activities that might explain the use of privilege elevation tools. -- Investigate the source IP address and device from which the privilege elevation attempt was made to verify if it aligns with the user's typical access patterns. -- Examine recent login activity for the user account to identify any unusual or unauthorized access attempts that could indicate account compromise. -- Look for any other security alerts or logs related to the same user or device around the time of the alert to gather additional context on potential malicious activity. -- Assess whether there have been any recent changes to user permissions or group memberships that could have facilitated the privilege elevation. 
- -### False positive analysis - -- Regular administrative tasks by domain or network administrators can trigger false positives. To manage this, create exceptions for known administrator accounts frequently using the runas command. -- Scheduled tasks or scripts that require privilege elevation might be flagged. Identify and exclude these tasks from monitoring if they are verified as safe and necessary for operations. -- Software updates or installations that require elevated privileges can also cause alerts. Maintain a list of approved software and update processes to exclude them from triggering the rule. -- Training or testing environments where privilege elevation is part of routine operations may generate false positives. Exclude these environments from the rule's scope to prevent unnecessary alerts. -- Third-party applications that use privilege elevation for legitimate purposes should be reviewed and, if deemed safe, added to an exception list to avoid repeated false positives. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. -- Revoke any elevated privileges granted to the compromised account and reset its password to prevent further misuse. -- Conduct a thorough review of recent activity logs for the affected account to identify any unauthorized actions or data access. -- Notify the security team and relevant stakeholders about the incident for awareness and potential escalation. -- Restore any altered or compromised system configurations to their original state using backups or system snapshots. -- Implement additional monitoring on the affected system and account to detect any further suspicious activity. -- Review and update access controls and privilege management policies to minimize the risk of similar incidents in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" 
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 2baaf3533..97ba3fb44 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml index d1d9311a1..d9df945ca 100644 --- a/rules/windows/collection_mailbox_export_winlog.toml +++ b/rules/windows/collection_mailbox_export_winlog.toml @@ -2,14 +2,13 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2024/10/28" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. +Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary +mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. """ false_positives = ["Legitimate exchange system administration activity."] from = "now-9m" 
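Review bot: In the `@@ -2,14 +2,13 @@` hunk of rules/windows/collection_mailbox_export_winlog.toml, the reflowed `description` still spells the cmdlet `New-MailBoxExportRequest`, while the rule's KQL query matches `"New-MailboxExportRequest"` (the cmdlet's actual spelling). Since the line is being rewritten anyway, correct the casing there: `Identifies the use of the Exchange PowerShell cmdlet, New-MailboxExportRequest, to export the contents of a primary`. The mismatch does not affect detection, but an analyst copying the name from the description into a case-sensitive search may get no results.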
@@ -63,7 +62,14 @@ references = [ risk_score = 47 rule_id = "54a81f68-5f2a-421e-8eed-f888278bb712" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -72,27 +78,28 @@ event.category:process and host.os.type:windows and powershell.file.script_block_text : "New-MailboxExportRequest" ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" - +case_insensitive = true +value = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -104,7 +111,6 @@ reference = "https://attack.mitre.org/techniques/T1005/" id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" - [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" 
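Review bot: The three negated `[[rule.filters]]` blocks in the `@@ -72,27 +78,28 @@` hunk carry no explanation of what the `file.path` wildcards are meant to exclude, and the same holds for the three filters in the `@@ -105,27 +110,28 @@` hunk of rules/windows/collection_posh_clipboard_capture.toml. Negated filters are deliberate blind spots in a detection, so the rationale should be recorded next to them; the paths look like the Exchange remote PowerShell module cache and its temporary script files, but that is an inference to confirm. If the rule formatter preserves TOML comments, add above the first filter `# Negated filters: script blocks loaded from these paths are excluded as expected, benign sources of this cmdlet name — TODO confirm`; otherwise fold the rationale into the rule's `false_positives` entry so it survives regeneration.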
@@ -116,7 +122,9 @@ name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index c1accd7d8..55a17d138 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml index d08e24720..faf38d488 100644 --- a/rules/windows/collection_posh_clipboard_capture.toml +++ b/rules/windows/collection_posh_clipboard_capture.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/12" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2024/10/28" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -80,7 +78,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
@@ -105,27 +110,28 @@ event.category:process and host.os.type:windows and ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1" - +case_insensitive = true +value = "?:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1" - +case_insensitive = true +value = "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" - +case_insensitive = true +value = "?:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 7e89556a9..6feee1d78 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml index 6e8c81179..9a8eacb6f 100644 --- a/rules/windows/collection_posh_mailbox.toml +++ b/rules/windows/collection_posh_mailbox.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index cd618e1b0..c0b7b9ffe 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml index e7afa981c..cf95d2a9b 100644 --- a/rules/windows/collection_posh_webcam_video_capture.toml +++ b/rules/windows/collection_posh_webcam_video_capture.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/18" integration = ["windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,40 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Webcam Video Capture Capabilities" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating PowerShell Script with Webcam Video Capture Capabilities + +PowerShell, a powerful scripting language in Windows, can interface with system components like webcams for legitimate tasks such as video conferencing. However, adversaries exploit this by crafting scripts to covertly record video, infringing on privacy. The detection rule identifies suspicious script patterns and API calls linked to webcam access, flagging potential misuse for further investigation. + +### Possible investigation steps + +- Review the PowerShell script block text associated with the alert to identify any suspicious patterns or API calls, such as "NewFrameEventHandler" or "VideoCaptureDevice". +- Check the process execution details, including the parent process, to determine how the PowerShell script was initiated and if it was part of a legitimate application or task. +- Investigate the user account under which the PowerShell script was executed to assess if the account has a history of suspicious activity or if it has been compromised. +- Examine the host's recent activity logs for any other unusual behavior or alerts that might correlate with the webcam access attempt, such as unauthorized access attempts or data exfiltration. +- Verify if the host has any legitimate applications that might use webcam access, and cross-reference with the script's behavior to rule out false positives. 
+ +### False positive analysis + +- Legitimate video conferencing applications may trigger the detection rule due to their use of similar API calls and script patterns. Users can create exceptions for known and trusted applications by whitelisting their process names or script signatures. +- Security testing tools that simulate webcam access for vulnerability assessments might be flagged. To handle this, users should exclude these tools from monitoring during scheduled testing periods. +- System diagnostics or maintenance scripts that access webcam components for hardware checks can be mistaken for malicious activity. Users should document and exclude these scripts if they are part of routine system operations. +- Educational or training software that uses webcam access for interactive sessions may be incorrectly identified. Users can mitigate this by adding these applications to an allowlist after verifying their legitimacy. +- Custom scripts developed in-house for specific business needs that involve webcam access should be reviewed and, if deemed safe, excluded from the detection rule to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious PowerShell processes identified by the detection rule to stop ongoing webcam recording activities. +- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious scripts or software. +- Review and revoke any unauthorized access permissions or credentials that may have been compromised during the incident. +- Restore the system from a known good backup if any critical system files or configurations have been altered by the malicious script. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. 
+- Implement enhanced monitoring and logging for PowerShell activities across the network to detect and respond to similar threats more effectively in the future.""" references = [ "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py", ] 
@@ -68,40 +100,6 @@ event.category:process and host.os.type:windows and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating PowerShell Script with Webcam Video Capture Capabilities - -PowerShell, a powerful scripting language in Windows, can interface with system components like webcams for legitimate tasks such as video conferencing. However, adversaries exploit this by crafting scripts to covertly record video, infringing on privacy. The detection rule identifies suspicious script patterns and API calls linked to webcam access, flagging potential misuse for further investigation. - -### Possible investigation steps - -- Review the PowerShell script block text associated with the alert to identify any suspicious patterns or API calls, such as "NewFrameEventHandler" or "VideoCaptureDevice". -- Check the process execution details, including the parent process, to determine how the PowerShell script was initiated and if it was part of a legitimate application or task. -- Investigate the user account under which the PowerShell script was executed to assess if the account has a history of suspicious activity or if it has been compromised. -- Examine the host's recent activity logs for any other unusual behavior or alerts that might correlate with the webcam access attempt, such as unauthorized access attempts or data exfiltration. -- Verify if the host has any legitimate applications that might use webcam access, and cross-reference with the script's behavior to rule out false positives. 
- -### False positive analysis - -- Legitimate video conferencing applications may trigger the detection rule due to their use of similar API calls and script patterns. Users can create exceptions for known and trusted applications by whitelisting their process names or script signatures. -- Security testing tools that simulate webcam access for vulnerability assessments might be flagged. To handle this, users should exclude these tools from monitoring during scheduled testing periods. -- System diagnostics or maintenance scripts that access webcam components for hardware checks can be mistaken for malicious activity. Users should document and exclude these scripts if they are part of routine system operations. -- Educational or training software that uses webcam access for interactive sessions may be incorrectly identified. Users can mitigate this by adding these applications to an allowlist after verifying their legitimacy. -- Custom scripts developed in-house for specific business needs that involve webcam access should be reviewed and, if deemed safe, excluded from the detection rule to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious PowerShell processes identified by the detection rule to stop ongoing webcam recording activities. -- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious scripts or software. -- Review and revoke any unauthorized access permissions or credentials that may have been compromised during the incident. -- Restore the system from a known good backup if any critical system files or configurations have been altered by the malicious script. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. 
-- Implement enhanced monitoring and logging for PowerShell activities across the network to detect and respond to similar threats more effectively in the future.""" [[rule.threat]] diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index c17e967c8..0cbdbc6a1 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/11/02" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -14,12 +12,12 @@ preparation for exfiltration. """ from = "now-9m" index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", - "endgame-*", - "logs-m365_defender.event-*", - "logs-sentinel_one_cloud_funnel.*" + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" @@ -81,7 +79,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne" + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index a2a98c6bf..d2af75605 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml 
@@ -2,9 +2,7 @@
creation_date = "2023/01/13"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[transform]
[[transform.osquery]]
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index 3083a7f5f..27ba25a1e 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -2,9 +2,7 @@
creation_date = "2020/11/11"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index 6815716b9..7a9bf50f8 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -2,9 +2,7 @@
creation_date = "2020/11/04"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -17,6 +15,40 @@ index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_ language = "eql" license = "Elastic License v2" name = "Connection to Commonly Abused Free SSL Certificate Providers" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Connection to Commonly Abused Free SSL Certificate Providers + +Free SSL certificates, like those from Let's Encrypt, enable secure web traffic encryption. Adversaries exploit these to mask malicious command and control (C2) communications. The detection rule identifies unusual Windows processes accessing domains with such certificates, excluding common false positives, to flag potential misuse of encrypted channels for C2 activities. + +### Possible investigation steps + +- Review the process executable path to confirm if it is a native Windows process and assess the legitimacy of its network activity. Focus on paths like "C:\\Windows\\System32\\*.exe" and "C:\\Windows\\SysWOW64\\*.exe". +- Investigate the specific domain accessed by the process, such as those ending in "*.letsencrypt.org" or "*.sslforfree.com", to determine if it is associated with known malicious activity or if it is a legitimate service. +- Check the process name against the list of excluded false positives, ensuring it is not "svchost.exe", "MicrosoftEdge*.exe", or "msedge.exe", which are common and typically benign. +- Analyze the network traffic associated with the process to identify any unusual patterns or anomalies that could indicate command and control activity. 
+- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activities. + +### False positive analysis + +- Windows system processes like svchost.exe and MicrosoftEdge.exe are common false positives due to their legitimate network activities. These can be excluded from the detection rule to reduce noise. +- Regularly update the list of excluded processes to include any new system processes that are verified to have legitimate reasons for accessing domains with free SSL certificates. +- Monitor and analyze network traffic patterns to identify any additional processes that consistently generate false positives, and consider adding them to the exclusion list if they are deemed non-threatening. +- Use process whitelisting to allow known safe applications that frequently access these domains, ensuring they do not trigger alerts unnecessarily. +- Implement a review process to periodically reassess the exclusion list, ensuring it remains relevant and does not inadvertently allow malicious activities to go undetected. + +### Response and remediation + +- Isolate the affected system from the network to prevent further malicious communication and potential lateral movement. +- Terminate any suspicious processes identified in the alert that are not typically associated with network activity, such as those running from unusual paths or with unexpected network connections. +- Conduct a thorough review of the system's recent activity logs to identify any unauthorized changes or additional indicators of compromise. +- Remove any malicious files or executables found on the system, ensuring that all remnants of the threat are eradicated. +- Restore the system from a known good backup if any critical system files or configurations have been altered. +- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" risk_score = 21 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d" setup = """## Setup 
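Review bot: The relocated investigation step that tells the analyst to check the process name is not `svchost.exe`, `MicrosoftEdge*.exe` or `msedge.exe` can never apply to an alert from this rule, because the query already drops those names with `not process.name : ("svchost.exe", "MicrosoftEdge*.exe", "msedge.exe")` before any alert is produced, and the false-positive bullet saying those processes "can be excluded" repeats advice the rule already implements. I would reword the step to something the analyst can act on, e.g. `Note that svchost.exe, MicrosoftEdge*.exe and msedge.exe are already excluded by the query; any other System32 or SysWOW64 binary reaching these certificate-provider domains is unexpected and should be verified (signature, path, parent process).`, and trim the false-positive bullet to say that these exclusions are built in and further ones belong in a rule exception. This hunk only moves the note, so the wording issue predates the commit rather than being a regression. The `setup` string that follows the note continues outside the hunk.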
@@ -56,40 +88,6 @@ network where host.os.type == "windows" and network.protocol == "dns" and /* Insert noisy false positives here */ not process.name : ("svchost.exe", "MicrosoftEdge*.exe", "msedge.exe") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Connection to Commonly Abused Free SSL Certificate Providers - -Free SSL certificates, like those from Let's Encrypt, enable secure web traffic encryption. Adversaries exploit these to mask malicious command and control (C2) communications. The detection rule identifies unusual Windows processes accessing domains with such certificates, excluding common false positives, to flag potential misuse of encrypted channels for C2 activities. - -### Possible investigation steps - -- Review the process executable path to confirm if it is a native Windows process and assess the legitimacy of its network activity. Focus on paths like "C:\\Windows\\System32\\*.exe" and "C:\\Windows\\SysWOW64\\*.exe". -- Investigate the specific domain accessed by the process, such as those ending in "*.letsencrypt.org" or "*.sslforfree.com", to determine if it is associated with known malicious activity or if it is a legitimate service. -- Check the process name against the list of excluded false positives, ensuring it is not "svchost.exe", "MicrosoftEdge*.exe", or "msedge.exe", which are common and typically benign. -- Analyze the network traffic associated with the process to identify any unusual patterns or anomalies that could indicate command and control activity. 
-- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activities. - -### False positive analysis - -- Windows system processes like svchost.exe and MicrosoftEdge.exe are common false positives due to their legitimate network activities. These can be excluded from the detection rule to reduce noise. -- Regularly update the list of excluded processes to include any new system processes that are verified to have legitimate reasons for accessing domains with free SSL certificates. -- Monitor and analyze network traffic patterns to identify any additional processes that consistently generate false positives, and consider adding them to the exclusion list if they are deemed non-threatening. -- Use process whitelisting to allow known safe applications that frequently access these domains, ensuring they do not trigger alerts unnecessarily. -- Implement a review process to periodically reassess the exclusion list, ensuring it remains relevant and does not inadvertently allow malicious activities to go undetected. - -### Response and remediation - -- Isolate the affected system from the network to prevent further malicious communication and potential lateral movement. -- Terminate any suspicious processes identified in the alert that are not typically associated with network activity, such as those running from unusual paths or with unexpected network connections. -- Conduct a thorough review of the system's recent activity logs to identify any unauthorized changes or additional indicators of compromise. -- Remove any malicious files or executables found on the system, ensuring that all remnants of the threat are eradicated. -- Restore the system from a known good backup if any critical system files or configurations have been altered. -- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml index 81abab110..58a321831 100644 --- a/rules/windows/command_and_control_headless_browser.toml +++ b/rules/windows/command_and_control_headless_browser.toml @@ -2,9 +2,7 @@ creation_date = "2024/05/10" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml index 8e7ba96c2..7df227a7d 100644 --- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml +++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml @@ -2,9 +2,7 @@ creation_date = "2023/04/03" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml index 90f713db5..4486f3e47 100644 --- a/rules/windows/command_and_control_outlook_home_page.toml +++ b/rules/windows/command_and_control_outlook_home_page.toml 
@@ -2,9 +2,7 @@
creation_date = "2024/08/01"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -13,43 +11,17 @@ Identifies modifications in registry keys associated with abuse of the Outlook H
control or persistence.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
language = "eql"
license = "Elastic License v2"
name = "Outlook Home Page Registry Modification"
-references = [
- "https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/",
- "https://github.com/trustedsec/specula"
-]
-risk_score = 47
-rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and
- registry.path : (
- "HKCU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
- "HKU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
- "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
- "USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL"
- ) and registry.data.strings : "*http*"
-'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -84,6 +56,39 @@ The Outlook Home Page feature allows users to set a webpage as the default view
- Review and analyze network logs to identify any outbound connections to suspicious domains or IP addresses, and block these at the firewall.
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if other systems are affected.
- Implement additional monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and network activity."""
+references = [
+ "https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/",
+ "https://github.com/trustedsec/specula",
+]
+risk_score = 47
+rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and
+ registry.path : (
+ "HKCU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
+ "HKU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
+ "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
+ "USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL"
+ ) and registry.data.strings : "*http*"
+'''
[[rule.threat]]
@@ -93,7 +98,6 @@ framework = "MITRE ATT&CK"
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
-
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index cc1ee407e..a5f8f32e7 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -2,9 +2,7 @@
creation_date = "2020/11/25"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -13,7 +11,14 @@ Identifies the creation of a new port forwarding rule. An adversary may abuse th
segmentation restrictions.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+]
language = "eql"
license = "Elastic License v2"
name = "Port Forwarding Rule Addition"
@@ -101,7 +106,6 @@ reference = "https://attack.mitre.org/techniques/T1572/"
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
-
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -109,6 +113,7 @@ id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"
+
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 138ce8e3f..14e373d6b 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -2,9 +2,7 @@
creation_date = "2020/10/14"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -103,7 +101,6 @@ reference = "https://attack.mitre.org/techniques/T1572/"
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
-
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -121,3 +118,4 @@ reference = "https://attack.mitre.org/techniques/T1021/004/"
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 8bb08c1cf..82f163f5d 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,11 +2,40 @@
creation_date = "2020/09/03"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[transform]
+[[transform.investigate]]
+label = "Alerts associated with the user in the last 48h"
+providers = [
+ [
+ { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
+ { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
+ ]
+]
+relativeFrom = "now-48h/h"
+relativeTo = "now"
+
+[[transform.investigate]]
+label = "Alerts associated with the host in the last 48h"
+providers = [
+ [
+ { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
+ { excluded = false, field = "host.name", queryType = "phrase", value = "{{host.name}}", valueType = "string" }
+ ]
+]
+relativeFrom = "now-48h/h"
+relativeTo = "now"
+
+[[transform.investigate]]
+label = "Investigate the Subject Process Network Events"
+providers = [
+ [
+ { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
+ { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
+ ]
+]
+
[[transform.osquery]]
label = "Osquery - Retrieve DNS Cache"
query = "SELECT * FROM dns_cache"
@@ -31,37 +60,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
-[[transform.investigate]]
-label = "Alerts associated with the user in the last 48h"
-relativeFrom = "now-48h/h"
-relativeTo = "now"
-providers = [
- [
- {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"},
- {field = "user.id", excluded = false, queryType = "phrase", value = "{{user.id}}", valueType = "string"}
- ]
-]
-
-[[transform.investigate]]
-label = "Alerts associated with the host in the last 48h"
-relativeFrom = "now-48h/h"
-relativeTo = "now"
-providers = [
- [
- {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"},
- {field = "host.name", excluded = false, queryType = "phrase", value = "{{host.name}}", valueType = "string"},
- ]
-]
-
-[[transform.investigate]]
-label = "Investigate the Subject Process Network Events"
-providers = [
- [
- {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.entity_id}}", valueType = "string"},
- {field = "event.category", excluded = false, queryType = "phrase", value = "network", valueType = "string"}
- ]
-]
-
[rule]
author = ["Elastic"]
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 2bed2b5a9..cd047fec4 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,11 +2,40 @@
creation_date = "2020/09/03"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[transform]
+[[transform.investigate]]
+label = "Alerts associated with the user in the last 48h"
+providers = [
+ [
+ { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
+ { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
+ ]
+]
+relativeFrom = "now-48h/h"
+relativeTo = "now"
+
+[[transform.investigate]]
+label = "Alerts associated with the host in the last 48h"
+providers = [
+ [
+ { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
+ { excluded = false, field = "host.name", queryType = "phrase", value = "{{host.name}}", valueType = "string" }
+ ]
+]
+relativeFrom = "now-48h/h"
+relativeTo = "now"
+
+[[transform.investigate]]
+label = "Investigate the Subject Process Network Events"
+providers = [
+ [
+ { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
+ { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
+ ]
+]
+
[[transform.osquery]]
label = "Osquery - Retrieve DNS Cache"
query = "SELECT * FROM dns_cache"
@@ -31,37 +60,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
-[[transform.investigate]]
-label = "Alerts associated with the user in the last 48h"
-relativeFrom = "now-48h/h"
-relativeTo = "now"
-providers = [
- [
- {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"},
- {field = "user.id", excluded = false, queryType = "phrase", value = "{{user.id}}", valueType = "string"}
- ]
-]
-
-[[transform.investigate]]
-label = "Alerts associated with the host in the last 48h"
-relativeFrom = "now-48h/h"
-relativeTo = "now"
-providers = [
- [
- {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"},
- {field = "host.name", excluded = false, queryType = "phrase", value = "{{host.name}}", valueType = "string"}
- ]
-]
-
-[[transform.investigate]]
-label = "Investigate the Subject Process Network Events"
-providers = [
- [
- {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.entity_id}}", valueType = "string"},
- {field = "event.category", excluded = false, queryType = "phrase", value = "network", valueType = "string"}
- ]
-]
-
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 813cad05e..a6a497a81 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index 25f96b21f..274f09412 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -2,15 +2,13 @@
 creation_date = "2024/03/27"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution
-abusing unauthorized access to the ScreenConnect remote access software.
+Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate
+execution abusing unauthorized access to the ScreenConnect remote access software.
 """
 from = "now-9m"
 index = [
@@ -26,7 +24,44 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious ScreenConnect Client Child Process"
-references = ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"]
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious ScreenConnect Client Child Process
+
+ScreenConnect, a remote access tool, facilitates legitimate remote support but can be exploited by adversaries to execute unauthorized commands. Malicious actors may spawn processes like PowerShell or cmd.exe via ScreenConnect to perform harmful activities. The detection rule identifies such suspicious child processes, focusing on unusual arguments and process names, indicating potential abuse of remote access capabilities.
+
+### Possible investigation steps
+
+- Review the parent process name to confirm it is one of the ScreenConnect client processes listed in the query, such as ScreenConnect.ClientService.exe or ScreenConnect.WindowsClient.exe, to verify the source of the suspicious activity.
+- Examine the child process name and arguments, such as powershell.exe with encoded commands or cmd.exe with /c, to identify potentially malicious actions or commands being executed.
+- Check the network activity associated with the suspicious process, especially if the process arguments include network-related terms like *http* or *downloadstring*, to determine if there is any unauthorized data exfiltration or command and control communication.
+- Investigate the user account under which the suspicious process was executed to assess if the account has been compromised or is being misused.
+- Correlate the event with other security alerts or logs from data sources like Elastic Defend or Microsoft Defender for Endpoint to gather additional context and identify any related malicious activities.
+- Review the system's recent activity and changes, such as new scheduled tasks or services created by schtasks.exe or sc.exe, to identify any persistence mechanisms that may have been established by the attacker.
+
+### False positive analysis
+
+- Legitimate IT support activities using ScreenConnect may trigger the rule when executing scripts or commands for maintenance. To manage this, identify and whitelist specific IT support accounts or IP addresses that regularly perform these actions.
+- Automated scripts or scheduled tasks that use ScreenConnect for routine operations might be flagged. Review and document these scripts, then create exceptions for known benign processes and arguments.
+- Software updates or installations initiated through ScreenConnect can appear suspicious. Maintain a list of approved software and update processes, and exclude these from the rule.
+- Internal security tools or monitoring solutions that leverage ScreenConnect for legitimate purposes may be detected. Verify these tools and add them to an exclusion list to prevent false positives.
+- Training sessions or demonstrations using ScreenConnect to showcase command-line tools could be misinterpreted as threats. Ensure these sessions are logged and recognized as non-threatening, and adjust the rule to accommodate these scenarios.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
+- Terminate any suspicious processes identified in the alert, such as PowerShell, cmd.exe, or other flagged executables, to halt any ongoing malicious activity.
+- Review and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like net.exe or schtasks.exe.
+- Conduct a thorough scan of the affected system using endpoint protection tools to identify and remove any malware or unauthorized software installed by the attacker.
+- Restore the system from a known good backup if any critical system files or configurations have been altered or compromised.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for ScreenConnect and other remote access tools to detect similar activities in the future, ensuring that alerts are promptly reviewed and acted upon."""
+references = [
+ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
+]
 risk_score = 47
 rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546"
 severity = "medium"
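Review bot: The false-positive guidance in the relocated `note` tells the analyst to "whitelist specific IT support accounts or IP addresses", but this is a process-start rule (the query shown as context in the next hunk begins `process where host.os.type == "windows" and event.type == "start" and`) with no network fields, so an IP-based exception cannot be expressed against it. Suggest rewording that bullet to `To manage this, identify the specific IT support accounts or hosts that regularly perform these actions and add rule exceptions for them.`. The wording is unchanged from the copy removed in the following hunk, so the issue predates this commit; it is raised here because the guide is re-emitted on the new side.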
@@ -68,41 +103,6 @@ process where host.os.type == "windows" and event.type == "start" and
 "ssh.exe", "scp.exe", "wevtutil.exe", "wget.exe", "wmic.exe")
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious ScreenConnect Client Child Process
-
-ScreenConnect, a remote access tool, facilitates legitimate remote support but can be exploited by adversaries to execute unauthorized commands. Malicious actors may spawn processes like PowerShell or cmd.exe via ScreenConnect to perform harmful activities. The detection rule identifies such suspicious child processes, focusing on unusual arguments and process names, indicating potential abuse of remote access capabilities.
-
-### Possible investigation steps
-
-- Review the parent process name to confirm it is one of the ScreenConnect client processes listed in the query, such as ScreenConnect.ClientService.exe or ScreenConnect.WindowsClient.exe, to verify the source of the suspicious activity.
-- Examine the child process name and arguments, such as powershell.exe with encoded commands or cmd.exe with /c, to identify potentially malicious actions or commands being executed.
-- Check the network activity associated with the suspicious process, especially if the process arguments include network-related terms like *http* or *downloadstring*, to determine if there is any unauthorized data exfiltration or command and control communication.
-- Investigate the user account under which the suspicious process was executed to assess if the account has been compromised or is being misused.
-- Correlate the event with other security alerts or logs from data sources like Elastic Defend or Microsoft Defender for Endpoint to gather additional context and identify any related malicious activities.
-- Review the system's recent activity and changes, such as new scheduled tasks or services created by schtasks.exe or sc.exe, to identify any persistence mechanisms that may have been established by the attacker.
-
-### False positive analysis
-
-- Legitimate IT support activities using ScreenConnect may trigger the rule when executing scripts or commands for maintenance. To manage this, identify and whitelist specific IT support accounts or IP addresses that regularly perform these actions.
-- Automated scripts or scheduled tasks that use ScreenConnect for routine operations might be flagged. Review and document these scripts, then create exceptions for known benign processes and arguments.
-- Software updates or installations initiated through ScreenConnect can appear suspicious. Maintain a list of approved software and update processes, and exclude these from the rule.
-- Internal security tools or monitoring solutions that leverage ScreenConnect for legitimate purposes may be detected. Verify these tools and add them to an exclusion list to prevent false positives.
-- Training sessions or demonstrations using ScreenConnect to showcase command-line tools could be misinterpreted as threats. Ensure these sessions are logged and recognized as non-threatening, and adjust the rule to accommodate these scenarios.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
-- Terminate any suspicious processes identified in the alert, such as PowerShell, cmd.exe, or other flagged executables, to halt any ongoing malicious activity.
-- Review and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like net.exe or schtasks.exe.
-- Conduct a thorough scan of the affected system using endpoint protection tools to identify and remove any malware or unauthorized software installed by the attacker.
-- Restore the system from a known good backup if any critical system files or configurations have been altered or compromised.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Implement enhanced monitoring and logging for ScreenConnect and other remote access tools to detect similar activities in the future, ensuring that alerts are promptly reviewed and acted upon."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml
index 69694fc30..cfac5ff60 100644
--- a/rules/windows/command_and_control_tool_transfer_via_curl.toml
+++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml
@@ -2,14 +2,13 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/22"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Curl for Windows making an HTTP request. Adversaries could abuse Curl to download files or upload data to a remote URL.
+Identifies Curl for Windows making an HTTP request. Adversaries could abuse Curl to download files or upload data to a
+remote URL.
 """
 from = "now-9m"
 index = [
@@ -118,4 +117,5 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml
index 1bc611fa8..991ae1f84 100644
--- a/rules/windows/command_and_control_tunnel_vscode.toml
+++ b/rules/windows/command_and_control_tunnel_vscode.toml
@@ -2,15 +2,13 @@
 creation_date = "2024/09/09"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects the execution of the VScode portable binary with the tunnel command line option indicating an
-attempt to establish a remote tunnel session to Github or a remote VScode instance.
+Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to
+establish a remote tunnel session to Github or a remote VScode instance.
 """
 from = "now-9m"
 index = [
@@ -26,35 +24,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Establish VScode Remote Tunnel"
-references = [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
- "https://code.visualstudio.com/docs/remote/tunnels"
-]
-risk_score = 47
-rule_id = "0b96dfd8-5b8c-4485-9a1c-69ff7839786a"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Windows Security Event Logs",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.args : "tunnel" and (process.args : "--accept-server-license-terms" or process.name : "code*.exe") and
- not (process.name == "code-tunnel.exe" and process.args == "status" and process.parent.name == "Code.exe")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -90,6 +59,35 @@ Visual Studio Code (VScode) offers a remote tunnel feature enabling developers t
 - Restore the system from a known good backup if any unauthorized changes or malware are detected.
 - Implement network segmentation to limit the ability of similar threats to spread across the environment.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+references = [
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://code.visualstudio.com/docs/remote/tunnels",
+]
+risk_score = 47
+rule_id = "0b96dfd8-5b8c-4485-9a1c-69ff7839786a"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.args : "tunnel" and (process.args : "--accept-server-license-terms" or process.name : "code*.exe") and
+ not (process.name == "code-tunnel.exe" and process.args == "status" and process.parent.name == "Code.exe")
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml
index 9fd97275a..e3c6af875 100644
--- a/rules/windows/credential_access_adidns_wildcard.toml
+++ b/rules/windows/credential_access_adidns_wildcard.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -21,6 +19,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential ADIDNS Poisoning via Wildcard Record Creation"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential ADIDNS Poisoning via Wildcard Record Creation
+
+Active Directory Integrated DNS (ADIDNS) is crucial for maintaining domain consistency by storing DNS zones as AD objects. However, its default permissions allow authenticated users to create DNS records, which adversaries can exploit by adding wildcard records. This enables them to redirect traffic and perform Man-in-the-Middle attacks. The detection rule identifies such abuse by monitoring specific directory service changes indicative of wildcard record creation.
+
+### Possible investigation steps
+
+- Review the event logs on the affected Windows host to confirm the presence of event code 5137, which indicates a directory service object modification.
+- Examine the ObjectDN field in the event data to identify the specific DNS zone where the wildcard record was created, ensuring it starts with "DC=*," to confirm the wildcard nature.
+- Check the user account associated with the event to determine if it is a legitimate account or potentially compromised, focusing on any unusual or unauthorized activity.
+- Investigate recent changes in the DNS zone to identify any other suspicious modifications or patterns that could indicate further malicious activity.
+- Correlate the event with network traffic logs to detect any unusual or redirected traffic patterns that could suggest a Man-in-the-Middle attack.
+- Assess the permissions and access controls on the DNS zones to ensure they are appropriately configured and restrict unnecessary modifications by authenticated users.
+
+### False positive analysis
+
+- Routine administrative changes to DNS records by IT staff can trigger alerts. To manage this, create exceptions for known administrative accounts or specific ObjectDN patterns that correspond to legitimate changes.
+- Automated systems or scripts that update DNS records as part of regular maintenance may cause false positives. Identify these systems and exclude their activity from triggering alerts by filtering based on their unique identifiers or event sources.
+- Software installations or updates that modify DNS settings might be flagged. Monitor and document these activities, and consider excluding them if they are part of a recognized and secure process.
+- Changes made by trusted third-party services that integrate with ADIDNS could be misinterpreted as threats. Verify these services and whitelist their actions to prevent unnecessary alerts.
+- Temporary testing environments that mimic production settings might generate alerts. Ensure these environments are clearly documented and excluded from monitoring if they are known to perform non-threatening wildcard record creations.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further exploitation or data exfiltration.
+- Revoke any potentially compromised credentials associated with the affected system or user accounts involved in the alert.
+- Conduct a thorough review of DNS records in the affected zone to identify and remove any unauthorized wildcard entries.
+- Implement stricter access controls on DNS record creation, limiting permissions to only necessary administrative accounts.
+- Monitor network traffic for signs of Man-in-the-Middle activity, focusing on unusual DNS queries or redirections.
+- Escalate the incident to the security operations center (SOC) for further investigation and to assess the potential impact on other systems.
+- Update detection mechanisms to include additional indicators of compromise related to ADIDNS abuse, enhancing future threat detection capabilities."""
 references = [
 "https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/",
 "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing",
@@ -67,41 +100,6 @@ query = '''
 any where host.os.type == "windows" and event.code == "5137" and startsWith(winlog.event_data.ObjectDN, "DC=*,")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential ADIDNS Poisoning via Wildcard Record Creation
-
-Active Directory Integrated DNS (ADIDNS) is crucial for maintaining domain consistency by storing DNS zones as AD objects. However, its default permissions allow authenticated users to create DNS records, which adversaries can exploit by adding wildcard records. This enables them to redirect traffic and perform Man-in-the-Middle attacks. The detection rule identifies such abuse by monitoring specific directory service changes indicative of wildcard record creation.
-
-### Possible investigation steps
-
-- Review the event logs on the affected Windows host to confirm the presence of event code 5137, which indicates a directory service object modification.
-- Examine the ObjectDN field in the event data to identify the specific DNS zone where the wildcard record was created, ensuring it starts with "DC=*," to confirm the wildcard nature.
-- Check the user account associated with the event to determine if it is a legitimate account or potentially compromised, focusing on any unusual or unauthorized activity.
-- Investigate recent changes in the DNS zone to identify any other suspicious modifications or patterns that could indicate further malicious activity.
-- Correlate the event with network traffic logs to detect any unusual or redirected traffic patterns that could suggest a Man-in-the-Middle attack.
-- Assess the permissions and access controls on the DNS zones to ensure they are appropriately configured and restrict unnecessary modifications by authenticated users.
-
-### False positive analysis
-
-- Routine administrative changes to DNS records by IT staff can trigger alerts. To manage this, create exceptions for known administrative accounts or specific ObjectDN patterns that correspond to legitimate changes.
-- Automated systems or scripts that update DNS records as part of regular maintenance may cause false positives. Identify these systems and exclude their activity from triggering alerts by filtering based on their unique identifiers or event sources.
-- Software installations or updates that modify DNS settings might be flagged. Monitor and document these activities, and consider excluding them if they are part of a recognized and secure process.
-- Changes made by trusted third-party services that integrate with ADIDNS could be misinterpreted as threats. Verify these services and whitelist their actions to prevent unnecessary alerts.
-- Temporary testing environments that mimic production settings might generate alerts. Ensure these environments are clearly documented and excluded from monitoring if they are known to perform non-threatening wildcard record creations.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further exploitation or data exfiltration.
-- Revoke any potentially compromised credentials associated with the affected system or user accounts involved in the alert.
-- Conduct a thorough review of DNS records in the affected zone to identify and remove any unauthorized wildcard entries.
-- Implement stricter access controls on DNS record creation, limiting permissions to only necessary administrative accounts.
-- Monitor network traffic for signs of Man-in-the-Middle activity, focusing on unusual DNS queries or redirections.
-- Escalate the incident to the security operations center (SOC) for further investigation and to assess the potential impact on other systems.
-- Update detection mechanisms to include additional indicators of compromise related to ADIDNS abuse, enhancing future threat detection capabilities."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_adidns_wpad_record.toml b/rules/windows/credential_access_adidns_wpad_record.toml
index aefa64bd7..06fa86eb8 100644
--- a/rules/windows/credential_access_adidns_wpad_record.toml
+++ b/rules/windows/credential_access_adidns_wpad_record.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential WPAD Spoofing via DNS Record Creation"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential WPAD Spoofing via DNS Record Creation
+
+Web Proxy Auto-Discovery (WPAD) helps devices automatically detect proxy settings, crucial for network efficiency. However, attackers can exploit WPAD by creating malicious DNS records, tricking systems into using rogue proxies for data interception. The detection rule identifies suspicious DNS record changes, specifically targeting WPAD entries, to flag potential spoofing attempts, aiding in early threat detection and mitigation.
+
+### Possible investigation steps
+
+- Review the event logs for the specific event code "5137" to identify the creation or modification of the "wpad" DNS record. Focus on the details provided in the winlog.event_data.ObjectDN field to confirm the presence of "DC=wpad,*".
+- Check the Active Directory change history to determine who made the changes to the DNS records and whether these changes were authorized.
+- Investigate the user account associated with the directory service change event to assess if it has been compromised or if there are any signs of unauthorized access.
+- Analyze network traffic to and from the "wpad" DNS record to identify any suspicious activity or connections to rogue proxy servers.
+- Verify the configuration of the Global Query Block List (GQBL) to ensure it has not been disabled or altered, which could allow unauthorized WPAD entries.
+- Cross-reference the alert with other security logs and alerts to identify any related suspicious activities or patterns that could indicate a broader attack campaign.
+
+### False positive analysis
+
+- Legitimate network changes may trigger alerts if a new WPAD DNS record is created intentionally for network configuration. Verify with network administrators if such changes were planned.
+- Automated scripts or software updates that modify DNS records can cause false positives. Review the source of the change and consider excluding known benign scripts or update processes.
+- Test environments often simulate DNS changes, including WPAD entries, for development purposes. Exclude these environments from monitoring if they are known to generate non-threatening alerts.
+- Some organizations may have legacy systems that rely on WPAD configurations. Document these systems and create exceptions for their DNS changes to avoid unnecessary alerts.
+- Regular audits of the Global Query Block List settings can help identify and exclude expected changes, reducing false positives related to WPAD record creation.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further data interception or lateral movement by the rogue proxy.
+- Verify and restore the integrity of the DNS records by removing any unauthorized "wpad" entries and re-enabling the Global Query Block List (GQBL) if it was disabled.
+- Conduct a thorough review of Active Directory logs to identify any unauthorized changes or suspicious activities related to directory service modifications.
+- Reset credentials for any accounts that may have been compromised or accessed during the incident to prevent unauthorized access.
+- Implement network segmentation to limit the exposure of critical systems to potential WPAD spoofing attacks.
+- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems or data were affected.
+- Update and enhance monitoring rules to detect similar WPAD spoofing attempts in the future, ensuring timely alerts and responses."""
 references = [
 "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing",
 "https://cube0x0.github.io/Pocing-Beyond-DA/",
@@ -63,41 +96,6 @@ type = "eql"
 query = '''
 any where host.os.type == "windows" and event.code == "5137" and winlog.event_data.ObjectDN : "DC=wpad,*"
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential WPAD Spoofing via DNS Record Creation
-
-Web Proxy Auto-Discovery (WPAD) helps devices automatically detect proxy settings, crucial for network efficiency. However, attackers can exploit WPAD by creating malicious DNS records, tricking systems into using rogue proxies for data interception. The detection rule identifies suspicious DNS record changes, specifically targeting WPAD entries, to flag potential spoofing attempts, aiding in early threat detection and mitigation.
-
-### Possible investigation steps
-
-- Review the event logs for the specific event code "5137" to identify the creation or modification of the "wpad" DNS record. Focus on the details provided in the winlog.event_data.ObjectDN field to confirm the presence of "DC=wpad,*".
-- Check the Active Directory change history to determine who made the changes to the DNS records and whether these changes were authorized.
-- Investigate the user account associated with the directory service change event to assess if it has been compromised or if there are any signs of unauthorized access.
-- Analyze network traffic to and from the "wpad" DNS record to identify any suspicious activity or connections to rogue proxy servers.
-- Verify the configuration of the Global Query Block List (GQBL) to ensure it has not been disabled or altered, which could allow unauthorized WPAD entries.
-- Cross-reference the alert with other security logs and alerts to identify any related suspicious activities or patterns that could indicate a broader attack campaign.
-
-### False positive analysis
-
-- Legitimate network changes may trigger alerts if a new WPAD DNS record is created intentionally for network configuration. Verify with network administrators if such changes were planned.
-- Automated scripts or software updates that modify DNS records can cause false positives. Review the source of the change and consider excluding known benign scripts or update processes.
-- Test environments often simulate DNS changes, including WPAD entries, for development purposes. Exclude these environments from monitoring if they are known to generate non-threatening alerts.
-- Some organizations may have legacy systems that rely on WPAD configurations. Document these systems and create exceptions for their DNS changes to avoid unnecessary alerts.
-- Regular audits of the Global Query Block List settings can help identify and exclude expected changes, reducing false positives related to WPAD record creation.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further data interception or lateral movement by the rogue proxy.
-- Verify and restore the integrity of the DNS records by removing any unauthorized "wpad" entries and re-enabling the Global Query Block List (GQBL) if it was disabled.
-- Conduct a thorough review of Active Directory logs to identify any unauthorized changes or suspicious activities related to directory service modifications.
-- Reset credentials for any accounts that may have been compromised or accessed during the incident to prevent unauthorized access.
-- Implement network segmentation to limit the exposure of critical systems to potential WPAD spoofing attacks.
-- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems or data were affected.
-- Update and enhance monitoring rules to detect similar WPAD spoofing attempts in the future, ensuring timely alerts and responses."""
 [[rule.threat]]
diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml
index 20b39abf7..acf397f31 100644
--- a/rules/windows/credential_access_bruteforce_admin_account.toml
+++ b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
index 1a01a5b16..aca183164 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
index e3cf7a78f..a68638dd9 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
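Review bot: Removing `min_stack_version = "8.14.0"` together with its `min_stack_comments` drops the pin that kept this rule off stacks older than the Windows integration's 8.14.0 breaking change, and nothing in the hunk records why the pin is no longer needed. That is only safe if 8.13 has been removed from the set of release branches these rules are still built for; if it has not, the rule would be packaged for a stack whose Windows integration fields it was written to avoid and may fail to match there. A short justification in the commit message, or a comment such as `# min_stack_version dropped: 8.14 is now the oldest supported stack` kept in `[metadata]`, would make the intent auditable later. The same removal is repeated in every other `@@ -2,9 +2,7 @@` hunk in this chunk (the other bruteforce rules, cmdline_dump_tool, copy_ntds_sam_volshadowcp_cmdline, credential_dumping_msbuild, the dcsync rules, disable_kerberos_preauth, dnsnode_creation, dollar_account_relay, domain_backup_dpapi_private_keys, dump_registry_hives, generic_localdumps and iis_connectionstrings_dumping).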
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 96caa2b51..70779e976 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 14e2e20d9..5057638d0 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index e6e093b01..2b04a3c5a 100644
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 4c05c46de..0aae0785b 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/12/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index 92a17b401..510eb4004 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml
index 4375ab76d..da206e94d 100644
--- a/rules/windows/credential_access_dcsync_user_backdoor.toml
+++ b/rules/windows/credential_access_dcsync_user_backdoor.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/07/10"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -75,12 +73,21 @@ references = [
 "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml",
 "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all",
 "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes",
- "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set"
+ "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set",
 ]
 risk_score = 47
 rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Active Directory",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -96,22 +103,22 @@ event.code:"5136" and
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.006"
+name = "DCSync"
+reference = "https://attack.mitre.org/techniques/T1003/006/"
- [[rule.threat.technique]]
- id = "T1003"
- reference = "https://attack.mitre.org/techniques/T1003/"
- name = "OS Credential Dumping"
-
- [[rule.threat.technique.subtechnique]]
- id = "T1003.006"
- reference = "https://attack.mitre.org/techniques/T1003/006/"
- name = "DCSync"
 [rule.threat.tactic]
 id = "TA0006"
-reference = "https://attack.mitre.org/tactics/TA0006/"
 name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index 94d814c62..f69365d6a 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml
index 4eb3b83a9..4dd21727d 100644
--- a/rules/windows/credential_access_dnsnode_creation.toml
+++ b/rules/windows/credential_access_dnsnode_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -21,6 +19,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of a DNS-Named Record"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Creation of a DNS-Named Record
+
+Active Directory Integrated DNS (ADIDNS) is crucial for maintaining domain consistency by storing DNS zones as AD objects. However, its default permissions can be exploited by attackers to create DNS records for spoofing attacks, targeting services like WPAD. The detection rule identifies such abuse by monitoring specific Windows events related to DNS record creation, filtering out legitimate system accounts to highlight potential threats.
+
+### Possible investigation steps
+
+- Review the event logs for event code 5137 to identify the specific DNS-named record that was created and the associated timestamp.
+- Examine the winlog.event_data.SubjectUserName field to determine the user account that initiated the DNS record creation, ensuring it is not a system account.
+- Investigate the context around the winlog.event_data.ObjectClass field to confirm the object class is "dnsNode" and assess if the DNS record creation aligns with expected administrative activities.
+- Check for any recent LLMNR/NBT-NS requests or network traffic that might indicate an attempt to exploit the newly created DNS record for spoofing purposes.
+- Correlate the alert with other security events or logs to identify any patterns or anomalies that might suggest malicious intent or unauthorized access attempts.
+- Assess the risk and impact of the DNS record creation by determining if it targets critical services like WPAD or other sensitive systems within the network.
+
+### False positive analysis
+
+- Legitimate administrative actions may trigger the rule when DNS records are created or modified by IT staff. To manage this, create exceptions for known administrative accounts that regularly perform these tasks.
+- Automated system processes or scripts that update DNS records can also cause false positives. Identify these processes and exclude their associated accounts from the rule to prevent unnecessary alerts.
+- Service accounts used by legitimate applications to dynamically update DNS records might be flagged. Review these accounts and add them to an exception list if they are verified as non-threatening.
+- Temporary network changes or testing environments where DNS records are frequently modified can lead to false positives. Consider excluding these environments or specific IP ranges from the rule to reduce noise.
+- Regularly review and update the exception list to ensure it reflects current network and administrative practices, minimizing the risk of overlooking genuine threats.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further malicious DNS record creation and potential spoofing attacks.
+- Review and remove any unauthorized DNS records created by non-system accounts, focusing on those targeting services like WPAD.
+- Reset credentials for any accounts that were potentially compromised or used in the attack to prevent further unauthorized access.
+- Implement stricter access controls on DNS record creation within Active Directory to limit permissions to only necessary and trusted accounts.
+- Monitor for any further suspicious DNS record creation events, particularly those involving non-system accounts, to detect and respond to potential follow-up attacks.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or services were affected.
+- Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent similar incidents in the future."""
 references = [
 "https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/",
 "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing",
@@ -67,41 +100,6 @@ query = '''
 any where host.os.type == "windows" and event.code == "5137" and winlog.event_data.ObjectClass == "dnsNode" and not winlog.event_data.SubjectUserName : "*$"
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Creation of a DNS-Named Record
-
-Active Directory Integrated DNS (ADIDNS) is crucial for maintaining domain consistency by storing DNS zones as AD objects. However, its default permissions can be exploited by attackers to create DNS records for spoofing attacks, targeting services like WPAD. The detection rule identifies such abuse by monitoring specific Windows events related to DNS record creation, filtering out legitimate system accounts to highlight potential threats.
-
-### Possible investigation steps
-
-- Review the event logs for event code 5137 to identify the specific DNS-named record that was created and the associated timestamp.
-- Examine the winlog.event_data.SubjectUserName field to determine the user account that initiated the DNS record creation, ensuring it is not a system account.
-- Investigate the context around the winlog.event_data.ObjectClass field to confirm the object class is "dnsNode" and assess if the DNS record creation aligns with expected administrative activities.
-- Check for any recent LLMNR/NBT-NS requests or network traffic that might indicate an attempt to exploit the newly created DNS record for spoofing purposes.
-- Correlate the alert with other security events or logs to identify any patterns or anomalies that might suggest malicious intent or unauthorized access attempts.
-- Assess the risk and impact of the DNS record creation by determining if it targets critical services like WPAD or other sensitive systems within the network.
-
-### False positive analysis
-
-- Legitimate administrative actions may trigger the rule when DNS records are created or modified by IT staff. To manage this, create exceptions for known administrative accounts that regularly perform these tasks.
-- Automated system processes or scripts that update DNS records can also cause false positives. Identify these processes and exclude their associated accounts from the rule to prevent unnecessary alerts.
-- Service accounts used by legitimate applications to dynamically update DNS records might be flagged. Review these accounts and add them to an exception list if they are verified as non-threatening.
-- Temporary network changes or testing environments where DNS records are frequently modified can lead to false positives. Consider excluding these environments or specific IP ranges from the rule to reduce noise.
-- Regularly review and update the exception list to ensure it reflects current network and administrative practices, minimizing the risk of overlooking genuine threats.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further malicious DNS record creation and potential spoofing attacks.
-- Review and remove any unauthorized DNS records created by non-system accounts, focusing on those targeting services like WPAD.
-- Reset credentials for any accounts that were potentially compromised or used in the attack to prevent further unauthorized access.
-- Implement stricter access controls on DNS record creation within Active Directory to limit permissions to only necessary and trusted accounts.
-- Monitor for any further suspicious DNS record creation events, particularly those involving non-system accounts, to detect and respond to potential follow-up attacks.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or services were affected.
-- Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent similar incidents in the future."""
 [[rule.threat]]
diff --git a/rules/windows/credential_access_dollar_account_relay.toml b/rules/windows/credential_access_dollar_account_relay.toml
index 6e808140f..6a835e245 100644
--- a/rules/windows/credential_access_dollar_account_relay.toml
+++ b/rules/windows/credential_access_dollar_account_relay.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/07/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -18,39 +16,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Relay Attack against a Domain Controller"
-references = [
- "https://github.com/p0dalirius/windows-coerced-authentication-methods",
- "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
- "https://attack.mitre.org/techniques/T1187/",
-]
-risk_score = 21
-rule_id = "263481c8-1e9b-492e-912d-d1760707f810"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
- "Data Source: Active Directory",
- "Use Case: Active Directory Monitoring",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and
- winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and
-
- /* Filter for a machine account that matches the hostname */
- startswith~(host.name, substring(user.name, 0, -1)) and
-
- /* Verify if the Source IP belongs to the host */
- not endswith(string(source.ip), string(host.ip)) and
- source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -86,6 +51,39 @@ Domain Controllers (DCs) are critical in managing authentication within Windows
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
 - Deploy additional monitoring and detection mechanisms to identify similar relay attack patterns in the future, enhancing the detection capabilities for NTLM relay attacks.
 - Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence, ensuring lessons learned are applied to improve overall security posture."""
+references = [
+ "https://github.com/p0dalirius/windows-coerced-authentication-methods",
+ "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
+ "https://attack.mitre.org/techniques/T1187/",
+]
+risk_score = 21
+rule_id = "263481c8-1e9b-492e-912d-d1760707f810"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Data Source: Active Directory",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and
+ winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and
+
+ /* Filter for a machine account that matches the hostname */
+ startswith~(host.name, substring(user.name, 0, -1)) and
+
+ /* Verify if the Source IP belongs to the host */
+ not endswith(string(source.ip), string(host.ip)) and
+ source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"
+'''
 [[rule.threat]]
@@ -105,6 +103,7 @@ name = "LLMNR/NBT-NS Poisoning and SMB Relay"
 reference = "https://attack.mitre.org/techniques/T1557/001/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 58d2a58bd..25f74db62 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,15 @@ Identifies the creation or modification of Domain Backup private keys. Adversari
 (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+ "logs-crowdstrike.fdr*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation or Modification of Domain Backup DPAPI private key"
@@ -28,7 +34,19 @@ references = [
 risk_score = 73
 rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index f1ccc8b6b..18de8dbd6 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml
index 6b1d013fb..01dd1f390 100644
--- a/rules/windows/credential_access_generic_localdumps.toml
+++ b/rules/windows/credential_access_generic_localdumps.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/28"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -16,41 +14,16 @@ the credentials present on the system without having to bring malware to the sys
 default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Full User-Mode Dumps Enabled System-Wide"
-references = [
- "https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
-]
-risk_score = 47
-rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and
- registry.path : (
- "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType",
- "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType"
- ) and
- registry.data.strings : ("2", "0x00000002") and
- not (process.executable : "?:\\Windows\\system32\\svchost.exe" and user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20"))
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -85,6 +58,37 @@ Full user-mode dumps are a diagnostic feature in Windows that captures detailed
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and alerting for similar registry changes across the network to detect and respond to future attempts promptly.
 - Review and update endpoint protection configurations to ensure they are capable of detecting and blocking similar credential dumping techniques."""
+references = [
+ "https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+]
+risk_score = 47
+rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and
+ registry.path : (
+ "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType",
+ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType"
+ ) and
+ registry.data.strings : ("2", "0x00000002") and
+ not (process.executable : "?:\\Windows\\system32\\svchost.exe" and user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20"))
+'''
 [[rule.threat]]
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 3982f2e52..ad8287b96 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -29,35 +27,6 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Microsoft IIS Connection Strings Decryption"
-references = [
- "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
-]
-risk_score = 73
-rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
- process.args : "connectionStrings" and process.args : "-pdf"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -93,6 +62,35 @@ Microsoft IIS often stores sensitive connection strings in encrypted form to sec
 - Restore the IIS server from a known good backup taken before the compromise, ensuring that any webshells or malicious scripts are removed.
 - Implement enhanced monitoring and alerting for any future unauthorized use of aspnet_regiis.exe, focusing on the specific arguments used in the detection query.
 - Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the broader impact on the organization."""
+references = [
+ "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
+]
+risk_score = 73
+rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
+ process.args : "connectionStrings" and process.args : "-pdf"
+'''
 [[rule.threat]]
diff --git a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
index 4238e5828..cba252630 100644
--- a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
+++ b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/14"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
@@ -17,43 +15,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_
 language = "eql"
 license = "Elastic License v2"
 name = "Untrusted DLL Loaded by Azure AD Sync Service"
-references = [
-"https://blog.xpnsec.com/azuread-connect-for-redteam/",
-"https://medium.com/@breakingmhet/detect-azure-pass-through-authentication-abuse-azure-hybrid-environments-ed4274784252",
-"https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-pass-through-authentication"
-]
-risk_score = 73
-rule_id = "f909075d-afc7-42d7-b399-600b94352fd9"
-severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-any where host.os.type == "windows" and process.name : "AzureADConnectAuthenticationAgentService.exe" and
-(
- (event.category == "library" and event.action == "load") or
- (event.category == "process" and event.action : "Image loaded*")
-) and
-
-not (?dll.code_signature.trusted == true or file.code_signature.status == "Valid") and not
-
- (
- /* Elastic defend DLL path */
- ?dll.path :
- ("?:\\Windows\\assembly\\NativeImages*",
- "?:\\Windows\\Microsoft.NET\\*",
- "?:\\Windows\\WinSxS\\*",
- "?:\\Windows\\System32\\DriverStore\\FileRepository\\*") or
-
- /* Sysmon DLL path is mapped to file.path */
- file.path :
- ("?:\\Windows\\assembly\\NativeImages*",
- "?:\\Windows\\Microsoft.NET\\*",
- "?:\\Windows\\WinSxS\\*",
- "?:\\Windows\\System32\\DriverStore\\FileRepository\\*")
- )
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -89,6 +50,51 @@ Azure AD Sync Service facilitates identity synchronization between on-premises d
 - Change all credentials that may have been exposed or compromised, focusing on those related to Azure AD and on-premises directory services.
 - Implement application whitelisting to prevent unauthorized DLLs from being loaded by critical processes like Azure AD Sync.
 - Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected."""
+references = [
+ "https://blog.xpnsec.com/azuread-connect-for-redteam/",
+ "https://medium.com/@breakingmhet/detect-azure-pass-through-authentication-abuse-azure-hybrid-environments-ed4274784252",
+ "https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-pass-through-authentication",
+]
+risk_score = 73
+rule_id = "f909075d-afc7-42d7-b399-600b94352fd9"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and process.name : "AzureADConnectAuthenticationAgentService.exe" and
+(
+ (event.category == "library" and event.action == "load") or
+ (event.category == "process" and event.action : "Image loaded*")
+) and
+
+not (?dll.code_signature.trusted == true or file.code_signature.status == "Valid") and not
+
+ (
+ /* Elastic defend DLL path */
+ ?dll.path :
+ ("?:\\Windows\\assembly\\NativeImages*",
+ "?:\\Windows\\Microsoft.NET\\*",
+ "?:\\Windows\\WinSxS\\*",
+ "?:\\Windows\\System32\\DriverStore\\FileRepository\\*") or
+
+ /* Sysmon DLL path is mapped to file.path */
+ file.path :
+ ("?:\\Windows\\assembly\\NativeImages*",
+ "?:\\Windows\\Microsoft.NET\\*",
+ "?:\\Windows\\WinSxS\\*",
+ "?:\\Windows\\System32\\DriverStore\\FileRepository\\*")
+ )
+'''
 [[rule.threat]]
@@ -103,3 +109,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml
index f1587fef4..8f5e1c47d 100644
--- a/rules/windows/credential_access_kirbi_file.toml
+++ b/rules/windows/credential_access_kirbi_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -14,20 +12,18 @@ Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as P
 attacker to impersonate users using Kerberos tickets.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "winlogbeat-*", "endgame-*", "logs-crowdstrike.fdr*"]
+index = [
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+ "winlogbeat-*",
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Kirbi File Creation"
-risk_score = 73
-rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
-severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -63,6 +59,28 @@ Kirbi files are associated with Kerberos, a network authentication protocol used
 - Revoke all active Kerberos tickets and force re-authentication for all users to ensure that any stolen tickets are rendered useless.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
 - Implement enhanced monitoring and logging for Kerberos-related activities to detect and respond to similar threats more effectively in the future."""
+risk_score = 73
+rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Elastic Endgame",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
+'''
 [[rule.threat]]
@@ -78,7 +96,6 @@ name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml
index 5dda53662..61067e5b6 100644
--- a/rules/windows/credential_access_ldap_attributes.toml
+++ b/rules/windows/credential_access_ldap_attributes.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access to a Sensitive LDAP Attribute"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Access to a Sensitive LDAP Attribute
+
+LDAP (Lightweight Directory Access Protocol) is crucial for accessing and managing directory information in Active Directory environments. Adversaries may exploit LDAP to access sensitive attributes like passwords and decryption keys, facilitating credential theft or privilege escalation. The detection rule identifies unauthorized access attempts by monitoring specific event codes and attribute identifiers, excluding benign activities to reduce noise, thus highlighting potential security threats.
+
+### Possible investigation steps
+
+- Review the event logs for event code 4662 to identify the specific user or process attempting to access the sensitive LDAP attributes.
+- Check the winlog.event_data.SubjectUserSid to determine the identity of the user or service account involved in the access attempt, excluding the well-known SID S-1-5-18 (Local System).
+- Analyze the winlog.event_data.Properties field to confirm which sensitive attribute was accessed, such as unixUserPassword, ms-PKI-AccountCredentials, or msPKI-CredentialRoamingTokens.
+- Investigate the context of the access attempt by correlating the event with other logs or alerts around the same timestamp to identify any suspicious patterns or activities.
+- Verify the legitimacy of the access by checking if the user or process has a valid reason or permission to access the sensitive attributes, considering the organization's access control policies.
+- Assess the potential impact of the access attempt on the organization's security posture, focusing on credential theft or privilege escalation risks.
+- Document findings and, if necessary, escalate the incident to the appropriate security team for further action or remediation.
+
+### False positive analysis
+
+- Access by legitimate administrative accounts: Regular access by system administrators to sensitive LDAP attributes can trigger alerts. To manage this, create exceptions for known administrative accounts by excluding their SIDs from the detection rule.
+- Scheduled system processes: Automated tasks or system processes that require access to certain LDAP attributes may cause false positives. Identify these processes and exclude their specific event codes or AccessMasks if they are consistently benign.
+- Service accounts: Service accounts that perform routine directory operations might access sensitive attributes as part of their normal function. Exclude these accounts by adding their SIDs to the exception list to prevent unnecessary alerts.
+- Monitoring tools: Security or monitoring tools that scan directory attributes for compliance or auditing purposes can generate false positives. Whitelist these tools by excluding their event sources or specific actions from the detection criteria.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Conduct a thorough review of the access logs to identify any unauthorized users or systems that accessed the sensitive LDAP attributes.
+- Reset passwords and revoke any potentially compromised credentials associated with the affected accounts, focusing on those with access to sensitive attributes.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
+- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activities or attempts to access sensitive LDAP attributes.
+- Review and update access controls and permissions for sensitive LDAP attributes to ensure they are restricted to only necessary personnel.
+- Conduct a post-incident analysis to identify any gaps in security controls and update policies or procedures to prevent similar incidents in the future."""
 references = [
 "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
 "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
@@ -81,41 +114,6 @@ any where event.code == "4662" and
 */
 not winlog.event_data.AccessMask in ("0x0", "0x100")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Access to a Sensitive LDAP Attribute
-
-LDAP (Lightweight Directory Access Protocol) is crucial for accessing and managing directory information in Active Directory environments. Adversaries may exploit LDAP to access sensitive attributes like passwords and decryption keys, facilitating credential theft or privilege escalation. The detection rule identifies unauthorized access attempts by monitoring specific event codes and attribute identifiers, excluding benign activities to reduce noise, thus highlighting potential security threats.
-
-### Possible investigation steps
-
-- Review the event logs for event code 4662 to identify the specific user or process attempting to access the sensitive LDAP attributes.
-- Check the winlog.event_data.SubjectUserSid to determine the identity of the user or service account involved in the access attempt, excluding the well-known SID S-1-5-18 (Local System).
-- Analyze the winlog.event_data.Properties field to confirm which sensitive attribute was accessed, such as unixUserPassword, ms-PKI-AccountCredentials, or msPKI-CredentialRoamingTokens.
-- Investigate the context of the access attempt by correlating the event with other logs or alerts around the same timestamp to identify any suspicious patterns or activities.
-- Verify the legitimacy of the access by checking if the user or process has a valid reason or permission to access the sensitive attributes, considering the organization's access control policies.
-- Assess the potential impact of the access attempt on the organization's security posture, focusing on credential theft or privilege escalation risks.
-- Document findings and, if necessary, escalate the incident to the appropriate security team for further action or remediation.
-
-### False positive analysis
-
-- Access by legitimate administrative accounts: Regular access by system administrators to sensitive LDAP attributes can trigger alerts. To manage this, create exceptions for known administrative accounts by excluding their SIDs from the detection rule.
-- Scheduled system processes: Automated tasks or system processes that require access to certain LDAP attributes may cause false positives. Identify these processes and exclude their specific event codes or AccessMasks if they are consistently benign.
-- Service accounts: Service accounts that perform routine directory operations might access sensitive attributes as part of their normal function. Exclude these accounts by adding their SIDs to the exception list to prevent unnecessary alerts.
-- Monitoring tools: Security or monitoring tools that scan directory attributes for compliance or auditing purposes can generate false positives. Whitelist these tools by excluding their event sources or specific actions from the detection criteria.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
-- Conduct a thorough review of the access logs to identify any unauthorized users or systems that accessed the sensitive LDAP attributes.
-- Reset passwords and revoke any potentially compromised credentials associated with the affected accounts, focusing on those with access to sensitive attributes.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
-- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activities or attempts to access sensitive LDAP attributes.
-- Review and update access controls and permissions for sensitive LDAP attributes to ensure they are restricted to only necessary personnel.
-- Conduct a post-incident analysis to identify any gaps in security controls and update policies or procedures to prevent similar incidents in the future."""
 [[rule.threat]]
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index c3881e957..3ec2f3d65 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/06/29"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -18,39 +16,6 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious LSASS Access via MalSecLogon"
-references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"]
-risk_score = 73
-rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.code == "10" and
- winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
-
- /* seclogon service accessing lsass */
- winlog.event_data.CallTrace : "*seclogon.dll*" and process.name : "svchost.exe" and
-
- /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */
- winlog.event_data.GrantedAccess == "0x14c0"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -85,6 +50,39 @@ The Local Security Authority Subsystem Service (LSASS) is crucial for managing s
 - Collect and preserve relevant logs and forensic data from the affected system for further analysis and potential legal action.
 - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the full scope of the breach.
 - Implement additional monitoring and alerting for similar suspicious activities involving LSASS and seclogon.dll to enhance detection capabilities."""
+references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"]
+risk_score = 73
+rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7"
+setup = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.code == "10" and
+ winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
+
+ /* seclogon service accessing lsass */
+ winlog.event_data.CallTrace : "*seclogon.dll*" and process.name : "svchost.exe" and
+
+ /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */
+ winlog.event_data.GrantedAccess == "0x14c0"
+'''
 [[rule.threat]]
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index 31610e3dd..2dd0821b6 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -40,7 +38,14 @@ indicate a credential access attempt via trusted system utilities such as Task M
 (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Memory Dump Creation"
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index 4a1f3af0b..eb631b3b3 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index addbde90c..f85adb5f6 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -2,15 +2,20 @@
 creation_date = "2020/08/31"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = "Identifies the password log file from the default Mimikatz memssp module."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Mimikatz Memssp Log File Detected"
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index ef51cb564..1ae501525 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/17"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 7dd04a08f..00f419dbb 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -15,7 +13,13 @@ an endpoint. Once the UseLogonCredential value is modified, the adversary may at
 memory.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Modification of WDigest Security Provider"
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index 6ffc0fe8f..3f82b5ebb 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/18"
 integration = ["endpoint", "m365_defender", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -41,7 +39,13 @@ during user logon.
 """
 false_positives = ["Authorized third party network logon providers."]
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "endgame-*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Logon Provider Registry Modification"
diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
index 4f7d07531..5ed3b282e 100644
--- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml
+++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/28"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
index 49ae8aa5e..e8db8ccd2 100644
--- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml
+++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/07/26"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index 9a743631e..5be837e35 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/05"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/28"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml
index 84466912e..6909bc97c 100644
--- a/rules/windows/credential_access_posh_relay_tools.toml
+++ b/rules/windows/credential_access_posh_relay_tools.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/10"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,41 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "Potential PowerShell Pass-the-Hash/Relay Script" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential PowerShell Pass-the-Hash/Relay Script + +PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell to perform pass-the-hash attacks, where they use stolen hashed credentials to authenticate without knowing the actual password. The detection rule identifies scripts attempting to execute such attacks by monitoring for specific NTLM negotiation patterns and hex sequences indicative of credential relay activities, while excluding legitimate system processes. + +### Possible investigation steps + +- Review the PowerShell script block text associated with the alert to identify any suspicious patterns or hex sequences, such as "NTLMSSPNegotiate" or specific hex values like "4E544C4D53535000". +- Check the process execution details, including the parent process and command line arguments, to determine if the script was executed by a legitimate user or process. +- Investigate the source and destination IP addresses involved in the NTLM negotiation to identify any unusual or unauthorized network activity. +- Examine the user account associated with the process to verify if it has been compromised or if there are any signs of unauthorized access. 
+- Correlate the alert with other security events or logs, such as Windows Event Logs or network traffic logs, to gather additional context and identify potential lateral movement or further compromise. +- Assess the file directory from which the script was executed, ensuring it is not a known safe location like "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads", which is excluded in the query. + +### False positive analysis + +- Legitimate system processes may occasionally trigger the rule if they perform operations that mimic NTLM negotiation patterns. To manage this, users can create exceptions for specific processes known to be safe by excluding their file paths or hashes. +- Security tools or network monitoring solutions that perform NTLM authentication checks might generate false positives. Users should identify these tools and exclude their associated scripts or directories from the detection rule. +- Automated scripts for system administration that involve NTLM authentication could be flagged. Review these scripts and, if verified as safe, add them to an exclusion list based on their directory or script block text. +- PowerShell scripts used for legitimate penetration testing or security assessments may trigger alerts. Ensure these activities are documented and exclude the relevant scripts or directories during the testing period. +- Regular updates or patches from Microsoft might include scripts that temporarily match the detection criteria. Monitor updates and adjust exclusions as necessary to prevent false positives from these legitimate updates. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further credential relay or unauthorized access. +- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activities. 
+- Conduct a thorough review of recent authentication logs and network traffic from the isolated system to identify any lateral movement or additional compromised accounts. +- Reset passwords for any accounts suspected to be compromised, ensuring that new credentials are not reused or easily guessable. +- Apply patches and updates to the affected system and any other vulnerable systems to mitigate known exploits used in pass-the-hash attacks. +- Implement network segmentation to limit the spread of similar attacks in the future, focusing on restricting access to critical systems and sensitive data. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = [ "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1", "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1", 
@@ -68,41 +101,6 @@ event.category:process and host.os.type:windows and ) and not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential PowerShell Pass-the-Hash/Relay Script - -PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell to perform pass-the-hash attacks, where they use stolen hashed credentials to authenticate without knowing the actual password. The detection rule identifies scripts attempting to execute such attacks by monitoring for specific NTLM negotiation patterns and hex sequences indicative of credential relay activities, while excluding legitimate system processes. - -### Possible investigation steps - -- Review the PowerShell script block text associated with the alert to identify any suspicious patterns or hex sequences, such as "NTLMSSPNegotiate" or specific hex values like "4E544C4D53535000". -- Check the process execution details, including the parent process and command line arguments, to determine if the script was executed by a legitimate user or process. -- Investigate the source and destination IP addresses involved in the NTLM negotiation to identify any unusual or unauthorized network activity. -- Examine the user account associated with the process to verify if it has been compromised or if there are any signs of unauthorized access. 
-- Correlate the alert with other security events or logs, such as Windows Event Logs or network traffic logs, to gather additional context and identify potential lateral movement or further compromise. -- Assess the file directory from which the script was executed, ensuring it is not a known safe location like "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads", which is excluded in the query. - -### False positive analysis - -- Legitimate system processes may occasionally trigger the rule if they perform operations that mimic NTLM negotiation patterns. To manage this, users can create exceptions for specific processes known to be safe by excluding their file paths or hashes. -- Security tools or network monitoring solutions that perform NTLM authentication checks might generate false positives. Users should identify these tools and exclude their associated scripts or directories from the detection rule. -- Automated scripts for system administration that involve NTLM authentication could be flagged. Review these scripts and, if verified as safe, add them to an exclusion list based on their directory or script block text. -- PowerShell scripts used for legitimate penetration testing or security assessments may trigger alerts. Ensure these activities are documented and exclude the relevant scripts or directories during the testing period. -- Regular updates or patches from Microsoft might include scripts that temporarily match the detection criteria. Monitor updates and adjust exclusions as necessary to prevent false positives from these legitimate updates. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further credential relay or unauthorized access. -- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activities. 
-- Conduct a thorough review of recent authentication logs and network traffic from the isolated system to identify any lateral movement or additional compromised accounts.
-- Reset passwords for any accounts suspected to be compromised, ensuring that new credentials are not reused or easily guessable.
-- Apply patches and updates to the affected system and any other vulnerable systems to mitigate known exploits used in pass-the-hash attacks.
-- Implement network segmentation to limit the spread of similar attacks in the future, focusing on restricting access to critical systems and sensitive data.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index f2e118fe2..fefc704e0 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/28"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml
index d5fe9c974..4135f1a25 100644
--- a/rules/windows/credential_access_posh_veeam_sql.toml
+++ b/rules/windows/credential_access_posh_veeam_sql.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,40 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Veeam Credential Access Capabilities" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating PowerShell Script with Veeam Credential Access Capabilities + +PowerShell, a powerful scripting language in Windows environments, can be exploited by attackers to access and decrypt sensitive credentials, such as those stored by Veeam in MSSQL databases. Adversaries may leverage this to compromise backup data, facilitating ransomware attacks. The detection rule identifies suspicious script activity by monitoring specific database interactions and decryption attempts, flagging potential credential access threats. + +### Possible investigation steps + +- Review the PowerShell script block text associated with the alert to identify any references to "[dbo].[Credentials]" and "Veeam" or "VeeamBackup" to confirm potential credential access attempts. +- Check the event logs for the specific host where the alert was triggered to gather additional context about the process execution, including the user account involved and the script's origin. +- Investigate any recent changes or access to the MSSQL database containing Veeam credentials to determine if there were unauthorized access attempts or modifications. +- Analyze the use of "ProtectedStorage]::GetLocalString" within the script to understand if it was used to decrypt or access sensitive information. 
+- Correlate the alert with other security events or logs from the same host or network segment to identify any related suspicious activities or patterns that could indicate a broader attack. + +### False positive analysis + +- Routine administrative scripts that query MSSQL databases for maintenance purposes may trigger the rule. To manage this, identify and whitelist specific scripts or processes that are known to be safe and regularly executed by trusted administrators. +- Scheduled tasks or automated backup verification processes that access Veeam credentials for legitimate reasons can be mistaken for malicious activity. Exclude these tasks by specifying their unique identifiers or execution paths in the monitoring system. +- Security audits or compliance checks that involve accessing credential information for validation purposes might be flagged. Coordinate with the audit team to document these activities and create exceptions for their scripts. +- Development or testing environments where PowerShell scripts are used to simulate credential access for testing purposes can generate false positives. Implement environment-specific exclusions to prevent these from being flagged in production monitoring. +- Third-party monitoring tools that interact with Veeam credentials for health checks or performance monitoring may inadvertently trigger alerts. Work with the tool vendors to understand their access patterns and exclude them if they are verified as non-threatening. + +### Response and remediation + +- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing credential access attempts. +- Change all Veeam-related credentials and any other potentially compromised credentials stored in the MSSQL database to prevent further unauthorized access. 
+- Conduct a thorough review of backup integrity and ensure that no unauthorized modifications or deletions have occurred. +- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring for PowerShell activity and MSSQL database access to detect similar threats in the future. +- Review and update access controls and permissions for Veeam and MSSQL databases to ensure they follow the principle of least privilege.""" references = [ "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/", 
@@ -63,40 +95,6 @@ event.category:process and host.os.type:windows and "ProtectedStorage]::GetLocalString" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating PowerShell Script with Veeam Credential Access Capabilities - -PowerShell, a powerful scripting language in Windows environments, can be exploited by attackers to access and decrypt sensitive credentials, such as those stored by Veeam in MSSQL databases. Adversaries may leverage this to compromise backup data, facilitating ransomware attacks. The detection rule identifies suspicious script activity by monitoring specific database interactions and decryption attempts, flagging potential credential access threats. - -### Possible investigation steps - -- Review the PowerShell script block text associated with the alert to identify any references to "[dbo].[Credentials]" and "Veeam" or "VeeamBackup" to confirm potential credential access attempts. -- Check the event logs for the specific host where the alert was triggered to gather additional context about the process execution, including the user account involved and the script's origin. -- Investigate any recent changes or access to the MSSQL database containing Veeam credentials to determine if there were unauthorized access attempts or modifications. -- Analyze the use of "ProtectedStorage]::GetLocalString" within the script to understand if it was used to decrypt or access sensitive information. -- Correlate the alert with other security events or logs from the same host or network segment to identify any related suspicious activities or patterns that could indicate a broader attack. 
- -### False positive analysis - -- Routine administrative scripts that query MSSQL databases for maintenance purposes may trigger the rule. To manage this, identify and whitelist specific scripts or processes that are known to be safe and regularly executed by trusted administrators. -- Scheduled tasks or automated backup verification processes that access Veeam credentials for legitimate reasons can be mistaken for malicious activity. Exclude these tasks by specifying their unique identifiers or execution paths in the monitoring system. -- Security audits or compliance checks that involve accessing credential information for validation purposes might be flagged. Coordinate with the audit team to document these activities and create exceptions for their scripts. -- Development or testing environments where PowerShell scripts are used to simulate credential access for testing purposes can generate false positives. Implement environment-specific exclusions to prevent these from being flagged in production monitoring. -- Third-party monitoring tools that interact with Veeam credentials for health checks or performance monitoring may inadvertently trigger alerts. Work with the tool vendors to understand their access patterns and exclude them if they are verified as non-threatening. - -### Response and remediation - -- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing credential access attempts. -- Change all Veeam-related credentials and any other potentially compromised credentials stored in the MSSQL database to prevent further unauthorized access. -- Conduct a thorough review of backup integrity and ensure that no unauthorized modifications or deletions have occurred. -- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected. 
-- Implement enhanced monitoring for PowerShell activity and MSSQL database access to detect similar threats in the future.
-- Review and update access controls and permissions for Veeam and MSSQL databases to ensure they follow the principle of least privilege."""
 [[rule.threat]]
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index e3a407c17..be2132762 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/09/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,38 +15,6 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via DuplicateHandle in LSASS"
-references = ["https://github.com/CCob/MirrorDump"]
-risk_score = 47
-rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.code == "10" and
-
- /* LSASS requesting DuplicateHandle access right to another process */
- process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
-
- /* call is coming from an unknown executable region */
- winlog.event_data.CallTrace : "*UNKNOWN*"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -83,6 +49,38 @@ The Local Security Authority Subsystem Service (LSASS) is crucial for enforcing
 - Review and update endpoint protection configurations to ensure they are capable of detecting and blocking similar unauthorized access attempts in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for LSASS and related processes to detect any future attempts to exploit the DuplicateHandle function."""
+references = ["https://github.com/CCob/MirrorDump"]
+risk_score = 47
+rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
+setup = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.code == "10" and
+
+ /* LSASS requesting DuplicateHandle access right to another process */
+ process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
+
+ /* call is coming from an unknown executable region */
+ winlog.event_data.CallTrace : "*UNKNOWN*"
+'''
 [[rule.threat]]
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 990d0407c..bb46707c1 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/04/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,6 +25,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Potential Local NTLM Relay via HTTP" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Local NTLM Relay via HTTP + +NTLM, a suite of Microsoft security protocols, is often targeted by adversaries for credential theft. Attackers may exploit the Windows Printer Spooler service to coerce NTLM authentication over HTTP, potentially elevating privileges. The detection rule identifies suspicious rundll32.exe executions invoking WebDAV client DLLs with specific arguments, signaling attempts to access named pipes via HTTP, indicative of NTLM relay attacks. + +### Possible investigation steps + +- Review the process execution details for rundll32.exe, focusing on the specific arguments related to davclnt.dll and DavSetCookie, to confirm the presence of suspicious WebDAV client activity. +- Investigate the network connections initiated by the rundll32.exe process to identify any HTTP requests targeting named pipes, such as those containing "/print/pipe/", "/pipe/spoolss", or "/pipe/srvsvc". +- Check the system's event logs for any related authentication attempts or failures around the time of the alert to identify potential NTLM relay activity. +- Analyze the history of the Windows Printer Spooler service on the affected host to determine if it has been recently manipulated or exploited. +- Correlate the alert with other security events or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns. 
+- Assess the user account associated with the NTLM authentication attempt to determine if it has been compromised or is being used in an unauthorized manner. + +### False positive analysis + +- Legitimate administrative tasks using rundll32.exe with WebDAV client DLLs may trigger the rule. Review the context of the execution, such as the user account and the timing, to determine if it aligns with expected administrative activities. +- Automated software deployment or update processes might use similar rundll32.exe calls. Verify if the process is part of a scheduled or known deployment task and consider excluding these specific processes from the rule. +- Some third-party applications may use WebDAV for legitimate purposes, which could mimic the behavior detected by the rule. Identify these applications and create exceptions for their known processes to prevent false alerts. +- System maintenance scripts or tools that interact with network resources via HTTP might inadvertently match the rule's criteria. Ensure these scripts are documented and exclude them if they are verified as non-threatening. +- Regularly review and update the exclusion list to accommodate changes in legitimate software behavior, ensuring that only verified false positives are excluded to maintain the rule's effectiveness. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. +- Terminate any suspicious rundll32.exe processes identified in the alert to stop ongoing malicious activity. +- Conduct a thorough review of the affected system's event logs and network traffic to identify any additional indicators of compromise or related malicious activity. +- Reset credentials for any accounts that may have been exposed or compromised during the attack to prevent unauthorized access. 
+- Apply the latest security patches and updates to the Windows Printer Spooler service and related components to mitigate known vulnerabilities. +- Implement network segmentation to limit the exposure of critical services and reduce the risk of similar attacks in the future. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" references = [ "https://github.com/med0x2e/NTLMRelay2Self", "https://github.com/topotam/PetitPotam", 
@@ -63,41 +96,6 @@ process where host.os.type == "windows" and event.type == "start" and
 /* Access to named pipe via http */
 process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential Local NTLM Relay via HTTP
-
-NTLM, a suite of Microsoft security protocols, is often targeted by adversaries for credential theft. Attackers may exploit the Windows Printer Spooler service to coerce NTLM authentication over HTTP, potentially elevating privileges. The detection rule identifies suspicious rundll32.exe executions invoking WebDAV client DLLs with specific arguments, signaling attempts to access named pipes via HTTP, indicative of NTLM relay attacks.
-
-### Possible investigation steps
-
-- Review the process execution details for rundll32.exe, focusing on the specific arguments related to davclnt.dll and DavSetCookie, to confirm the presence of suspicious WebDAV client activity.
-- Investigate the network connections initiated by the rundll32.exe process to identify any HTTP requests targeting named pipes, such as those containing "/print/pipe/", "/pipe/spoolss", or "/pipe/srvsvc".
-- Check the system's event logs for any related authentication attempts or failures around the time of the alert to identify potential NTLM relay activity.
-- Analyze the history of the Windows Printer Spooler service on the affected host to determine if it has been recently manipulated or exploited.
-- Correlate the alert with other security events or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
-- Assess the user account associated with the NTLM authentication attempt to determine if it has been compromised or is being used in an unauthorized manner.
-
-### False positive analysis
-
-- Legitimate administrative tasks using rundll32.exe with WebDAV client DLLs may trigger the rule. Review the context of the execution, such as the user account and the timing, to determine if it aligns with expected administrative activities.
-- Automated software deployment or update processes might use similar rundll32.exe calls. Verify if the process is part of a scheduled or known deployment task and consider excluding these specific processes from the rule.
-- Some third-party applications may use WebDAV for legitimate purposes, which could mimic the behavior detected by the rule. Identify these applications and create exceptions for their known processes to prevent false alerts.
-- System maintenance scripts or tools that interact with network resources via HTTP might inadvertently match the rule's criteria. Ensure these scripts are documented and exclude them if they are verified as non-threatening.
-- Regularly review and update the exclusion list to accommodate changes in legitimate software behavior, ensuring that only verified false positives are excluded to maintain the rule's effectiveness.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
-- Terminate any suspicious rundll32.exe processes identified in the alert to stop ongoing malicious activity.
-- Conduct a thorough review of the affected system's event logs and network traffic to identify any additional indicators of compromise or related malicious activity.
-- Reset credentials for any accounts that may have been exposed or compromised during the attack to prevent unauthorized access.
-- Apply the latest security patches and updates to the Windows Printer Spooler service and related components to mitigate known vulnerabilities.
-- Implement network segmentation to limit the exposure of critical services and reduce the risk of similar attacks in the future.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index 9e5891452..47689c749 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
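Review bot: Removing `min_stack_version = "8.14.0"` together with `min_stack_comments` from `[metadata]` drops this rule's declared compatibility floor, and nothing in the hunk records why that floor is no longer needed. Presumably 8.14.0 is now at or below the oldest stack version the repository still supports, but the rule file cannot show that on its own; the same removal appears in the metadata hunks for credential_access_saved_creds_vaultcmd, credential_access_seenabledelegationprivilege_assigned_to_user, credential_access_shadow_credentials, credential_access_spn_attribute_modified, credential_access_suspicious_comsvcs_imageload, credential_access_suspicious_lsass_access_generic, credential_access_suspicious_lsass_access_memdump and credential_access_suspicious_lsass_access_via_snapshot. The removed text (`Breaking change at 8.14.0 for the Windows Integration`) was the only in-file record that these rules depend on the post-8.14 Windows integration field mapping, so the commit description should state that 8.14 is the new minimum stack; otherwise a later backport of these rules to an older branch would no longer be rejected by the version gate that this key used to provide.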
@@ -18,38 +16,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Vault Web Credentials Read"
-references = [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",
- "https://www.elastic.co/security-labs/detect-credential-access",
-]
-risk_score = 47
-rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
-
- /* 2 consecutive vault reads from same pid for web creds */
-
- [any where event.code : "5382" and
- (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
- not winlog.event_data.SubjectLogonId : "0x3e7" and
- not winlog.event_data.Resource : "http://localhost/"]
-
- [any where event.code : "5382" and
- (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
- not winlog.event_data.SubjectLogonId : "0x3e7" and
- not winlog.event_data.Resource : "http://localhost/"]
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -85,6 +51,38 @@ Windows Credential Manager stores credentials for web logins, apps, and networks
 - Implement network segmentation to limit access to critical systems and data, reducing the risk of lateral movement.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
 - Enhance monitoring and logging on the affected system and similar endpoints to detect any future attempts at credential dumping or unauthorized access."""
+references = [
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",
+ "https://www.elastic.co/security-labs/detect-credential-access",
+]
+risk_score = 47
+rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
+
+ /* 2 consecutive vault reads from same pid for web creds */
+
+ [any where event.code : "5382" and
+ (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
+ not winlog.event_data.SubjectLogonId : "0x3e7" and
+ not winlog.event_data.Resource : "http://localhost/"]
+
+ [any where event.code : "5382" and
+ (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
+ not winlog.event_data.SubjectLogonId : "0x3e7" and
+ not winlog.event_data.Resource : "http://localhost/"]
+'''
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index ae5484897..bcb205d1e 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -28,36 +26,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Searching for Saved Credentials via VaultCmd"
-references = [
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
- "https://www.elastic.co/security-labs/detect-credential-access",
-]
-risk_score = 47
-rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- (?process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and
- process.args:"/list*"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -92,6 +60,36 @@ Windows Credential Manager stores credentials for websites, applications, and ne
 - Implement enhanced monitoring on the affected system and similar endpoints for any further attempts to use VaultCmd.exe or other credential dumping tools.
 - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the scope of the breach.
 - Review and update endpoint protection configurations to ensure that similar threats are detected and blocked in the future, leveraging threat intelligence and MITRE ATT&CK framework insights."""
+references = [
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+ "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
+ "https://www.elastic.co/security-labs/detect-credential-access",
+]
+risk_score = 47
+rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ (?process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and
+ process.args:"/list*"
+'''
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 61855c5b2..45b36774c 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index dfb617abe..74c193f95 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index 6af1a73f9..a06b4dba8 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index b96e8bf26..a1e9768b4 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index a92818305..04c1ee583 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/22"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +12,41 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Lsass Process Access"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Lsass Process Access
+
+The Local Security Authority Subsystem Service (LSASS) is crucial for enforcing security policies and managing user logins in Windows environments. Adversaries often target LSASS to extract credentials, enabling unauthorized access. The detection rule identifies unusual access attempts to LSASS by filtering out legitimate processes and access patterns, focusing on anomalies that suggest credential dumping activities.
+
+### Possible investigation steps
+
+- Review the process details that triggered the alert, focusing on the process name and executable path to determine if it is a known legitimate application or potentially malicious.
+- Examine the GrantedAccess value in the event data to understand the level of access attempted on the LSASS process and compare it against typical access patterns.
+- Investigate the parent process of the suspicious process to identify how it was spawned and assess if it is part of a legitimate workflow or an anomaly.
+- Check the CallTrace field for any unusual or suspicious DLLs that might indicate malicious activity or exploitation attempts.
+- Correlate the alert with other security events or logs from the same host to identify any related suspicious activities or patterns, such as network connections or file modifications.
+- Verify the host's security posture, including the status of antivirus or endpoint protection solutions, to ensure they are functioning correctly and have not been tampered with.
+
+### False positive analysis
+
+- Legitimate security tools like Sysinternals Process Explorer and Process Monitor can trigger false positives. Exclude these by adding their process names to the exception list.
+- Windows Defender and other antivirus software may access LSASS for legitimate scanning purposes. Exclude their executable paths from the detection rule to prevent false alerts.
+- System processes such as csrss.exe, lsm.exe, and wmiprvse.exe are known to access LSASS as part of normal operations. Ensure these are included in the process executable exceptions to avoid unnecessary alerts.
+- Software updates and installers, like those from Cisco AnyConnect or Oracle, may access LSASS during legitimate operations. Add these specific paths to the exclusion list to reduce false positives.
+- Custom enterprise applications that interact with LSASS for authentication purposes should be identified and their paths added to the exceptions to prevent disruption in monitoring.
+
+### Response and remediation
+
+- Isolate the affected system from the network immediately to prevent further unauthorized access or lateral movement by the adversary.
+- Terminate any suspicious processes identified in the alert that are attempting to access the LSASS process, ensuring that legitimate processes are not disrupted.
+- Conduct a memory dump analysis of the affected system to identify any malicious tools or scripts used for credential dumping, focusing on the LSASS process.
+- Change all potentially compromised credentials, especially those with administrative privileges, to prevent unauthorized access using stolen credentials.
+- Apply patches and updates to the affected system to address any vulnerabilities that may have been exploited by the adversary.
+- Monitor the network for any signs of further suspicious activity or attempts to access LSASS on other systems, using enhanced logging and alerting mechanisms.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"]
 risk_score = 47
 rule_id = "128468bf-cab1-4637-99ea-fdf3780a4609"
@@ -74,41 +107,6 @@ process where host.os.type == "windows" and event.code == "10" and
 ) and
 not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Lsass Process Access
-
-The Local Security Authority Subsystem Service (LSASS) is crucial for enforcing security policies and managing user logins in Windows environments. Adversaries often target LSASS to extract credentials, enabling unauthorized access. The detection rule identifies unusual access attempts to LSASS by filtering out legitimate processes and access patterns, focusing on anomalies that suggest credential dumping activities.
-
-### Possible investigation steps
-
-- Review the process details that triggered the alert, focusing on the process name and executable path to determine if it is a known legitimate application or potentially malicious.
-- Examine the GrantedAccess value in the event data to understand the level of access attempted on the LSASS process and compare it against typical access patterns.
-- Investigate the parent process of the suspicious process to identify how it was spawned and assess if it is part of a legitimate workflow or an anomaly.
-- Check the CallTrace field for any unusual or suspicious DLLs that might indicate malicious activity or exploitation attempts.
-- Correlate the alert with other security events or logs from the same host to identify any related suspicious activities or patterns, such as network connections or file modifications.
-- Verify the host's security posture, including the status of antivirus or endpoint protection solutions, to ensure they are functioning correctly and have not been tampered with.
-
-### False positive analysis
-
-- Legitimate security tools like Sysinternals Process Explorer and Process Monitor can trigger false positives. Exclude these by adding their process names to the exception list.
-- Windows Defender and other antivirus software may access LSASS for legitimate scanning purposes. Exclude their executable paths from the detection rule to prevent false alerts.
-- System processes such as csrss.exe, lsm.exe, and wmiprvse.exe are known to access LSASS as part of normal operations. Ensure these are included in the process executable exceptions to avoid unnecessary alerts.
-- Software updates and installers, like those from Cisco AnyConnect or Oracle, may access LSASS during legitimate operations. Add these specific paths to the exclusion list to reduce false positives.
-- Custom enterprise applications that interact with LSASS for authentication purposes should be identified and their paths added to the exceptions to prevent disruption in monitoring.
-
-### Response and remediation
-
-- Isolate the affected system from the network immediately to prevent further unauthorized access or lateral movement by the adversary.
-- Terminate any suspicious processes identified in the alert that are attempting to access the LSASS process, ensuring that legitimate processes are not disrupted.
-- Conduct a memory dump analysis of the affected system to identify any malicious tools or scripts used for credential dumping, focusing on the LSASS process.
-- Change all potentially compromised credentials, especially those with administrative privileges, to prevent unauthorized access using stolen credentials.
-- Apply patches and updates to the affected system to address any vulnerabilities that may have been exploited by the adversary.
-- Monitor the network for any signs of further suspicious activity or attempts to access LSASS on other systems, using enhanced logging and alerting mechanisms.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index 7de6d5c13..53f21c1eb 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,41 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via LSASS Memory Dump"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Credential Access via LSASS Memory Dump
+
+LSASS (Local Security Authority Subsystem Service) is crucial for managing Windows security policies and storing sensitive data like user credentials. Adversaries exploit this by using tools that leverage MiniDumpWriteDump from libraries like DBGHelp.dll to extract credentials. The detection rule identifies suspicious LSASS access by monitoring for these libraries in call traces, excluding legitimate crash handlers, thus flagging potential credential theft attempts.
+
+### Possible investigation steps
+
+- Review the process details associated with the alert, focusing on the process name, executable path, and parent process to determine if the process accessing LSASS is legitimate or suspicious.
+- Examine the call trace details to confirm the presence of DBGHelp.dll or DBGCore.dll, which are indicative of potential credential dumping attempts.
+- Check for any recent crash reports or legitimate use of WerFault.exe, WerFaultSecure.exe, or similar processes that might explain the LSASS access as a non-malicious event.
+- Investigate the user account context under which the suspicious process is running to assess if it aligns with expected behavior or if it indicates potential compromise.
+- Correlate the event with other security logs or alerts to identify any related suspicious activities, such as unauthorized access attempts or lateral movement within the network.
+- Assess the risk and impact by determining if any sensitive credentials could have been exposed, and consider isolating the affected system to prevent further compromise.
+
+### False positive analysis
+
+- Legitimate crash handlers like WerFault.exe may access LSASS during system crashes. To prevent these from being flagged, ensure that the rule excludes processes such as WerFault.exe, WerFaultSecure.exe, and their SysWOW64 counterparts.
+- Debugging tools used by developers or IT administrators might trigger this rule if they access LSASS for legitimate purposes. Consider creating exceptions for known and trusted debugging tools within your environment.
+- Security software or endpoint protection solutions may perform similar actions as part of their normal operations. Verify with your security vendor and exclude these processes if they are confirmed to be benign.
+- Automated system diagnostics or maintenance scripts that interact with LSASS for health checks could be misidentified. Review and whitelist these scripts if they are part of routine system management tasks.
+- Ensure that any custom or third-party applications that require access to LSASS for legitimate reasons are documented and excluded from the rule to avoid unnecessary alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further credential access or lateral movement by the adversary.
+- Terminate any suspicious processes that are accessing the LSASS memory, especially those involving DBGHelp.dll or DBGCore.dll, to stop the credential dumping activity.
+- Conduct a thorough review of the affected system's security logs to identify any unauthorized access or changes, focusing on event code "10" and call traces involving LSASS.
+- Change passwords for all accounts that were active on the affected system, prioritizing high-privilege accounts, to mitigate the risk of compromised credentials being used.
+- Restore the affected system from a known good backup to ensure that any malicious changes or tools are removed.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
+- Implement enhanced monitoring and alerting for similar suspicious activities, focusing on LSASS access and the use of MiniDumpWriteDump, to improve detection and response capabilities."""
 references = [
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
 "https://www.elastic.co/security-labs/detect-credential-access",
@@ -59,41 +92,6 @@ process where host.os.type == "windows" and event.code == "10" and
 "?:\\Windows\\System32\\WerFaultSecure.exe"
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential Credential Access via LSASS Memory Dump
-
-LSASS (Local Security Authority Subsystem Service) is crucial for managing Windows security policies and storing sensitive data like user credentials. Adversaries exploit this by using tools that leverage MiniDumpWriteDump from libraries like DBGHelp.dll to extract credentials. The detection rule identifies suspicious LSASS access by monitoring for these libraries in call traces, excluding legitimate crash handlers, thus flagging potential credential theft attempts.
-
-### Possible investigation steps
-
-- Review the process details associated with the alert, focusing on the process name, executable path, and parent process to determine if the process accessing LSASS is legitimate or suspicious.
-- Examine the call trace details to confirm the presence of DBGHelp.dll or DBGCore.dll, which are indicative of potential credential dumping attempts.
-- Check for any recent crash reports or legitimate use of WerFault.exe, WerFaultSecure.exe, or similar processes that might explain the LSASS access as a non-malicious event.
-- Investigate the user account context under which the suspicious process is running to assess if it aligns with expected behavior or if it indicates potential compromise.
-- Correlate the event with other security logs or alerts to identify any related suspicious activities, such as unauthorized access attempts or lateral movement within the network.
-- Assess the risk and impact by determining if any sensitive credentials could have been exposed, and consider isolating the affected system to prevent further compromise.
-
-### False positive analysis
-
-- Legitimate crash handlers like WerFault.exe may access LSASS during system crashes. To prevent these from being flagged, ensure that the rule excludes processes such as WerFault.exe, WerFaultSecure.exe, and their SysWOW64 counterparts.
-- Debugging tools used by developers or IT administrators might trigger this rule if they access LSASS for legitimate purposes. Consider creating exceptions for known and trusted debugging tools within your environment.
-- Security software or endpoint protection solutions may perform similar actions as part of their normal operations. Verify with your security vendor and exclude these processes if they are confirmed to be benign.
-- Automated system diagnostics or maintenance scripts that interact with LSASS for health checks could be misidentified. Review and whitelist these scripts if they are part of routine system management tasks.
-- Ensure that any custom or third-party applications that require access to LSASS for legitimate reasons are documented and excluded from the rule to avoid unnecessary alerts.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further credential access or lateral movement by the adversary.
-- Terminate any suspicious processes that are accessing the LSASS memory, especially those involving DBGHelp.dll or DBGCore.dll, to stop the credential dumping activity.
-- Conduct a thorough review of the affected system's security logs to identify any unauthorized access or changes, focusing on event code "10" and call traces involving LSASS.
-- Change passwords for all accounts that were active on the affected system, prioritizing high-privilege accounts, to mitigate the risk of compromised credentials being used.
-- Restore the affected system from a known good backup to ensure that any malicious changes or tools are removed.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
-- Implement enhanced monitoring and alerting for similar suspicious activities, focusing on LSASS access and the use of MiniDumpWriteDump, to improve detection and response capabilities."""
 
 [[rule.threat]]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index 16f3f87d2..f9333fac3 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,35 +16,6 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "kuery" license = "Elastic License v2" name = "Potential LSASS Memory Dump via PssCaptureSnapShot" -references = [ - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en", -] -risk_score = 73 -rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283" -setup = """## Setup - -This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold -rule cardinality feature. -""" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "threshold" - -query = ''' -event.category:process and host.os.type:windows and event.code:10 and - winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or - "c:\\Windows\\system32\\lsass.exe" or - "c:\\Windows\\System32\\lsass.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -81,6 +50,35 @@ PssCaptureSnapShot is a Windows feature used for capturing process snapshots, ai - Apply the latest security patches and updates to the affected system to address any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Enhance monitoring and detection capabilities by ensuring that similar suspicious activities are logged and alerted on, using the specific query fields and threat indicators identified in this alert.""" +references = [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en", +] +risk_score = 73 +rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283" +setup = """## Setup + +This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold +rule cardinality feature. +""" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "threshold" + +query = ''' +event.category:process and host.os.type:windows and event.code:10 and + winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or + "c:\\Windows\\system32\\lsass.exe" or + "c:\\Windows\\System32\\lsass.exe") +''' [[rule.threat]] diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index 0dea3f19e..e0616fc1f 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml 
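Review bot: The re-added `query` matches `winlog.event_data.TargetImage` against three hand-picked capitalisations of the lsass.exe path, and on a keyword-mapped field KQL string matching is exact and case-sensitive, so an event reporting `C:\WINDOWS\system32\lsass.exe` or `C:\Windows\SYSTEM32\lsass.exe` is silently missed. If the field really is keyword-mapped in the Windows integration (I cannot confirm from here), a single wildcard such as `winlog.event_data.TargetImage : *\\lsass.exe` closes the gap at the cost of also matching lsass.exe outside System32, which the `note` could call out; otherwise the enumerated list should at least be documented as intentional. The `[rule.threshold]` section that makes this a cardinality rule is outside this hunk, so I have not checked that its grouping field still lines up with the query.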
@@ -2,9 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 66828323b..a019bfa0a 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/12/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml
index cc7609557..26d95dd35 100644
--- a/rules/windows/credential_access_veeam_commands.toml
+++ b/rules/windows/credential_access_veeam_commands.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -27,36 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Potential Veeam Credential Access Command" -references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"] -risk_score = 47 -rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - ( - (process.name : "sqlcmd.exe" or ?process.pe.original_file_name : "sqlcmd.exe") or - process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery") - ) and - process.args : "*[VeeamBackup].[dbo].[Credentials]*" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -92,6 +60,36 @@ Veeam credentials stored in MSSQL databases are crucial for managing backup oper - Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are compromised. - Implement enhanced monitoring on systems storing Veeam credentials to detect similar suspicious activities in the future. - Review and update access controls and permissions for MSSQL databases to ensure only authorized personnel have access to Veeam credentials.""" +references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"] +risk_score = 47 +rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + ( + (process.name : "sqlcmd.exe" or ?process.pe.original_file_name : "sqlcmd.exe") or + process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery") + ) and + process.args : "*[VeeamBackup].[dbo].[Credentials]*" +''' [[rule.threat]] diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml index 7ccc4b488..c6a8a05a7 100644 --- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml +++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml 
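Review bot: The re-added `query` only fires when the literal `[VeeamBackup].[dbo].[Credentials]` token appears in `process.args`, so the same query delivered via `sqlcmd -i <file>`, a `.sql` script on disk, or a PowerShell `-EncodedCommand` payload never reaches the rule. That is a pre-existing gap rather than something this reorder introduces, but since the block is being touched it is worth stating in the `note` text, or pairing the rule with a script-block-logging companion where the decoded command is visible. The `index` list that decides which datasets are searched is outside this hunk.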
@@ -2,9 +2,7 @@ creation_date = "2021/11/27" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -17,30 +15,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential LSASS Clone Creation via PssCaptureSnapShot" -references = [ - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2", -] -risk_score = 73 -rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Sysmon", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.code:"4688" and - process.executable : "?:\\Windows\\System32\\lsass.exe" and - process.parent.executable : "?:\\Windows\\System32\\lsass.exe" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -76,6 +50,30 @@ PssCaptureSnapShot is a Windows API used for creating snapshots of processes, of - Review and enhance endpoint security configurations to ensure that LSASS process memory is protected from unauthorized access, such as enabling Credential Guard if applicable. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach. - Implement additional monitoring and alerting for similar suspicious activities, focusing on process creation events involving LSASS, to improve early detection of future attempts.""" +references = [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2", +] +risk_score = 73 +rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.code:"4688" and + process.executable : "?:\\Windows\\System32\\lsass.exe" and + process.parent.executable : "?:\\Windows\\System32\\lsass.exe" +''' [[rule.threat]] diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml index 29b5cd8b8..d8e4b5920 100644 --- a/rules/windows/credential_access_wbadmin_ntds.toml +++ b/rules/windows/credential_access_wbadmin_ntds.toml 
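Review bot: The re-added `tags` block lists `Data Source: Sysmon`, but the `query` is pinned to `event.code:"4688"` (a Security-channel process creation) and the index list shown in the earlier hunk's header for this file carries no Sysmon dataset, so Sysmon event 1 process creations are never evaluated and the tag overstates coverage. Either drop the tag or, if Sysmon coverage is intended, widen the code check to `event.code in ("1", "4688")` and add `logs-windows.sysmon_operational-*` to `index` (the latter is outside this hunk). The mixed use of `:` for `event.code` and `==` for `host.os.type` in one expression is also worth normalising to a single operator for readability.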
@@ -2,9 +2,7 @@ creation_date = "2024/06/05" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -27,34 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "NTDS Dump via Wbadmin" -references = [ - "https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960" -] -risk_score = 47 -rule_id = "d93e61db-82d6-4095-99aa-714988118064" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - (process.name : "wbadmin.exe" or ?process.pe.original_file_name : "wbadmin.exe") and - process.args : "recovery" and process.command_line : "*ntds.dit*" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -89,6 +59,32 @@ Wbadmin is a Windows utility for backup and recovery, often used by administrato - Restore the NTDS.dit file from a known good backup if any unauthorized modifications are detected. - Implement enhanced monitoring and logging for wbadmin.exe usage across all domain controllers to detect future unauthorized access attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" +references = ["https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"] +risk_score = 47 +rule_id = "d93e61db-82d6-4095-99aa-714988118064" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + (process.name : "wbadmin.exe" or ?process.pe.original_file_name : "wbadmin.exe") and + process.args : "recovery" and process.command_line : "*ntds.dit*" +''' [[rule.threat]] @@ -113,8 +109,6 @@ reference = "https://attack.mitre.org/techniques/T1003/003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index 6a4271c9d..fb7134167 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml 
@@ -2,9 +2,7 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 6043131dc..d2011685a 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index 726fe7434..33b194d55 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +37,14 @@ Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusu attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Antimalware Scan Interface DLL" @@ -105,7 +110,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint" + "Data Source: Microsoft Defender for Endpoint", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml index 20ebea80e..5d0971d1b 100644 --- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml +++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 0edc49a16..e7e6c4f40 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/06/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,14 @@ Identifies modifications of the AmsiEnable registry key to 0, which disables the adversary can modify this key to disable AMSI protections. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Modification of AmsiEnable Registry Key" diff --git a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml index 68b2dd7f3..b34937615 100644 --- a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml +++ b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml @@ -2,9 +2,7 @@ creation_date = "2025/01/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,11 +11,7 @@ Identifies attempts to disable auditing for some security sensitive audit policy attackers in an attempt to evade detection and forensics on a system. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-windows.forwarded*", - "logs-system.security*" -] +index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"] language = "kuery" license = "Elastic License v2" name = "Sensitive Audit Policy Sub-Category Disabled" @@ -132,3 +126,4 @@ reference = "https://attack.mitre.org/techniques/T1562/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index 62cef1d7a..79cee43c6 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -2,9 +2,7 @@ creation_date = "2021/11/22" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Austin Songer"] diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 3dfe685d3..35eb79556 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index c9f9d5418..6536cdf6c 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
index 4251115b3..2ff0537af 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/31"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
index aeeb61a20..97a6da20a 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -32,7 +30,14 @@ program, and grants the user with the ability to check whether the program has b execution of unsigned or self-signed code, threat actors can craft and execute malicious code. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Code Signing Policy Modification Through Registry" diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 55093bd4d..0f14afcfe 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -2,9 +2,7 @@ creation_date = "2021/02/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,7 +13,14 @@ certificate would allow an attacker the ability to masquerade malicious files as """ false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Creation or Modification of Root Certificate" diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml index 5932a2f12..9aca76029 100644 --- a/rules/windows/defense_evasion_cve_2020_0601.toml +++ b/rules/windows/defense_evasion_cve_2020_0601.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/19" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,24 +15,6 @@ index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"] language = "kuery" license = "Elastic License v2" name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)" -risk_score = 21 -rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Use Case: Vulnerability", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" and host.os.type:windows -''' note = """## Triage and analysis > **Disclaimer**: @@ -69,6 +49,24 @@ The Windows CryptoAPI is crucial for validating ECC certificates, ensuring secur - Review and update endpoint protection configurations to ensure they are set to detect and block similar spoofing attempts. - Escalate the incident to the security operations center (SOC) for further analysis and to determine if additional systems may be affected. - Implement enhanced monitoring for signs of defense evasion tactics, focusing on event logs and messages related to certificate validation processes.""" +risk_score = 21 +rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Use Case: Vulnerability", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" and host.os.type:windows +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 44c151277..6194cfb85 100644 
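Review bot: The re-added `query` keys on `event.provider:"Microsoft-Windows-Audit-CVE"`, and to my recollection those Audit-CVE events (event ID 1) are written to the Application channel rather than Security, while the index list in the first hunk's header names only `logs-system.security*` among the system datasets and the tag `Data Source: Windows Security Event Logs` repeats that assumption. If that is right, the rule only works where `winlogbeat-*` or `logs-windows.forwarded*` happen to collect the Application log, and `logs-system.application*` should be added to `index` with the tag adjusted; please verify against the integration's channel mapping before changing it. Separately, if `message` is mapped as text as ECS defines it, `message:"[CVE-2020-0601]"` is a phrase query in which the brackets contribute nothing, so a short remark in `note` that they are cosmetic would save the next reader a check.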
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/10/17" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies modifications to the Windows Defender registry settings to disable th started manually. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Windows Defender Disabled via Registry Modification" diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 48eb71e05..6f3582fcc 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/20" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -78,7 +76,7 @@ references = [ "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign", "https://www.elastic.co/security-labs/operation-bleeding-bear", - "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine" + "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", ] risk_score = 47 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index e80066eaf..aa7309054 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml index ab4dd964e..850dcaa00 100644 --- a/rules/windows/defense_evasion_disable_nla.toml +++ b/rules/windows/defense_evasion_disable_nla.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/25" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -16,39 +14,16 @@ enable persistence methods that require access to the Windows sign-in screen wit Accessibility Features persistence methods, like Sticky Keys. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Network-Level Authentication (NLA) Disabled" -references = [ - "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/", -] -risk_score = 21 -rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and - registry.path : ( - "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication", - "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication", - "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" - ) and registry.data.strings : ("0", "0x00000000") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,6 +57,35 @@ Network-Level Authentication (NLA) enhances security for Remote Desktop Protocol
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to disable NLA or other suspicious activities.
 - Review and update endpoint security policies to ensure that registry changes related to NLA are monitored and alerts are generated for any unauthorized modifications."""
+references = [
+ "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/",
+]
+risk_score = 21
+rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and
+ registry.path : (
+ "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
+ "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
+ "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication"
+ ) and registry.data.strings : ("0", "0x00000000")
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 67929fe2a..928b4cd42 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,14 @@ Identifies attempts to disable PowerShell Script Block Logging via registry modi
 logging to conceal their activities in the host and evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "PowerShell Script Block Logging Disabled"
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index e25d77c4e..7787f5001 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index c58c50f40..01560dd1a 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -64,8 +62,8 @@ This rule monitors the execution of commands that can tamper the Windows Defende
 """
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps",
- "https://www.elastic.co/security-labs/operation-bleeding-bear",
- "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"
+ "https://www.elastic.co/security-labs/operation-bleeding-bear",
+ "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine",
 ]
 risk_score = 47
 rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index 6d36c1335..73fa5e6be 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/06"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 6f4320c1a..3217e3637 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/22"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Austin Songer"]
@@ -14,41 +12,17 @@ data. With this enabled, an organization will lose visibility into data such as
 IP, which are used to determine bad actors.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "DNS-over-HTTPS Enabled via Registry"
-references = [
- "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
- "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
-]
-risk_score = 21
-rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.type == "change" and
- (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
- registry.data.strings : ("1", "0x00000001")) or
- (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
- registry.data.strings : "secure") or
- (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
- registry.data.strings : ("1", "0x00000001"))
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -82,6 +56,37 @@ DNS-over-HTTPS (DoH) encrypts DNS queries to enhance privacy and security, preve
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring for registry changes related to DNS settings across the organization to detect similar threats in the future.
 - Review and update security policies to ensure that DNS-over-HTTPS is only enabled through approved channels and for legitimate purposes, reducing the risk of misuse."""
+references = [
+ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
+]
+risk_score = 21
+rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+ (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
+ registry.data.strings : ("1", "0x00000001")) or
+ (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
+ registry.data.strings : "secure") or
+ (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
+ registry.data.strings : ("1", "0x00000001"))
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 7f932ca3d..e6b5d1487 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
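Review bot: In the query at the end of this hunk the guard `host.os.type == "windows" and event.type == "change"` covers only the Edge clause, because `and` binds tighter than `or` in EQL; the Chrome and Firefox disjuncts therefore match on any host and any event type, so a deletion of the DoH policy value raises the same alert as enabling it. The lines are carried over from the removed block rather than introduced here, but since the block is being rewritten this is the moment to parenthesise the three clauses: change the first query line to `registry where host.os.type == "windows" and event.type == "change" and (` and close with `)` after `registry.data.strings : ("1", "0x00000001"))` on the Firefox clause. The rule's own note describes it as detecting registry changes, which is what the guard is meant to enforce.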
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -27,32 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious .NET Code Compilation"
-risk_score = 47
-rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.name : ("csc.exe", "vbc.exe") and
- process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -88,6 +60,32 @@ note = """## Triage and analysis
 - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated through cleaning.
 - Implement application whitelisting to prevent unauthorized execution of compilers and scripting engines by non-standard parent processes.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures."""
+risk_score = 47
+rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : ("csc.exe", "vbc.exe") and
+ process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe")
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 56d52cc81..e9ad302d9 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index cc21a55c6..3518f6d74 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 24dc8f1e2..f5b76cd15 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/09/08"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -27,6 +25,41 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Control Panel Process with Unusual Arguments"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Control Panel Process with Unusual Arguments
+
+The Control Panel in Windows is a system utility that allows users to view and adjust system settings. Adversaries may exploit this by using control.exe to execute malicious code under the guise of legitimate processes. The detection rule identifies anomalies in command-line arguments, such as unexpected file types or suspicious paths, which may indicate an attempt to evade defenses or execute unauthorized actions.
+
+### Possible investigation steps
+
+- Review the command line arguments of the control.exe process to identify any unusual file types or suspicious paths, such as image file extensions or paths like */AppData/Local/*.
+- Check the parent process of control.exe to determine if it was spawned by a legitimate application or a potentially malicious one.
+- Investigate the user account associated with the process to verify if the activity aligns with their typical behavior or if it appears suspicious.
+- Examine recent file modifications or creations in directories like \\AppData\\Local\\ or \\Users\\Public\\ to identify any unauthorized or unexpected changes.
+- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context on the potential threat.
+- Assess the network activity of the host during the time of the alert to identify any unusual outbound connections that may indicate data exfiltration or command and control communication.
+
+### False positive analysis
+
+- Image file paths in command-line arguments may trigger false positives if users or applications are legitimately accessing image files through control.exe. To mitigate this, create exceptions for known applications or user activities that frequently access image files.
+- Paths involving AppData or Users\\Public directories might be flagged if legitimate software installations or updates use these locations. Review and whitelist specific software processes that are known to use these directories for legitimate purposes.
+- Relative path traversal patterns like ../../.. could be used by legitimate scripts or applications for configuration purposes. Identify and exclude these scripts or applications from the detection rule if they are verified as non-malicious.
+- Frequent use of control.exe with specific command-line arguments by system administrators or IT personnel for legitimate system management tasks can be excluded by creating user-based exceptions for these roles.
+- If certain security tools or monitoring software are known to trigger this rule due to their operational behavior, consider excluding these tools after confirming their legitimacy and necessity.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
+- Terminate the suspicious control.exe process to stop any ongoing malicious execution.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants.
+- Review and clean up any unauthorized changes or files in the directories specified in the alert, such as AppData/Local or Users/Public, to ensure no persistence mechanisms remain.
+- Restore any affected files or system settings from a known good backup to ensure system integrity.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.
+- Implement additional monitoring and alerting for similar command-line anomalies to enhance detection and prevent recurrence of this threat."""
 references = ["https://www.joesandbox.com/analysis/476188/1/html"]
 risk_score = 73
 rule_id = "416697ae-e468-4093-a93d-59661fa619ec"
@@ -63,41 +96,6 @@ process where host.os.type == "windows" and event.type == "start" and
 "*\\AppData\\Local\\*"
 )
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Control Panel Process with Unusual Arguments
-
-The Control Panel in Windows is a system utility that allows users to view and adjust system settings. Adversaries may exploit this by using control.exe to execute malicious code under the guise of legitimate processes. The detection rule identifies anomalies in command-line arguments, such as unexpected file types or suspicious paths, which may indicate an attempt to evade defenses or execute unauthorized actions.
-
-### Possible investigation steps
-
-- Review the command line arguments of the control.exe process to identify any unusual file types or suspicious paths, such as image file extensions or paths like */AppData/Local/*.
-- Check the parent process of control.exe to determine if it was spawned by a legitimate application or a potentially malicious one.
-- Investigate the user account associated with the process to verify if the activity aligns with their typical behavior or if it appears suspicious.
-- Examine recent file modifications or creations in directories like \\AppData\\Local\\ or \\Users\\Public\\ to identify any unauthorized or unexpected changes.
-- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context on the potential threat.
-- Assess the network activity of the host during the time of the alert to identify any unusual outbound connections that may indicate data exfiltration or command and control communication.
-
-### False positive analysis
-
-- Image file paths in command-line arguments may trigger false positives if users or applications are legitimately accessing image files through control.exe. To mitigate this, create exceptions for known applications or user activities that frequently access image files.
-- Paths involving AppData or Users\\Public directories might be flagged if legitimate software installations or updates use these locations. Review and whitelist specific software processes that are known to use these directories for legitimate purposes.
-- Relative path traversal patterns like ../../.. could be used by legitimate scripts or applications for configuration purposes. Identify and exclude these scripts or applications from the detection rule if they are verified as non-malicious.
-- Frequent use of control.exe with specific command-line arguments by system administrators or IT personnel for legitimate system management tasks can be excluded by creating user-based exceptions for these roles.
-- If certain security tools or monitoring software are known to trigger this rule due to their operational behavior, consider excluding these tools after confirming their legitimacy and necessity.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
-- Terminate the suspicious control.exe process to stop any ongoing malicious execution.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants.
-- Review and clean up any unauthorized changes or files in the directories specified in the alert, such as AppData/Local or Users/Public, to ensure no persistence mechanisms remain.
-- Restore any affected files or system settings from a known good backup to ensure system integrity.
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.
-- Implement additional monitoring and alerting for similar command-line anomalies to enhance detection and prevent recurrence of this threat."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index 56c9510a9..2cc57b1fc 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index c6ef3c615..93810f621 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index c4dd1fecb..72634c8b5 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,28 +16,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a Script Process"
-risk_score = 21
-rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "new_terms"
-
-query = '''
-host.os.type:windows and event.category:process and event.type:start and (
- process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and
- process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or
- "wscript.exe" or "mshta.exe")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -75,6 +51,28 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty
 - Reset credentials for any user accounts that were active on the affected system during the time of the alert to prevent unauthorized access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for MSBuild and script interpreter activities across the network to detect and respond to similar threats in the future."""
+risk_score = 21
+rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+host.os.type:windows and event.category:process and event.type:start and (
+ process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and
+ process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or
+ "wscript.exe" or "mshta.exe")
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index b235d0ccc..c2e91fd65 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -28,32 +26,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a System Process"
-risk_score = 47
-rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.name : "MSBuild.exe" and
- process.parent.name : ("explorer.exe", "wmiprvse.exe")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -89,6 +61,32 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty
 - Restore the system from a known good backup if any critical system files or applications have been altered or corrupted.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for MSBuild.exe and related processes to detect similar activities in the future, ensuring alerts are configured for rapid response."""
+risk_score = 47
+rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : "MSBuild.exe" and
+ process.parent.name : ("explorer.exe", "wmiprvse.exe")
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 0dbd8efef..94f438353 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
@@ -40,7 +38,13 @@ indicate an attempt to run unnoticed or undetected.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Using an Alternate Name"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index bd07774ed..1ca07de5e 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -29,28 +27,6 @@ index = [ language = "kuery" license = "Elastic License v2" name = "Microsoft Build Engine Started an Unusual Process" -references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"] -risk_score = 21 -rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "new_terms" - -query = ''' -host.os.type:windows and event.category:process and event.type:start and process.parent.name:("MSBuild.exe" or "msbuild.exe") and -process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -86,6 +62,28 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, of - Escalate the incident to the security operations team for further analysis and to determine if the threat is part of a larger attack campaign. - Implement additional monitoring and logging for MSBuild and related processes to detect any future misuse or anomalies promptly. - Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, ensuring that security controls are effectively blocking unauthorized script execution.""" +references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"] +risk_score = 21 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +host.os.type:windows and event.category:process and event.type:start and process.parent.name:("MSBuild.exe" or "msbuild.exe") and +process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 00c2ef05f..90ccf139c 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml 
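Review bot: The re-added `query` matches the parent in both casings, `process.parent.name:("MSBuild.exe" or "msbuild.exe")`, but the child clause lists only `"csc.exe" or "iexplore.exe" or "powershell.exe"`; since KQL term matches on a keyword field are case-sensitive, the asymmetry is either deliberate (the on-disk names of these three binaries are lowercase) or a coverage gap for any source in `integration = ["endpoint", "windows", "system"]` that records `process.name` with other casing — I cannot tell from this hunk which. Either add the casing variants for the children as the parent does, or record the reason inline, e.g. `# parent listed in both casings; child names match their on-disk casing` above the `query` key. Unrelated to the moved lines but visible in this file's `diff --git` header: the path spells `unusal_process`; a rename would belong in a separate change. The enclosing `[rule]` table continues past the end of the hunk.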
@@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/03/12" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,10 +12,51 @@ starting after being renamed or from a non-standard path. This is uncommon behav defenses via side loading a malicious DLL within the memory space of one of those processes. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Potential DLL Side-Loading via Trusted Microsoft Programs" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential DLL Side-Loading via Trusted Microsoft Programs + +DLL side-loading exploits the DLL search order to load malicious code into trusted Microsoft programs, which are often whitelisted by security tools. Adversaries rename or relocate these programs to execute unauthorized DLLs, evading detection. The detection rule identifies unusual execution paths or renamed instances of these programs, signaling potential misuse and enabling timely threat response. + +### Possible investigation steps + +- Review the process details to confirm the original file name and the path from which the process was executed. Check if the process.pe.original_file_name matches any of the specified trusted programs like "WinWord.exe", "EXPLORER.EXE", "w3wp.exe", or "DISM.EXE". +- Investigate the process execution path to determine if it deviates from the standard paths listed in the query, such as "?:\\Windows\\explorer.exe" or "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE". 
+- Examine the process creation history and parent process to identify any unusual or suspicious parent-child relationships that might indicate malicious activity. +- Check for any recent file modifications or creations in the directory from which the process was executed, which could suggest the presence of a malicious DLL. +- Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Elastic Defend, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify potential patterns of malicious behavior. +- Assess the risk and impact of the event by considering the risk score and severity level provided, and determine if immediate containment or further investigation is necessary. + +### False positive analysis + +- Legitimate software updates or installations may temporarily execute trusted Microsoft programs from non-standard paths. Users can create exceptions for known update processes to prevent false alerts. +- Custom enterprise applications might use renamed instances of trusted Microsoft programs for legitimate purposes. Identify and whitelist these specific applications to avoid unnecessary alerts. +- Virtual environments or sandboxed applications may execute trusted programs from unusual paths as part of their normal operation. Review and exclude these environments if they are known and trusted. +- Security or IT administrative tools might mimic trusted Microsoft programs for monitoring or management tasks. Verify these tools and add them to an exception list if they are part of standard operations. +- Development or testing environments often involve renamed or relocated executables for debugging purposes. Ensure these environments are recognized and excluded from the detection rule to reduce false positives. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of the potential threat and unauthorized access. 
+- Terminate the suspicious process identified by the detection rule to stop any ongoing malicious activity. +- Conduct a forensic analysis of the affected system to identify any malicious DLLs or additional compromised files, and remove them. +- Restore the affected system from a known good backup to ensure all malicious changes are reverted. +- Update and patch all software on the affected system, focusing on the trusted Microsoft programs identified in the alert, to mitigate vulnerabilities exploited by DLL side-loading. +- Monitor the network for any signs of lateral movement or additional compromised systems, using the indicators of compromise identified during the investigation. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or data have been affected.""" risk_score = 73 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd" setup = """## Setup 
@@ -57,41 +96,6 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Windows\\System32\\inetsrv\\w3wp.exe", "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential DLL Side-Loading via Trusted Microsoft Programs - -DLL side-loading exploits the DLL search order to load malicious code into trusted Microsoft programs, which are often whitelisted by security tools. Adversaries rename or relocate these programs to execute unauthorized DLLs, evading detection. The detection rule identifies unusual execution paths or renamed instances of these programs, signaling potential misuse and enabling timely threat response. - -### Possible investigation steps - -- Review the process details to confirm the original file name and the path from which the process was executed. Check if the process.pe.original_file_name matches any of the specified trusted programs like "WinWord.exe", "EXPLORER.EXE", "w3wp.exe", or "DISM.EXE". -- Investigate the process execution path to determine if it deviates from the standard paths listed in the query, such as "?:\\Windows\\explorer.exe" or "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE". -- Examine the process creation history and parent process to identify any unusual or suspicious parent-child relationships that might indicate malicious activity. -- Check for any recent file modifications or creations in the directory from which the process was executed, which could suggest the presence of a malicious DLL. 
-- Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Elastic Defend, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify potential patterns of malicious behavior. -- Assess the risk and impact of the event by considering the risk score and severity level provided, and determine if immediate containment or further investigation is necessary. - -### False positive analysis - -- Legitimate software updates or installations may temporarily execute trusted Microsoft programs from non-standard paths. Users can create exceptions for known update processes to prevent false alerts. -- Custom enterprise applications might use renamed instances of trusted Microsoft programs for legitimate purposes. Identify and whitelist these specific applications to avoid unnecessary alerts. -- Virtual environments or sandboxed applications may execute trusted programs from unusual paths as part of their normal operation. Review and exclude these environments if they are known and trusted. -- Security or IT administrative tools might mimic trusted Microsoft programs for monitoring or management tasks. Verify these tools and add them to an exception list if they are part of standard operations. -- Development or testing environments often involve renamed or relocated executables for debugging purposes. Ensure these environments are recognized and excluded from the detection rule to reduce false positives. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of the potential threat and unauthorized access. -- Terminate the suspicious process identified by the detection rule to stop any ongoing malicious activity. -- Conduct a forensic analysis of the affected system to identify any malicious DLLs or additional compromised files, and remove them. -- Restore the affected system from a known good backup to ensure all malicious changes are reverted. 
-- Update and patch all software on the affected system, focusing on the trusted Microsoft programs identified in the alert, to mitigate vulnerabilities exploited by DLL side-loading. -- Monitor the network for any signs of lateral movement or additional compromised systems, using the indicators of compromise identified during the investigation. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or data have been affected.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index f47b122f1..4b4e6f4e9 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic", "Dennis Perto"] 
@@ -15,10 +13,49 @@ side-loading a malicious DLL within the memory space of one of those processes. """ false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential DLL Side-Loading via Microsoft Antimalware Service Executable + +The Microsoft Antimalware Service Executable, a core component of Windows Defender, is crucial for real-time protection against malware. Adversaries exploit its trust by renaming it or executing it from non-standard paths to load malicious DLLs, bypassing security measures. The detection rule identifies such anomalies by monitoring process names and paths, flagging deviations from expected behavior to uncover potential threats. + +### Possible investigation steps + +- Review the process details to confirm if the process name is MsMpEng.exe but is executing from a non-standard path. Check the process.executable field to identify the exact path and verify if it deviates from the expected directories. +- Investigate the parent process of the suspicious MsMpEng.exe instance to determine how it was initiated. 
This can provide insights into whether the process was started by a legitimate application or a potentially malicious one. +- Examine the system for any recent file modifications or creations in the directory where the suspicious MsMpEng.exe is located. This can help identify if a malicious DLL was recently placed in the same directory. +- Check for any network connections or communications initiated by the suspicious MsMpEng.exe process. This can help determine if the process is attempting to communicate with external servers, which may indicate malicious activity. +- Look for any other processes or activities on the host that may indicate compromise, such as unusual user account activity or other processes running from unexpected locations. This can help assess the broader impact of the potential threat. + +### False positive analysis + +- Legitimate software updates or installations may temporarily rename or relocate the Microsoft Antimalware Service Executable. Users should verify if any software updates or installations occurred around the time of the alert and consider excluding these paths if they are known and trusted. +- Custom security or IT management tools might execute the executable from non-standard paths for monitoring or testing purposes. Confirm with IT or security teams if such tools are in use and add these paths to the exclusion list if they are verified as safe. +- Virtualization or sandbox environments may replicate the executable in different locations for testing or analysis. Check if the environment is part of a controlled setup and exclude these paths if they are part of legitimate operations. +- Backup or recovery processes might involve copying the executable to alternate locations. Ensure these processes are legitimate and consider excluding these paths if they are part of routine operations. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further spread of the potential threat. 
+- Terminate any suspicious processes identified by the detection rule, specifically those involving MsMpEng.exe running from non-standard paths. +- Conduct a thorough scan of the affected system using an updated antivirus or endpoint detection and response (EDR) tool to identify and remove any malicious DLLs or other malware. +- Review and restore any altered or deleted system files from a known good backup to ensure system integrity. +- Investigate the source of the DLL side-loading attempt to determine if it was part of a broader attack campaign, and gather forensic evidence for further analysis. +- Escalate the incident to the security operations center (SOC) or incident response team for a deeper investigation and to assess the need for further containment measures. +- Implement additional monitoring and alerting for similar anomalies in process execution paths to enhance detection capabilities and prevent recurrence.""" references = [ "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/", ] 
@@ -60,39 +97,6 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Program Files (x86)\\Microsoft Security Client\\*.exe")) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential DLL Side-Loading via Microsoft Antimalware Service Executable - -The Microsoft Antimalware Service Executable, a core component of Windows Defender, is crucial for real-time protection against malware. Adversaries exploit its trust by renaming it or executing it from non-standard paths to load malicious DLLs, bypassing security measures. The detection rule identifies such anomalies by monitoring process names and paths, flagging deviations from expected behavior to uncover potential threats. - -### Possible investigation steps - -- Review the process details to confirm if the process name is MsMpEng.exe but is executing from a non-standard path. Check the process.executable field to identify the exact path and verify if it deviates from the expected directories. -- Investigate the parent process of the suspicious MsMpEng.exe instance to determine how it was initiated. This can provide insights into whether the process was started by a legitimate application or a potentially malicious one. -- Examine the system for any recent file modifications or creations in the directory where the suspicious MsMpEng.exe is located. This can help identify if a malicious DLL was recently placed in the same directory. -- Check for any network connections or communications initiated by the suspicious MsMpEng.exe process. This can help determine if the process is attempting to communicate with external servers, which may indicate malicious activity. 
-- Look for any other processes or activities on the host that may indicate compromise, such as unusual user account activity or other processes running from unexpected locations. This can help assess the broader impact of the potential threat. - -### False positive analysis - -- Legitimate software updates or installations may temporarily rename or relocate the Microsoft Antimalware Service Executable. Users should verify if any software updates or installations occurred around the time of the alert and consider excluding these paths if they are known and trusted. -- Custom security or IT management tools might execute the executable from non-standard paths for monitoring or testing purposes. Confirm with IT or security teams if such tools are in use and add these paths to the exclusion list if they are verified as safe. -- Virtualization or sandbox environments may replicate the executable in different locations for testing or analysis. Check if the environment is part of a controlled setup and exclude these paths if they are part of legitimate operations. -- Backup or recovery processes might involve copying the executable to alternate locations. Ensure these processes are legitimate and consider excluding these paths if they are part of routine operations. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further spread of the potential threat. -- Terminate any suspicious processes identified by the detection rule, specifically those involving MsMpEng.exe running from non-standard paths. -- Conduct a thorough scan of the affected system using an updated antivirus or endpoint detection and response (EDR) tool to identify and remove any malicious DLLs or other malware. -- Review and restore any altered or deleted system files from a known good backup to ensure system integrity. 
-- Investigate the source of the DLL side-loading attempt to determine if it was part of a broader attack campaign, and gather forensic evidence for further analysis. -- Escalate the incident to the security operations center (SOC) or incident response team for a deeper investigation and to assess the need for further containment measures. -- Implement additional monitoring and alerting for similar anomalies in process execution paths to enhance detection capabilities and prevent recurrence.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index aafffc956..f9a26ca9d 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,34 +12,17 @@ when the name or location of a file is manipulated as a means of tricking a user benign file type but is actually executable code. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Executable File Creation with Multiple Extensions" -risk_score = 47 -rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and - file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and - not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and - file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -76,6 +57,30 @@ In Windows environments, adversaries may exploit file extensions to disguise mal - Review and restore any altered system configurations or files to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar file creation activities to improve detection and response capabilities for future incidents.""" +risk_score = 47 +rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and + file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and + not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and + file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index 2ee0007f9..f75dd62ad 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml 
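Review bot: The regex alternation in the moved `query` lists `txt` twice (`...|pdf|docx?|xlsx?|pptx?|txt|rtf|...|hta|txt|img|iso`); the duplicate is harmless but reads like a leftover from an edit, and since this hunk is the new home of the line it is the place to fix it: `file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|img|iso)\.exe""" and`. The same duplicate appears in the removed copy in the previous hunk, so it is pre-existing rather than introduced here. In the exclusion, `"C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe"` pins the drive letter while the sibling `"?:\\Windows\\System32\\msiexec.exe"` and `file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe"` use `?:`; if the fixed drive is intentional a short `/* SCCM staging path is always on C: */` comment would say so, otherwise `?:` keeps the clause consistent. The `[rule]` table continues past the end of the hunk.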
@@ -2,9 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -108,8 +106,8 @@ This rule identifies processes that are executed from suspicious default Windows - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ -"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", -"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" + "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", + "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry", ] risk_score = 47 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f" diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 5e37948e8..edecd6a9b 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,22 +11,17 @@ Identifies registry write modifications to hide an encoded portable executable. defense evasion by avoiding the storing of malicious content directly on disk. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "winlogbeat-*", "logs-m365_defender.event-*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*", + "winlogbeat-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Encoded Executable Stored in the Registry" -risk_score = 47 -rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and -/* update here with encoding combinations */ - registry.data.strings : "TVqQAAMAAAAEAAAA*" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -63,6 +56,29 @@ Windows Registry is a hierarchical database storing low-level settings for the O - Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning. - Monitor the system and network for any signs of re-infection or similar registry modifications, adjusting detection rules if necessary to enhance future threat identification. - Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further analysis and to determine if additional systems are affected.""" +risk_score = 47 +rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and +/* update here with encoding combinations */ + registry.data.strings : "TVqQAAMAAAAEAAAA*" +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 0dc795434..60048de8e 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
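Review bot: The comment `/* update here with encoding combinations */` carried into the moved `query` does not say what the single pattern it guards actually is, so a maintainer cannot check or extend it; `"TVqQAAMAAAAEAAAA*"` is the base64 encoding of the first 12 bytes of a standard MZ/DOS header (`4D 5A 90 00 03 00 00 00 04 00 00 00`), matched as a prefix of `registry.data.strings`. I would replace the comment with `/* base64 of the first 12 bytes of a standard MZ/DOS header (4D 5A 90 00 03 00 00 00 04 00 00 00); add further encodings here */` so the constant is documented where it is used. The `[rule]` table continues past the end of the hunk.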
diff --git a/rules/windows/defense_evasion_indirect_exec_forfiles.toml b/rules/windows/defense_evasion_indirect_exec_forfiles.toml index e458499fd..81da810b4 100644 --- a/rules/windows/defense_evasion_indirect_exec_forfiles.toml +++ b/rules/windows/defense_evasion_indirect_exec_forfiles.toml @@ -2,15 +2,13 @@ creation_date = "2025/02/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Detects attempts to execute a command via the forfiles Windows utility. Adversaries may use this utility to proxy execution via -a trusted parent process. +Detects attempts to execute a command via the forfiles Windows utility. Adversaries may use this utility to proxy +execution via a trusted parent process. """ from = "now-9m" index = [ diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml index 214f3fe79..742f00543 100755 --- a/rules/windows/defense_evasion_injection_msbuild.toml +++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["windows"] maturity = "production" -updated_date = "2025/02/25" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,27 +15,6 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Process Injection by the Microsoft Build Engine" -risk_score = 21 -rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and - event.provider == "Microsoft-Windows-Sysmon" and - /* CreateRemoteThread */ - event.code == "8" and process.name: "MSBuild.exe" -''' note = """## Triage and analysis > **Disclaimer**: @@ -74,6 +51,27 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, of - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the scope of the intrusion. - Implement application whitelisting to prevent unauthorized execution of MSBuild.exe or similar tools in non-development environments. - Enhance monitoring and detection capabilities by ensuring Sysmon is configured to log detailed process creation and thread injection events across the network.""" +risk_score = 21 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and + event.provider == "Microsoft-Windows-Sysmon" and + /* CreateRemoteThread */ + event.code == "8" and process.name: "MSBuild.exe" +''' [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index d0f651bb2..68a0577f7 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -22,27 +20,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "InstallUtil Process Making Network Connections"
-risk_score = 47
-rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */
-
-sequence by process.entity_id
- [process where host.os.type == "windows" and event.type == "start" and process.name : "installutil.exe"]
- [network where host.os.type == "windows" and process.name : "installutil.exe" and network.direction : ("outgoing", "egress")]
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -78,6 +55,27 @@ InstallUtil.exe is a legitimate Windows utility used for installing and uninstal - Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement network monitoring and alerting for unusual outbound connections from critical systems to enhance detection of similar threats in the future.""" +risk_score = 47 +rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ + +sequence by process.entity_id + [process where host.os.type == "windows" and event.type == "start" and process.name : "installutil.exe"] + [network where host.os.type == "windows" and process.name : "installutil.exe" and network.direction : ("outgoing", "egress")] +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml index bf4b4be6a..7e7b3ddda 100644 --- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml +++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml 
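Review bot: This rule does not set `timestamp_override = "event.ingested"`, unlike the other rules touched in this patch, so events that are indexed late relative to their `@timestamp` can fall outside the rule's lookback window and be missed; adding `timestamp_override = "event.ingested"` after the `tags` array would bring it in line with its siblings. The `sequence by process.entity_id` also carries no `with maxspan=`, so the network event can be paired with a process start arbitrarily far apart within the lookback; if the beaconing this rule targets follows process start closely, a bounded span such as `sequence by process.entity_id with maxspan=1m` would reduce noise, but that narrows detection scope and should be validated against real data first. Both points concern how the rule is written rather than what this hunk changes. The rule's `index` and `from` fields lie outside the hunk.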
@@ -1,16 +1,14 @@
 [metadata]
 creation_date = "2024/07/24"
-integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-An adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule looks
-for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.
+An adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule
+looks for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.
 """
 from = "now-9m"
 index = [
@@ -25,38 +23,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via Windows Command Debugging Utility"
-references = ["https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"]
-risk_score = 47
-rule_id = "bdfaddc4-4438-48b4-bc43-9f5cf8151c46"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Crowdstrike",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- (?process.pe.original_file_name == "CDB.Exe" or process.name : "cdb.exe") and
- process.args : ("-cf", "-c", "-pd") and
- not process.executable : (
- "?:\\Program Files (x86)\\*\\cdb.exe",
- "?:\\Program Files\\*\\cdb.exe",
- "\\Device\\HarddiskVolume?\\Program Files (x86)\\*\\cdb.exe",
- "\\Device\\HarddiskVolume?\\Program Files\\*\\cdb.exe"
- )
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -91,6 +57,38 @@ The Windows command line debugging utility, cdb.exe, is a legitimate tool used f - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Implement application whitelisting to prevent unauthorized execution of cdb.exe from non-standard paths. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.""" +references = ["https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"] +risk_score = 47 +rule_id = "bdfaddc4-4438-48b4-bc43-9f5cf8151c46" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + (?process.pe.original_file_name == "CDB.Exe" or process.name : "cdb.exe") and + process.args : ("-cf", "-c", "-pd") and + not process.executable : ( + "?:\\Program Files (x86)\\*\\cdb.exe", + "?:\\Program Files\\*\\cdb.exe", + "\\Device\\HarddiskVolume?\\Program Files (x86)\\*\\cdb.exe", + "\\Device\\HarddiskVolume?\\Program Files\\*\\cdb.exe" + ) +''' [[rule.threat]] @@ -101,7 +99,6 @@ name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 08fd91506..659a6260d 100644 
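Review bot: The exclusion list is far broader than the description promises: `"?:\\Program Files (x86)\\*\\cdb.exe"` and `"?:\\Program Files\\*\\cdb.exe"` suppress any `cdb.exe` anywhere under either Program Files tree, while the description says the rule looks for cdb.exe outside the normal WindowsKit installation paths. If the Windows Kits debugger directory is the only sanctioned location, narrowing the patterns to that subtree (for example `"?:\\Program Files (x86)\\Windows Kits\\*\\cdb.exe"` plus the matching `\\Device\\HarddiskVolume` forms) would close the gap where a world-writable application folder under Program Files can host a copied debugger; I have not verified the exact Windows Kits layout here. Separately, `HarddiskVolume?` matches a single character, so volumes numbered 10 and above are not excluded and legitimate installs there will alert; `HarddiskVolume*` matches the evident intent. The file header for this hunk lies outside this chunk.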
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -26,6 +24,41 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Endpoint Security Parent Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Endpoint Security Parent Process
+
+Endpoint security solutions, like Elastic and Microsoft Defender, monitor and protect systems by analyzing process behaviors. Adversaries may exploit these processes through techniques like process hollowing, where malicious code is injected into legitimate processes to evade detection. The detection rule identifies anomalies by flagging unexpected parent processes of security executables, excluding known benign paths and arguments, thus highlighting potential threats.
+
+### Possible investigation steps
+
+- Review the process details for the flagged executable (e.g., esensor.exe or elastic-endpoint.exe) to understand its expected behavior and any recent changes in its configuration or deployment.
+- Examine the parent process executable path and name to determine if it is a known legitimate process or potentially malicious. Pay special attention to paths not listed in the known benign paths, such as those outside "?:\\Program Files\\Elastic\\*" or "?:\\Windows\\System32\\*".
+- Investigate the command-line arguments used by the parent process to identify any unusual or suspicious patterns that could indicate malicious activity, especially if they do not match the benign arguments like "test", "version", or "status".
+- Check the historical activity of the parent process to see if it has been involved in other suspicious activities or if it has a history of spawning security-related processes.
+- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and identify any related suspicious activities.
+- Assess the risk and impact of the alert by considering the environment, the criticality of the affected systems, and any potential data exposure or operational disruption.
+
+### False positive analysis
+
+- Security tools or scripts that automate tasks may trigger false positives if they launch endpoint security processes with unexpected parent processes. To manage this, identify and document these tools, then add their parent executable paths to the exclusion list.
+- System administrators or IT personnel may use command-line tools like PowerShell or cmd.exe for legitimate maintenance tasks. If these tasks frequently trigger alerts, consider adding specific command-line arguments used in these tasks to the exclusion list.
+- Software updates or installations might temporarily cause unexpected parent processes for security executables. Monitor these activities and, if they are routine and verified, add the associated parent executable paths to the exclusion list.
+- Custom scripts or third-party applications that interact with security processes can also lead to false positives. Review these scripts or applications, and if they are deemed safe, include their parent executable paths in the exclusion list.
+- Regularly review and update the exclusion list to ensure it reflects the current environment and operational practices, minimizing the risk of overlooking new legitimate processes.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
+- Terminate the suspicious process identified by the alert to stop any ongoing malicious activity and prevent further code execution.
+- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise, such as unauthorized changes or additional malicious files.
+- Restore the system from a known good backup if any malicious activity or unauthorized changes are confirmed, ensuring that the backup is clean and uncompromised.
+- Update endpoint security solutions and apply any available patches to address vulnerabilities that may have been exploited by the adversary.
+- Monitor the network and systems for any signs of re-infection or similar suspicious activities, using enhanced logging and alerting based on the identified threat indicators.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected."""
 risk_score = 47
 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
 severity = "medium"
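Review bot: The false-positive guidance in the added note tells operators to exclude on "specific command-line arguments used in these tasks"; arguments are attacker-controlled, so an exclusion keyed on them lets an adversary start the endpoint binary with the same arguments and slip past the rule. I would reword that bullet to favour the parent executable, e.g. `- ... consider excluding the specific parent executable (path and, where available, code signature) rather than argument strings, which an attacker can reproduce.` The overview also attributes the behaviour to process hollowing, which nothing in the visible rule name or guide substantiates; a neutral phrasing such as "an unexpected parent spawning the endpoint binary" would be safer. The query this guide describes sits outside the hunk.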
@@ -72,41 +105,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Endpoint Security Parent Process - -Endpoint security solutions, like Elastic and Microsoft Defender, monitor and protect systems by analyzing process behaviors. Adversaries may exploit these processes through techniques like process hollowing, where malicious code is injected into legitimate processes to evade detection. The detection rule identifies anomalies by flagging unexpected parent processes of security executables, excluding known benign paths and arguments, thus highlighting potential threats. - -### Possible investigation steps - -- Review the process details for the flagged executable (e.g., esensor.exe or elastic-endpoint.exe) to understand its expected behavior and any recent changes in its configuration or deployment. -- Examine the parent process executable path and name to determine if it is a known legitimate process or potentially malicious. Pay special attention to paths not listed in the known benign paths, such as those outside "?:\\Program Files\\Elastic\\*" or "?:\\Windows\\System32\\*". -- Investigate the command-line arguments used by the parent process to identify any unusual or suspicious patterns that could indicate malicious activity, especially if they do not match the benign arguments like "test", "version", or "status". -- Check the historical activity of the parent process to see if it has been involved in other suspicious activities or if it has a history of spawning security-related processes. 
-- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and identify any related suspicious activities. -- Assess the risk and impact of the alert by considering the environment, the criticality of the affected systems, and any potential data exposure or operational disruption. - -### False positive analysis - -- Security tools or scripts that automate tasks may trigger false positives if they launch endpoint security processes with unexpected parent processes. To manage this, identify and document these tools, then add their parent executable paths to the exclusion list. -- System administrators or IT personnel may use command-line tools like PowerShell or cmd.exe for legitimate maintenance tasks. If these tasks frequently trigger alerts, consider adding specific command-line arguments used in these tasks to the exclusion list. -- Software updates or installations might temporarily cause unexpected parent processes for security executables. Monitor these activities and, if they are routine and verified, add the associated parent executable paths to the exclusion list. -- Custom scripts or third-party applications that interact with security processes can also lead to false positives. Review these scripts or applications, and if they are deemed safe, include their parent executable paths in the exclusion list. -- Regularly review and update the exclusion list to ensure it reflects the current environment and operational practices, minimizing the risk of overlooking new legitimate processes. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity. -- Terminate the suspicious process identified by the alert to stop any ongoing malicious activity and prevent further code execution. 
-- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise, such as unauthorized changes or additional malicious files. -- Restore the system from a known good backup if any malicious activity or unauthorized changes are confirmed, ensuring that the backup is clean and uncompromised. -- Update endpoint security solutions and apply any available patches to address vulnerabilities that may have been exploited by the adversary. -- Monitor the network and systems for any signs of re-infection or similar suspicious activities, using enhanced logging and alerting based on the identified threat indicators. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 15635fea2..2a4129e82 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/01" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -39,7 +37,13 @@ Identifies a suspicious AutoIt process execution. Malware written as an AutoIt s
 executable to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Renamed AutoIt Scripts Interpreter"
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 30695cdb2..f7808e814 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -20,11 +18,45 @@ index = [
 "logs-windows.sysmon_operational-*",
 "endgame-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-m365_defender.event-*"
- ]
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WerFault Child Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious WerFault Child Process
+
+WerFault.exe is a Windows error reporting tool that handles application crashes. Adversaries may exploit it by manipulating the SilentProcessExit registry key to execute malicious processes stealthily. The detection rule identifies unusual child processes of WerFault.exe, focusing on specific command-line arguments indicative of this abuse, while excluding known legitimate executables, thus highlighting potential threats.
+
+### Possible investigation steps
+
+- Review the command line arguments of the suspicious child process to confirm the presence of "-s", "-t", and "-c" flags, which indicate potential abuse of the SilentProcessExit mechanism.
+- Examine the process executable path to ensure it is not one of the known legitimate executables ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe") that are excluded from the detection rule.
+- Investigate the network connections established by the suspicious process to identify any unusual or unauthorized external communications.
+- Analyze file writes and modifications made by the process to detect any unauthorized changes or potential indicators of compromise.
+- Check the parent process tree to understand the context of how WerFault.exe was invoked and identify any preceding suspicious activities or processes.
+- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Microsoft Defender for Endpoint, Sysmon, or SentinelOne to gather additional context and assess the scope of the potential threat.
+
+### False positive analysis
+
+- Legitimate software updates or installations may trigger WerFault.exe with command-line arguments similar to those used in the SilentProcessExit mechanism. Users should verify the digital signature of the executable and check if it aligns with known update processes.
+- Security software or system management tools might use WerFault.exe for legitimate purposes. Users can create exceptions for these known tools by adding their executables to the exclusion list in the detection rule.
+- Custom scripts or enterprise applications that utilize WerFault.exe for error handling could be flagged. Review the process details and, if verified as non-threatening, add these scripts or applications to the exclusion list.
+- Frequent occurrences of the same process being flagged can indicate a benign pattern. Users should monitor these patterns and, if consistently verified as safe, update the rule to exclude these specific processes.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further potential malicious activity and lateral movement.
+- Terminate the suspicious child process of WerFault.exe immediately to halt any ongoing malicious actions.
+- Conduct a thorough review of the SilentProcessExit registry key to identify and remove any unauthorized entries that may have been used to execute the malicious process.
+- Restore any altered or deleted files from a known good backup to ensure system integrity and recover any lost data.
+- Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats or remnants of the attack.
+- Monitor network traffic and system logs for any signs of persistence mechanisms or further attempts to exploit the SilentProcessExit mechanism.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 references = [
 "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
 "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
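Review bot: The second investigation step asks the analyst to confirm the child executable is not `"?:\\Windows\\SysWOW64\\Initcrypt.exe"` or `"?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe"`, but the query's `not process.executable : (...)` clause already drops exactly those paths, so no alert can involve them and the step is vacuous. I would replace it with something the analyst can act on, e.g. `- Verify the child executable's code signature and file hash against a trusted source; a binary launched through SilentProcessExit is still suspicious if its path or signer is unexpected.` The SilentProcessExit registry review in the remediation section is the right follow-up and should stay. The query lines carrying these exclusions are in the following hunk rather than this one.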
@@ -61,40 +93,6 @@ process where host.os.type == "windows" and event.type == "start" and not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious WerFault Child Process - -WerFault.exe is a Windows error reporting tool that handles application crashes. Adversaries may exploit it by manipulating the SilentProcessExit registry key to execute malicious processes stealthily. The detection rule identifies unusual child processes of WerFault.exe, focusing on specific command-line arguments indicative of this abuse, while excluding known legitimate executables, thus highlighting potential threats. - -### Possible investigation steps - -- Review the command line arguments of the suspicious child process to confirm the presence of "-s", "-t", and "-c" flags, which indicate potential abuse of the SilentProcessExit mechanism. -- Examine the process executable path to ensure it is not one of the known legitimate executables ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe") that are excluded from the detection rule. -- Investigate the network connections established by the suspicious process to identify any unusual or unauthorized external communications. -- Analyze file writes and modifications made by the process to detect any unauthorized changes or potential indicators of compromise. -- Check the parent process tree to understand the context of how WerFault.exe was invoked and identify any preceding suspicious activities or processes. 
-- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Microsoft Defender for Endpoint, Sysmon, or SentinelOne to gather additional context and assess the scope of the potential threat. - -### False positive analysis - -- Legitimate software updates or installations may trigger WerFault.exe with command-line arguments similar to those used in the SilentProcessExit mechanism. Users should verify the digital signature of the executable and check if it aligns with known update processes. -- Security software or system management tools might use WerFault.exe for legitimate purposes. Users can create exceptions for these known tools by adding their executables to the exclusion list in the detection rule. -- Custom scripts or enterprise applications that utilize WerFault.exe for error handling could be flagged. Review the process details and, if verified as non-threatening, add these scripts or applications to the exclusion list. -- Frequent occurrences of the same process being flagged can indicate a benign pattern. Users should monitor these patterns and, if consistently verified as safe, update the rule to exclude these specific processes. - -### Response and remediation - -- Isolate the affected system from the network to prevent further potential malicious activity and lateral movement. -- Terminate the suspicious child process of WerFault.exe immediately to halt any ongoing malicious actions. -- Conduct a thorough review of the SilentProcessExit registry key to identify and remove any unauthorized entries that may have been used to execute the malicious process. -- Restore any altered or deleted files from a known good backup to ensure system integrity and recover any lost data. -- Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats or remnants of the attack. 
-- Monitor network traffic and system logs for any signs of persistence mechanisms or further attempts to exploit the SilentProcessExit mechanism. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" [[rule.threat]] @@ -109,8 +107,6 @@ reference = "https://attack.mitre.org/techniques/T1036/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -128,9 +124,6 @@ reference = "https://attack.mitre.org/techniques/T1546/012/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 663acbc61..736a8830f 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -28,6 +26,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Program Files Directory Masquerading" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Program Files Directory Masquerading + +The Program Files directories in Windows are trusted locations for legitimate software. Adversaries may exploit this trust by creating similarly named directories to execute malicious files, bypassing security measures. The detection rule identifies suspicious executions from these masquerading paths, excluding known legitimate directories, to flag potential threats. This helps in identifying defense evasion tactics used by attackers. + +### Possible investigation steps + +- Review the process executable path to confirm if it matches any known masquerading patterns, such as unexpected directories containing "Program Files" in their path. +- Check the parent process of the suspicious executable to determine how it was launched and assess if the parent process is legitimate or potentially malicious. +- Investigate the user account associated with the process execution to determine if it has low privileges and if the activity aligns with typical user behavior. +- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns. +- Examine the file hash of the executable to see if it matches known malware signatures or if it has been flagged in threat intelligence databases. 
+- Assess the network activity associated with the process to identify any unusual outbound connections that could indicate data exfiltration or command-and-control communication. + +### False positive analysis + +- Legitimate software installations or updates may create temporary directories resembling Program Files paths. Users can monitor installation logs and exclude these specific paths if they are verified as part of a legitimate process. +- Some enterprise applications may use custom directories that mimic Program Files for compatibility reasons. IT administrators should document these paths and add them to the exclusion list to prevent false alerts. +- Development environments might create test directories with similar naming conventions. Developers should ensure these paths are excluded during active development phases to avoid unnecessary alerts. +- Security tools or scripts that perform regular checks or updates might execute from non-standard directories. Verify these tools and add their execution paths to the exception list if they are confirmed safe. +- Backup or recovery software might temporarily use directories that resemble Program Files for storing executable files. Confirm the legitimacy of these operations and exclude the paths if they are part of routine backup processes. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity. +- Terminate any suspicious processes identified as executing from masquerading directories to halt any ongoing malicious actions. +- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants. +- Review and restore any altered system configurations or settings to their original state to ensure system integrity. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. +- Implement additional monitoring on the affected system and similar environments to detect any recurrence of the threat or similar tactics. +- Update security policies and access controls to prevent unauthorized creation of directories that mimic trusted paths, enhancing defenses against similar masquerading attempts.""" risk_score = 47 rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14" severity = "medium" 
@@ -76,41 +109,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Program Files Directory Masquerading - -The Program Files directories in Windows are trusted locations for legitimate software. Adversaries may exploit this trust by creating similarly named directories to execute malicious files, bypassing security measures. The detection rule identifies suspicious executions from these masquerading paths, excluding known legitimate directories, to flag potential threats. This helps in identifying defense evasion tactics used by attackers. - -### Possible investigation steps - -- Review the process executable path to confirm if it matches any known masquerading patterns, such as unexpected directories containing "Program Files" in their path. -- Check the parent process of the suspicious executable to determine how it was launched and assess if the parent process is legitimate or potentially malicious. -- Investigate the user account associated with the process execution to determine if it has low privileges and if the activity aligns with typical user behavior. -- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns. -- Examine the file hash of the executable to see if it matches known malware signatures or if it has been flagged in threat intelligence databases. -- Assess the network activity associated with the process to identify any unusual outbound connections that could indicate data exfiltration or command-and-control communication. 
- -### False positive analysis - -- Legitimate software installations or updates may create temporary directories resembling Program Files paths. Users can monitor installation logs and exclude these specific paths if they are verified as part of a legitimate process. -- Some enterprise applications may use custom directories that mimic Program Files for compatibility reasons. IT administrators should document these paths and add them to the exclusion list to prevent false alerts. -- Development environments might create test directories with similar naming conventions. Developers should ensure these paths are excluded during active development phases to avoid unnecessary alerts. -- Security tools or scripts that perform regular checks or updates might execute from non-standard directories. Verify these tools and add their execution paths to the exception list if they are confirmed safe. -- Backup or recovery software might temporarily use directories that resemble Program Files for storing executable files. Confirm the legitimacy of these operations and exclude the paths if they are part of routine backup processes. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity. -- Terminate any suspicious processes identified as executing from masquerading directories to halt any ongoing malicious actions. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants. -- Review and restore any altered system configurations or settings to their original state to ensure system integrity. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. 
-- Implement additional monitoring on the affected system and similar environments to detect any recurrence of the threat or similar tactics. -- Update security policies and access controls to prevent unauthorized creation of directories that mimic trusted paths, enhancing defenses against similar masquerading attempts.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index fde26ca2c..e9adbf559 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 8d7ee1807..a7ff9008d 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Austin Songer"] @@ -20,7 +18,7 @@ index = [ "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "endgame-*" + "endgame-*", ] language = "eql" license = "Elastic License v2" 
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index 4e470e8ba..aa1255cc9 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index f749a8499..ceeaf6ad5 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml +++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/12" integration = ["windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ Macros. Adversaries may abuse these security settings to modify the default beha future macros and/or disable security warnings, which could increase their chances of establishing persistence. """ from = "now-9m" -index = ["winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "MS Office Macro Security Registry Modifications" 
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index a3fb8499c..5f9e89575 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 103bb66ac..005708045 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -22,32 +20,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Mshta Making Network Connections" -references = [ - "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", -] -risk_score = 47 -rule_id = "c2d90150-0133-451c-a783-533e736c12d7" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by process.entity_id with maxspan=10m - [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and - not process.parent.name : "Microsoft.ConfigurationManagement.exe" and - not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or - process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and - not process.args : "ADSelfService_Enroll.hta"] - [network where host.os.type == "windows" and process.name : "mshta.exe"] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -81,6 +53,32 @@ Mshta.exe is a legitimate Windows utility used to execute Microsoft HTML Applica - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated. - Implement application whitelisting to prevent unauthorized execution of mshta.exe and similar system binaries. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" +references = [ + "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", +] +risk_score = 47 +rule_id = "c2d90150-0133-451c-a783-533e736c12d7" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by process.entity_id with maxspan=10m + [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and + not process.parent.name : "Microsoft.ConfigurationManagement.exe" and + not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or + process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and + not process.args : "ADSelfService_Enroll.hta"] + [network where host.os.type == "windows" and process.name : "mshta.exe"] +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml index dde8076da..448e41579 100644 --- a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml +++ b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml 
@@ -2,9 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,42 +11,15 @@ Identifies the execution of an MsiExec service child process followed by network abuse Windows Installers for initial access and delivery of malware. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "MsiExec Service Child Process With Network Connection" -risk_score = 47 -rule_id = "65432f4a-e716-4cc1-ab11-931c4966da2d" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by process.entity_id with maxspan=1m - [process where host.os.type == "windows" and event.type : "start" and - process.parent.name : "msiexec.exe" and process.parent.args : "/v" and - not process.executable : - ("?:\\Windows\\System32\\msiexec.exe", - "?:\\Windows\\sysWOW64\\msiexec.exe", - "?:\\Windows\\system32\\srtasks.exe", - "?:\\Windows\\syswow64\\srtasks.exe", - "?:\\Windows\\sys*\\taskkill.exe", - "?:\\Program Files\\*.exe", - "?:\\Program Files (x86)\\*.exe", - "?:\\Windows\\Installer\\MSI*.tmp", - "?:\\Windows\\Microsoft.NET\\Framework*\\RegSvcs.exe") and - not (process.name : ("rundll32.exe", "regsvr32.exe") and process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))] -[any where host.os.type == "windows" and event.category in ("network", "dns") and process.name != null] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -84,6 +55,38 @@ MsiExec is a Windows utility for installing, maintaining, and removing software. - Reset credentials and review access permissions for any accounts that may have been compromised or used during the attack. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and detection rules to identify similar threats in the future, focusing on unusual MsiExec activity and network connections.""" +risk_score = 47 +rule_id = "65432f4a-e716-4cc1-ab11-931c4966da2d" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by process.entity_id with maxspan=1m + [process where host.os.type == "windows" and event.type : "start" and + process.parent.name : "msiexec.exe" and process.parent.args : "/v" and + not process.executable : + ("?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\sysWOW64\\msiexec.exe", + "?:\\Windows\\system32\\srtasks.exe", + "?:\\Windows\\syswow64\\srtasks.exe", + "?:\\Windows\\sys*\\taskkill.exe", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\Installer\\MSI*.tmp", + "?:\\Windows\\Microsoft.NET\\Framework*\\RegSvcs.exe") and + not (process.name : ("rundll32.exe", "regsvr32.exe") and process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))] +[any where host.os.type == "windows" and event.category in ("network", "dns") and process.name != null] +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index 4049b815d..188993ffe 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml 
+++ b/rules/windows/defense_evasion_msxsl_network.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -22,31 +20,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Network Connection via MsXsl" -references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"] -risk_score = 21 -rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by process.entity_id - [process where host.os.type == "windows" and process.name : "msxsl.exe" and event.type == "start"] - [network where host.os.type == "windows" and process.name : "msxsl.exe" and - not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", - "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", - "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", - "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", - "FE80::/10", "FF00::/8")] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -81,6 +54,31 @@ MsXsl.exe is a legitimate Windows utility used to transform XML data using XSLT - Restore the affected system from a known good backup if any critical system files or configurations have been altered. - Implement network segmentation to limit the ability of msxsl.exe or similar utilities to make unauthorized external connections in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been impacted.""" +references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"] +risk_score = 21 +rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by process.entity_id + [process where host.os.type == "windows" and process.name : "msxsl.exe" and event.type == "start"] + [network where host.os.type == "windows" and process.name : "msxsl.exe" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8")] +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index a8a58c8db..2fd614a2b 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml 
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index c2a8f625a..eaf45cb6e 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,43 +12,17 @@ default) and is set to 1, then remote connections from all local members of Admi high-integrity tokens during negotiation. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Local Account TokenFilter Policy Disabled" -references = [ - "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", - "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", - "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", -] -risk_score = 47 -rule_id = "07b1ef73-1fde-4a49-a34a-5dd40011b076" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide" -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and - registry.value : "LocalAccountTokenFilterPolicy" and - registry.path : ( - "HKLM\\*\\LocalAccountTokenFilterPolicy", - "\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy", - "MACHINE\\*\\LocalAccountTokenFilterPolicy" - ) and registry.data.strings : ("1", "0x00000001") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -85,6 +57,39 @@ The LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabl - Deploy endpoint detection and response (EDR) tools to monitor for any further suspicious activities or attempts to modify registry settings. - Escalate the incident to the security operations center (SOC) for further investigation and to determine if the threat is part of a larger attack campaign. - Implement additional network segmentation and access controls to limit administrative access to critical systems and reduce the risk of similar threats.""" +references = [ + "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", + "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", +] +risk_score = 47 +rule_id = "07b1ef73-1fde-4a49-a34a-5dd40011b076" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and + registry.value : "LocalAccountTokenFilterPolicy" and + registry.path : ( + "HKLM\\*\\LocalAccountTokenFilterPolicy", + "\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy", + "MACHINE\\*\\LocalAccountTokenFilterPolicy" + ) and registry.data.strings : ("1", "0x00000001") +''' [[rule.threat]] @@ -104,8 +109,6 @@ reference = "https://attack.mitre.org/techniques/T1562/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml index 4808f0345..69108cc31 100644 --- a/rules/windows/defense_evasion_posh_assembly_load.toml +++ b/rules/windows/defense_evasion_posh_assembly_load.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/03/19" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -124,7 +122,15 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -152,21 +158,19 @@ event.category:process and host.os.type:windows and not user.id : "S-1-5-18" ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*\\\\AvailabilityGroupMonitoring.ps1" - +case_insensitive = true +value = """ +C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary +Files*\\AvailabilityGroupMonitoring.ps1 +""" [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1620" -name = "Reflective Code Loading" -reference = "https://attack.mitre.org/techniques/T1620/" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" 
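Review bot: The rewritten `value` under `[rule.filters.query.wildcard."file.path"]` is not the same string as the one it replaces: in a TOML multi-line basic string only the newline directly after the opening `"""` is dropped, so the line break after `Temporary` and the newline before the closing `"""` are now part of the pattern, and the escapes went from `\\\\` to `\\`, leaving a single backslash per path separator. The sibling change to defense_evasion_posh_compressed.toml in this diff keeps the one-line `\\\\` form, so the two filters are now written inconsistently and this exclusion will presumably stop matching the Monitoring Agent script path it is meant to suppress. Unless the rule loader is known to re-join and re-escape this field, keep the one-line form: `value = "C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*\\\\AvailabilityGroupMonitoring.ps1"`.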
@@ -182,6 +186,11 @@ name = "Portable Executable Injection" reference = "https://attack.mitre.org/techniques/T1055/002/" +[[rule.threat.technique]] +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" + [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml index 8f267c300..f18e497a3 100644 --- a/rules/windows/defense_evasion_posh_compressed.toml +++ b/rules/windows/defense_evasion_posh_compressed.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/03" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -124,7 +122,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -142,13 +147,14 @@ event.category:process and host.os.type:windows and not user.id : "S-1-5-18" ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*" - +case_insensitive = true +value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml index 6a1bc0512..dd131d442 100644 --- a/rules/windows/defense_evasion_posh_encryption.toml +++ b/rules/windows/defense_evasion_posh_encryption.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_obfuscation.toml b/rules/windows/defense_evasion_posh_obfuscation.toml index cb7a98c5b..2cdc2a47e 100644 --- a/rules/windows/defense_evasion_posh_obfuscation.toml +++ b/rules/windows/defense_evasion_posh_obfuscation.toml @@ -2,9 +2,7 @@ creation_date = "2024/07/03" integration = ["windows"] maturity = "production" -updated_date = "2025/01/22" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,57 +15,6 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "Potential PowerShell Obfuscated Script" -references = ["https://github.com/danielbohannon/Invoke-Obfuscation"] -risk_score = 47 -rule_id = "8025db49-c57c-4fc0-bd86-7ccd6d10a35a" -setup = """## Setup - -The 'PowerShell Script Block Logging' logging policy must be enabled. -Steps to implement the logging policy with Advanced Audit Configuration: - -``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > -Turn on PowerShell Script Block Logging (Enable) -``` - -Steps to implement the logging policy via registry: - -``` -reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 -``` -""" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -event.category:process and host.os.type:windows and - powershell.file.script_block_text : ( - "[string]::join" or - "-Join" or - "[convert]::toint16" or - "[char][int]$_" or - ("ConvertTo-SecureString" and "PtrToStringAuto") or - ".GetNetworkCredential().password" or - "-BXor" or - ("replace" and "char") or - "[array]::reverse" or - "-replace" - ) and - powershell.file.script_block_text : ( - ("$pSHoMe[" and "+$pSHoMe[") or - ("$ShellId[" and "+$ShellId[") or - ("$env:ComSpec[4" and "25]-Join") or - (("Set-Variable" or "SV" or "Set-Item") and "OFS") or - ("*MDR*" and "Name[3,11,2]") or - ("$VerbosePreference" and "[1,3]+'X'-Join''") or - ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs") or - ("System.Management.Automation.$([cHAr]" or "System.$([cHAr]" or ")+[cHAR]([byte]") - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -103,6 +50,65 @@ PowerShell is a powerful scripting language used for task automation and configu - Update and patch the affected system to ensure all security vulnerabilities are addressed, reducing the risk of exploitation. - Monitor the system and network for any signs of re-infection or similar obfuscation patterns to ensure the threat has been fully mitigated. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +references = ["https://github.com/danielbohannon/Invoke-Obfuscation"] +risk_score = 47 +rule_id = "8025db49-c57c-4fc0-bd86-7ccd6d10a35a" +setup = """## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` +""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "[string]::join" or + "-Join" or + "[convert]::toint16" or + "[char][int]$_" or + ("ConvertTo-SecureString" and "PtrToStringAuto") or + ".GetNetworkCredential().password" or + "-BXor" or + ("replace" and "char") or + "[array]::reverse" or + "-replace" + ) and + powershell.file.script_block_text : ( + ("$pSHoMe[" and "+$pSHoMe[") or + ("$ShellId[" and "+$ShellId[") or + ("$env:ComSpec[4" and "25]-Join") or + (("Set-Variable" or "SV" or 
"Set-Item") and "OFS") or + ("*MDR*" and "Name[3,11,2]") or + ("$VerbosePreference" and "[1,3]+'X'-Join''") or + ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs") or + ("System.Management.Automation.$([cHAr]" or "System.$([cHAr]" or ")+[cHAR]([byte]") + ) +''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -121,8 +127,6 @@ reference = "https://attack.mitre.org/techniques/T1140/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index 9d74159fa..dfe1ced0f 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/14" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index 2521ce2dc..583d589cb 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/15" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Austin Songer"] 
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index d76195296..353a2156c 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -2,9 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,10 +11,51 @@ Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard ( binary execution via malicious process arguments. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Microsoft Diagnostics Wizard Execution" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Microsoft Diagnostics Wizard Execution + +The Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a legitimate tool used for diagnosing and resolving issues within Windows environments. However, adversaries can exploit MSDT to execute malicious commands by manipulating its process arguments, effectively using it as a proxy for harmful activities. The detection rule identifies such abuse by monitoring for unusual execution patterns, such as atypical file paths, unexpected parent processes, and non-standard executable locations, which are indicative of potential misuse. This proactive detection helps in mitigating risks associated with defense evasion tactics. + +### Possible investigation steps + +- Review the process arguments to identify any suspicious patterns, such as "IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", or "*FromBase64*", which may indicate malicious intent. 
+- Examine the parent process of msdt.exe to determine if it was launched by an unexpected or potentially malicious process like cmd.exe, powershell.exe, or mshta.exe. +- Check the file path of the msdt.exe executable to ensure it matches the standard locations (?:\\Windows\\system32\\msdt.exe or ?:\\Windows\\SysWOW64\\msdt.exe) and investigate any deviations. +- Investigate the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious. +- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related malicious activities or patterns. +- Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate action is required to mitigate potential threats. + +### False positive analysis + +- Legitimate troubleshooting activities by IT staff using MSDT may trigger alerts. To manage this, create exceptions for known IT user accounts or specific machines frequently used for diagnostics. +- Automated scripts or software updates that utilize MSDT for legitimate purposes can cause false positives. Identify these scripts and whitelist their execution paths or parent processes. +- Custom diagnostic tools that leverage MSDT might be flagged. Review these tools and exclude their specific process arguments or executable paths if they are verified as safe. +- Non-standard installations of MSDT in custom environments could be misidentified. Ensure that any legitimate non-standard paths are documented and excluded from monitoring. +- Frequent use of MSDT in virtualized environments for testing purposes may lead to alerts. Consider excluding these environments or specific virtual machines from the rule. + +### Response and remediation + +- Isolate the affected system from the network to prevent further malicious activity and lateral movement. 
+- Terminate the suspicious msdt.exe process to stop any ongoing malicious execution. +- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes. +- Review and analyze the process arguments and parent processes associated with the msdt.exe execution to identify potential entry points or related malicious activities. +- Restore any affected files or system components from a known good backup to ensure system integrity. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. +- Implement enhanced monitoring and logging for msdt.exe and related processes to detect and respond to similar threats in the future.""" references = [ "https://twitter.com/nao_sec/status/1530196847679401984", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", 
@@ -53,41 +92,6 @@ process where host.os.type == "windows" and event.type == "start" and (process.pe.original_file_name == "msdt.exe" and not process.executable : ("?:\\Windows\\system32\\msdt.exe", "?:\\Windows\\SysWOW64\\msdt.exe")) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Microsoft Diagnostics Wizard Execution - -The Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a legitimate tool used for diagnosing and resolving issues within Windows environments. However, adversaries can exploit MSDT to execute malicious commands by manipulating its process arguments, effectively using it as a proxy for harmful activities. The detection rule identifies such abuse by monitoring for unusual execution patterns, such as atypical file paths, unexpected parent processes, and non-standard executable locations, which are indicative of potential misuse. This proactive detection helps in mitigating risks associated with defense evasion tactics. - -### Possible investigation steps - -- Review the process arguments to identify any suspicious patterns, such as "IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", or "*FromBase64*", which may indicate malicious intent. -- Examine the parent process of msdt.exe to determine if it was launched by an unexpected or potentially malicious process like cmd.exe, powershell.exe, or mshta.exe. -- Check the file path of the msdt.exe executable to ensure it matches the standard locations (?:\\Windows\\system32\\msdt.exe or ?:\\Windows\\SysWOW64\\msdt.exe) and investigate any deviations. 
-- Investigate the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious. -- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related malicious activities or patterns. -- Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate action is required to mitigate potential threats. - -### False positive analysis - -- Legitimate troubleshooting activities by IT staff using MSDT may trigger alerts. To manage this, create exceptions for known IT user accounts or specific machines frequently used for diagnostics. -- Automated scripts or software updates that utilize MSDT for legitimate purposes can cause false positives. Identify these scripts and whitelist their execution paths or parent processes. -- Custom diagnostic tools that leverage MSDT might be flagged. Review these tools and exclude their specific process arguments or executable paths if they are verified as safe. -- Non-standard installations of MSDT in custom environments could be misidentified. Ensure that any legitimate non-standard paths are documented and excluded from monitoring. -- Frequent use of MSDT in virtualized environments for testing purposes may lead to alerts. Consider excluding these environments or specific virtual machines from the rule. - -### Response and remediation - -- Isolate the affected system from the network to prevent further malicious activity and lateral movement. -- Terminate the suspicious msdt.exe process to stop any ongoing malicious execution. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes. 
-- Review and analyze the process arguments and parent processes associated with the msdt.exe execution to identify potential entry points or related malicious activities. -- Restore any affected files or system components from a known good backup to ensure system integrity. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. -- Implement enhanced monitoring and logging for msdt.exe and related processes to detect and respond to similar threats in the future.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml index 00de7eaa0..665669451 100644 --- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml +++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml @@ -2,9 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -21,41 +19,11 @@ index = [ "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", - "endgame-*" + "endgame-*", ] language = "eql" license = "Elastic License v2" name = "DNS Global Query Block List Modified or Disabled" -references = [ - "https://cube0x0.github.io/Pocing-Beyond-DA/", - "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing", - "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/" -] -risk_score = 47 -rule_id = "57bfa0a9-37c0-44d6-b724-54bf16787492" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and -( - (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or - (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad") -) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -90,6 +58,36 @@ The DNS Global Query Block List (GQBL) is a security feature in Windows environm - Monitor network traffic for signs of WPAD spoofing or other related attacks, and implement network segmentation to limit the impact of potential threats. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Update security policies and procedures to include specific measures for monitoring and protecting the DNS Global Query Block List, ensuring rapid detection and response to similar threats in the future.""" +references = [ + "https://cube0x0.github.io/Pocing-Beyond-DA/", + "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing", + "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/", +] +risk_score = 47 +rule_id = "57bfa0a9-37c0-44d6-b724-54bf16787492" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and +( + (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or + (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad") +) +''' [[rule.threat]] @@ -109,8 +107,6 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/windows/defense_evasion_right_to_left_override.toml b/rules/windows/defense_evasion_right_to_left_override.toml index b9666969c..2b351c4f4 100644 --- a/rules/windows/defense_evasion_right_to_left_override.toml +++ b/rules/windows/defense_evasion_right_to_left_override.toml @@ -2,9 +2,7 @@ creation_date = "2025/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/22" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -25,31 +23,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "File with Right-to-Left Override Character (RTLO) Created/Executed" -risk_score = 47 -rule_id = "7e763fd1-228a-4d43-be88-3ffc14cd7de1" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -any where host.os.type == "windows" and event.category in ("file", "process") and - ( - (event.type == "creation" and file.path : "*\u{202E}*") or - (event.type == "start" and process.name : "*\u{202E}*") - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -85,6 +58,31 @@ The RTLO character reverses text direction, often used to disguise file extensio - Review and analyze system logs and security alerts to determine the extent of the compromise and identify any lateral movement or additional affected systems. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary. - Implement enhanced monitoring and detection rules to identify future attempts to use RTLO characters for masquerading, ensuring that similar threats are detected promptly.""" +risk_score = 47 +rule_id = "7e763fd1-228a-4d43-be88-3ffc14cd7de1" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +any where host.os.type == "windows" and event.category in ("file", "process") and + ( + (event.type == "creation" and file.path : "*\u{202E}*") or + (event.type == "start" and process.name : "*\u{202E}*") + ) +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml index 53311fc30..6c2740ef0 100644 --- a/rules/windows/defense_evasion_root_dir_ads_creation.toml +++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml @@ -2,9 +2,7 @@ creation_date = "2024/03/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -25,32 +23,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Alternate Data Stream Creation/Execution at Volume Root Directory" -references = ["https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"] -risk_score = 47 -rule_id = "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -any where host.os.type == "windows" and event.category in ("file", "process") and - ( - (event.type == "creation" and file.path regex~ """[A-Z]:\\:.+""") or - (event.type == "start" and process.executable regex~ """[A-Z]:\\:.+""") - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -86,6 +58,32 @@ Alternate Data Streams (ADS) in Windows allow files to contain multiple streams - Restore affected files from a known good backup to ensure system integrity and remove any compromised data. - Monitor network traffic for unusual patterns or connections that may indicate ongoing malicious activity or data exfiltration attempts. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for broader organizational response measures.""" +references = ["https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"] +risk_score = 47 +rule_id = "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +any where host.os.type == "windows" and event.category in ("file", "process") and + ( + (event.type == "creation" and file.path regex~ """[A-Z]:\\:.+""") or + (event.type == "start" and process.executable regex~ """[A-Z]:\\:.+""") + ) +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index 6979c9fba..03fa7fb9c 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml +++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
diff --git a/rules/windows/defense_evasion_sc_sdset.toml b/rules/windows/defense_evasion_sc_sdset.toml index 3bb8cbf9a..e543bd70b 100644 --- a/rules/windows/defense_evasion_sc_sdset.toml +++ b/rules/windows/defense_evasion_sc_sdset.toml 
@@ -2,51 +2,24 @@ creation_date = "2024/07/16" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/10" +updated_date = "2025/03/20" [rule] author = ["Elastic"] -description = """ -Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users. -""" +description = "Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.\n" from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", + "logs-crowdstrike.fdr*", +] language = "eql" license = "Elastic License v2" name = "Service DACL Modification via sc.exe" -references = [ - "https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml", - "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/" -] -risk_score = 47 -rule_id = "5188c68e-d3de-4e96-994d-9e242269446f" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike" 
-] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - (process.name : "sc.exe" or ?process.pe.original_file_name : "sc.exe") and - process.args : "sdset" and process.args : "*D;*" and - process.args : ("*;IU*", "*;SU*", "*;BA*", "*;SY*", "*;WD*") -''' note = """## Triage and analysis > **Disclaimer**: 
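Review bot: The `description` line in defense_evasion_sc_sdset.toml trades the `"""` block form for a single-line basic string that ends in an explicit `\n`; the runtime value is unchanged, but the trailing newline is now hidden inside an escape rather than being visible as layout, and the other rules in this diff (the msdt and AT-command rules, for example) keep the block form. Either keep the original `description = """ ... """` block, or, if the intent is a plain one-line description, drop the escape: `description = "Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users."` — noting that dropping it changes the rule's content and so its hash. The `[rule]` table this line belongs to continues past the end of the hunk.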
@@ -83,6 +56,37 @@ The `sc.exe` utility in Windows is used to manage services, including modifying - Implement additional monitoring on the affected system and similar systems to detect any further attempts to modify service DACLs, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the attack is part of a larger campaign. - Review and update endpoint protection policies to prevent similar threats in the future, ensuring that all systems are equipped with the latest security patches and configurations.""" +references = [ + "https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", +] +risk_score = 47 +rule_id = "5188c68e-d3de-4e96-994d-9e242269446f" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + (process.name : "sc.exe" or ?process.pe.original_file_name : "sc.exe") and + process.args : "sdset" and process.args : "*D;*" and + process.args : ("*;IU*", "*;SU*", "*;BA*", "*;SY*", "*;WD*") +''' [[rule.threat]] 
@@ -93,12 +97,10 @@ name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
-
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index e809d1593..78e006e81 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/23"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -14,38 +12,17 @@ move laterally or persist locally. The AT command has been deprecated since Wind
exists for backwards compatibility.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
language = "eql"
license = "Elastic License v2"
name = "Scheduled Tasks AT Command Enabled"
-references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
-risk_score = 47
-rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.type == "change" and
- registry.path : (
- "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
- "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
- "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
- ) and registry.data.strings : ("1", "0x00000001")
-'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -80,6 +57,34 @@ The AT command, a legacy Windows utility, schedules tasks for execution, often u
- Monitor network traffic and logs for any signs of data exfiltration or communication with known malicious IP addresses or domains.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement enhanced monitoring and alerting for similar registry changes across the network to detect and respond to future attempts promptly."""
+references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
+risk_score = 47
+rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+ registry.path : (
+ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
+ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
+ "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
+ ) and registry.data.strings : ("1", "0x00000001")
+'''
[[rule.threat]]
diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml
index efb57856d..37e27fdbf 100644
--- a/rules/windows/defense_evasion_script_via_html_app.toml
+++ b/rules/windows/defense_evasion_script_via_html_app.toml
@@ -2,16 +2,13 @@ creation_date = "2020/09/09"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
description = """
-Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe.
-Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed
-binaries.
+Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe. Adversaries
+may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries.
"""
from = "now-9m"
index = [
@@ -25,6 +22,39 @@ index = [
language = "eql"
license = "Elastic License v2"
name = "Script Execution via Microsoft HTML Application"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Script Execution via Microsoft HTML Application
+
+Microsoft HTML Applications (HTA) allow scripts to run in a trusted environment, often using utilities like `rundll32.exe` or `mshta.exe`. Adversaries exploit this by executing malicious scripts under the guise of legitimate processes, bypassing defenses. The detection rule identifies suspicious script execution patterns, such as unusual command lines or execution from common download locations, to flag potential abuse.
+
+### Possible investigation steps
+
+- Review the process command line details to identify any suspicious patterns or indicators of malicious activity, such as the presence of script execution commands like "eval", "GetObject", or "WScript.Shell".
+- Check the parent process executable path to determine if the process was spawned by a known legitimate application or if it deviates from expected behavior, especially if it is not from the specified exceptions like Citrix, Microsoft Office, or Quokka.Works GTInstaller.
+- Investigate the origin of the HTA file, particularly if it was executed from common download locations like the Downloads folder or temporary archive extraction paths, to assess if it was downloaded from the internet or extracted from an archive.
+- Analyze the process arguments and count to identify any unusual or unexpected parameters that could indicate malicious intent, especially if the process name is "mshta.exe" and the command line does not include typical HTA or HTM file references.
+- Correlate the event with other security logs and alerts from data sources like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and determine if this activity is part of a broader attack pattern.
+
+### False positive analysis
+
+- Execution of legitimate scripts by enterprise applications like Citrix, Microsoft Office, or Quokka.Works GTInstaller can trigger false positives. Users can mitigate this by adding these applications to the exclusion list in the detection rule.
+- Scripts executed by mshta.exe that do not involve malicious intent, such as internal web applications or administrative scripts, may be flagged. Users should review these scripts and, if deemed safe, exclude them based on specific command line patterns or parent processes.
+- HTA files downloaded from trusted internal sources or vendors might be mistakenly identified as threats. Users can create exceptions for these sources by specifying trusted download paths or file hashes.
+- Temporary files created by legitimate software installations or updates in user temp directories can be misinterpreted as malicious. Users should monitor these activities and exclude known safe processes or directories from the detection rule.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further spread of the malicious script or unauthorized access.
+- Terminate any suspicious processes identified by the detection rule, specifically those involving `rundll32.exe` or `mshta.exe` with unusual command lines.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts.
+- Review and analyze the command lines and scripts executed to understand the scope and intent of the attack, and identify any additional compromised systems.
+- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
+- Implement network segmentation to limit the ability of similar threats to propagate across the network in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been compromised."""
risk_score = 73
rule_id = "181f6b23-3799-445e-9589-0018328a9e46"
severity = "high"
@@ -80,39 +110,6 @@ process where host.os.type == "windows" and event.type == "start" and
process.args : ("?:\\Users\\*\\Temp\\7z*", "?:\\Users\\*\\Temp\\Rar$*", "?:\\Users\\*\\Temp\\Temp?_*", "?:\\Users\\*\\Temp\\BNZ.*"))
)
'''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Script Execution via Microsoft HTML Application
-
-Microsoft HTML Applications (HTA) allow scripts to run in a trusted environment, often using utilities like `rundll32.exe` or `mshta.exe`. Adversaries exploit this by executing malicious scripts under the guise of legitimate processes, bypassing defenses. The detection rule identifies suspicious script execution patterns, such as unusual command lines or execution from common download locations, to flag potential abuse.
-
-### Possible investigation steps
-
-- Review the process command line details to identify any suspicious patterns or indicators of malicious activity, such as the presence of script execution commands like "eval", "GetObject", or "WScript.Shell".
-- Check the parent process executable path to determine if the process was spawned by a known legitimate application or if it deviates from expected behavior, especially if it is not from the specified exceptions like Citrix, Microsoft Office, or Quokka.Works GTInstaller.
-- Investigate the origin of the HTA file, particularly if it was executed from common download locations like the Downloads folder or temporary archive extraction paths, to assess if it was downloaded from the internet or extracted from an archive.
-- Analyze the process arguments and count to identify any unusual or unexpected parameters that could indicate malicious intent, especially if the process name is "mshta.exe" and the command line does not include typical HTA or HTM file references.
-- Correlate the event with other security logs and alerts from data sources like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and determine if this activity is part of a broader attack pattern.
-
-### False positive analysis
-
-- Execution of legitimate scripts by enterprise applications like Citrix, Microsoft Office, or Quokka.Works GTInstaller can trigger false positives. Users can mitigate this by adding these applications to the exclusion list in the detection rule.
-- Scripts executed by mshta.exe that do not involve malicious intent, such as internal web applications or administrative scripts, may be flagged. Users should review these scripts and, if deemed safe, exclude them based on specific command line patterns or parent processes.
-- HTA files downloaded from trusted internal sources or vendors might be mistakenly identified as threats. Users can create exceptions for these sources by specifying trusted download paths or file hashes.
-- Temporary files created by legitimate software installations or updates in user temp directories can be misinterpreted as malicious. Users should monitor these activities and exclude known safe processes or directories from the detection rule.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further spread of the malicious script or unauthorized access.
-- Terminate any suspicious processes identified by the detection rule, specifically those involving `rundll32.exe` or `mshta.exe` with unusual command lines.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts.
-- Review and analyze the command lines and scripts executed to understand the scope and intent of the attack, and identify any additional compromised systems.
-- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
-- Implement network segmentation to limit the ability of similar threats to propagate across the network in the future.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been compromised."""
[[rule.threat]]
@@ -121,11 +118,11 @@ framework = "MITRE ATT&CK"
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
-
[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"
+
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 0afe8f457..bfc81a473 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -2,9 +2,7 @@ creation_date = "2020/08/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -13,7 +11,14 @@ Detects file name patterns generated by the use of Sysinternals SDelete utility
file overwrite and rename operations.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
language = "eql"
license = "Elastic License v2"
name = "Potential Secure File Deletion via SDelete Utility"
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 04bde56d0..434c2d6eb 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -2,9 +2,7 @@ creation_date = "2021/01/20"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -14,41 +12,17 @@ Windows cryptographic system to validate file signatures on the system. This may
validation checks or inject code into critical processes.
"""
from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "endgame-*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
language = "eql"
license = "Elastic License v2"
name = "SIP Provider Modification"
-references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
-risk_score = 47
-rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and
- registry.path: (
- "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
- "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
- "*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
- "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
- ) and
- registry.data.strings:"*.dll" and
- not (process.name : "msiexec.exe" and registry.data.strings : "mso.dll") and
- not (process.name : "regsvr32.exe" and registry.data.strings == "WINTRUST.DLL")
-'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -83,6 +57,37 @@ Subject Interface Package (SIP) providers are integral to Windows' cryptographic
- Review and update endpoint protection policies to ensure that similar unauthorized modifications are detected and blocked in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases."""
+references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
+risk_score = 47
+rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and
+ registry.path: (
+ "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
+ "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
+ "*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
+ "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
+ ) and
+ registry.data.strings:"*.dll" and
+ not (process.name : "msiexec.exe" and registry.data.strings : "mso.dll") and
+ not (process.name : "regsvr32.exe" and registry.data.strings == "WINTRUST.DLL")
+'''
[[rule.threat]]
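Review bot: The two exclusions at the end of the relocated query mix EQL operators: `not (process.name : "msiexec.exe" and registry.data.strings : "mso.dll")` uses the case-insensitive `:` match while `not (process.name : "regsvr32.exe" and registry.data.strings == "WINTRUST.DLL")` uses the case-sensitive `==`, so a lowercase `wintrust.dll` registration by regsvr32.exe still alerts although the analogous msiexec case is suppressed. That asymmetry is the conservative direction (an extra alert rather than a silent suppression), but nothing on the page says it is intentional, and the next normalisation pass is likely to "harmonise" it. If it is deliberate, a TOML comment above the query, `# the WINTRUST.DLL exclusion is intentionally case-sensitive (==): only the exact string written by the OS installer is treated as benign`, would preserve the reasoning; if not, switching it to `:` keeps the two exclusions consistent. These lines are moved unchanged from the hunk above rather than introduced by this commit, so this is a follow-up rather than a blocker.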
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 9a2b2cf07..d4273cdcc 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -2,9 +2,7 @@ creation_date = "2020/12/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -13,10 +11,52 @@ Identifies a SolarWinds binary modifying the start type of a service to be disab
technique to manipulate relevant security services.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
language = "eql"
license = "Elastic License v2"
name = "SolarWinds Process Disabling Services via Registry"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating SolarWinds Process Disabling Services via Registry
+
+SolarWinds software is integral for network management, often requiring deep system access. Adversaries may exploit this by altering registry settings to disable critical services, evading detection. The detection rule identifies changes to service start types by specific SolarWinds processes, flagging potential misuse aimed at disabling security defenses. This proactive monitoring helps mitigate risks associated with unauthorized registry modifications.
+
+### Possible investigation steps
+
+- Review the process name involved in the alert to confirm it matches one of the specified SolarWinds processes, such as "SolarWinds.BusinessLayerHost*.exe" or "NetFlowService*.exe".
+- Examine the registry path in the alert to ensure it corresponds to the critical service start type locations, such as "HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start".
+- Check the registry data value to verify if it has been set to "4" (disabled), indicating a potential attempt to disable a service.
+- Investigate the timeline of the registry change event to identify any preceding or subsequent suspicious activities on the host.
+- Correlate the alert with other security logs or alerts from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activities or patterns.
+- Assess the impacted service to determine its role in security operations and evaluate the potential impact of it being disabled.
+- Contact the system owner or administrator to verify if the registry change was authorized or part of a legitimate maintenance activity.
+
+### False positive analysis
+
+- Routine updates or maintenance by SolarWinds software may trigger registry changes. Verify if the process corresponds to a scheduled update or maintenance task and consider excluding these specific processes during known maintenance windows.
+- Legitimate configuration changes by IT administrators using SolarWinds tools can appear as registry modifications. Confirm with the IT team if the changes align with authorized configuration activities and create exceptions for these known activities.
+- Automated scripts or tools that utilize SolarWinds processes for legitimate network management tasks might cause false positives. Review the scripts or tools in use and whitelist them if they are verified as safe and necessary for operations.
+- Temporary service modifications for troubleshooting purposes by SolarWinds processes can be mistaken for malicious activity. Ensure that any troubleshooting activities are documented and create temporary exceptions during these periods.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized registry modifications and potential lateral movement by the adversary.
+- Terminate any suspicious SolarWinds processes identified in the alert, such as "SolarWinds.BusinessLayerHost*.exe" or "NetFlowService*.exe", to halt any ongoing malicious activity.
+- Restore the registry settings for the affected services to their original state, ensuring that critical security services are re-enabled and configured to start automatically.
+- Conduct a thorough review of the affected system for additional signs of compromise, including unauthorized user accounts, scheduled tasks, or other persistence mechanisms.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
+- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized registry changes, leveraging data sources like Sysmon and Microsoft Defender for Endpoint.
+- Review and update access controls and permissions for SolarWinds processes to limit their ability to modify critical system settings, reducing the risk of future exploitation."""
references = [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
]
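Review bot: The investigation step `+- Check the registry data value to verify if it has been set to "4" (disabled), …` names only the decimal form, while the query this rule runs (visible as context in the following `@@ -57,41 +97,6 @@` hunk) matches `registry.data.strings : ("4", "0x00000004")`; an analyst looking at a Sysmon event that reports the DWORD as `0x00000004` may conclude the value differs from what the rule fired on. Suggest `+- Check the registry data value to verify if it has been set to "4" (or the hex form "0x00000004", depending on the data source), which is the disabled start type, indicating a potential attempt to disable a service.` The path example `"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start"` is written with quadruple backslashes inside a TOML basic `"""` string, which presumably unescapes to the double-backslash form the query itself uses; worth confirming that is the intended rendered text, since the guide is shown to analysts as markdown. The `note` value opened in this hunk closes within it, but the surrounding `[rule]` table continues past the hunk.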
@@ -57,41 +97,6 @@ registry where host.os.type == "windows" and event.type == "change" and registry
) and registry.data.strings : ("4", "0x00000004")
'''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating SolarWinds Process Disabling Services via Registry
-
-SolarWinds software is integral for network management, often requiring deep system access. Adversaries may exploit this by altering registry settings to disable critical services, evading detection. The detection rule identifies changes to service start types by specific SolarWinds processes, flagging potential misuse aimed at disabling security defenses. This proactive monitoring helps mitigate risks associated with unauthorized registry modifications.
-
-### Possible investigation steps
-
-- Review the process name involved in the alert to confirm it matches one of the specified SolarWinds processes, such as "SolarWinds.BusinessLayerHost*.exe" or "NetFlowService*.exe".
-- Examine the registry path in the alert to ensure it corresponds to the critical service start type locations, such as "HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start".
-- Check the registry data value to verify if it has been set to "4" (disabled), indicating a potential attempt to disable a service.
-- Investigate the timeline of the registry change event to identify any preceding or subsequent suspicious activities on the host.
-- Correlate the alert with other security logs or alerts from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activities or patterns.
-- Assess the impacted service to determine its role in security operations and evaluate the potential impact of it being disabled.
-- Contact the system owner or administrator to verify if the registry change was authorized or part of a legitimate maintenance activity.
-
-### False positive analysis
-
-- Routine updates or maintenance by SolarWinds software may trigger registry changes. Verify if the process corresponds to a scheduled update or maintenance task and consider excluding these specific processes during known maintenance windows.
-- Legitimate configuration changes by IT administrators using SolarWinds tools can appear as registry modifications. Confirm with the IT team if the changes align with authorized configuration activities and create exceptions for these known activities.
-- Automated scripts or tools that utilize SolarWinds processes for legitimate network management tasks might cause false positives. Review the scripts or tools in use and whitelist them if they are verified as safe and necessary for operations.
-- Temporary service modifications for troubleshooting purposes by SolarWinds processes can be mistaken for malicious activity. Ensure that any troubleshooting activities are documented and create temporary exceptions during these periods.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized registry modifications and potential lateral movement by the adversary.
-- Terminate any suspicious SolarWinds processes identified in the alert, such as "SolarWinds.BusinessLayerHost*.exe" or "NetFlowService*.exe", to halt any ongoing malicious activity.
-- Restore the registry settings for the affected services to their original state, ensuring that critical security services are re-enabled and configured to start automatically.
-- Conduct a thorough review of the affected system for additional signs of compromise, including unauthorized user accounts, scheduled tasks, or other persistence mechanisms.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
-- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized registry changes, leveraging data sources like Sysmon and Microsoft Defender for Endpoint.
-- Review and update access controls and permissions for SolarWinds processes to limit their ability to modify critical system settings, reducing the risk of future exploitation."""
[[rule.threat]]
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index ae8a631e1..d31877d16 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -2,9 +2,7 @@ creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[transform]
[[transform.osquery]]
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index 5d6f59d9c..8d702affb 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -2,9 +2,7 @@ creation_date = "2021/05/28"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -17,41 +15,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_ language = "eql" license = "Elastic License v2" name = "Suspicious Execution from a Mounted Device" -references = [ - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", - "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", -] -risk_score = 47 -rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and - (process.working_directory : "?:\\" and not process.working_directory: "C:\\") and - process.parent.name : "explorer.exe" and - process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe", - "cscript.exe", "wscript.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -87,6 +50,41 @@ In Windows environments, script interpreters and signed binaries are essential f - Update and patch the system to close any vulnerabilities that may have been exploited by the attacker. - Monitor for any recurrence of similar activities by enhancing logging and alerting mechanisms, focusing on process execution from non-standard directories. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +references = [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", +] +risk_score = 47 +rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d" +setup = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. 
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and + (process.working_directory : "?:\\" and not process.working_directory: "C:\\") and + process.parent.name : "explorer.exe" and + process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe", + "cscript.exe", "wscript.exe") +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index f7dc5f1cb..30a19f5a7 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
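Review bot: The moved query only matches when `process.working_directory` is a bare drive root (`"?:\\"`), so an interpreter launched from a subfolder of the mounted image (working directory like `E:\docs\`) is not detected, and the key reorder does nothing to address that. If the root-only match is a deliberate noise trade-off, a sentence in `note` such as `Only launches whose working directory is the root of the mounted volume are matched; payloads placed in a subfolder of the image will not trigger this rule.` would keep analysts from assuming broader coverage; otherwise `process.working_directory : "?:\\*" and not process.working_directory : "C:\\*"` widens the match at the cost of more triage. The `process.executable : "C:\\*"` clause also hard-codes the system drive, so the rule goes quiet on hosts where Windows lives on another letter. The rule's `description` and `[[rule.threat]]` mapping are outside this hunk.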
@@ -13,43 +11,18 @@ Identifies a suspicious managed code hosting process which could indicate code i code execution. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", "logs-crowdstrike.fdr*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", + "logs-crowdstrike.fdr*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Managed Code Hosting Process" -references = [ - "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", -] -risk_score = 73 -rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type != "deletion" and - file.name : ("wscript.exe.log", - "cscript.exe.log", - "mshta.exe.log", - "wmic.exe.log", - "svchost.exe.log", - "dllhost.exe.log", - "cmstp.exe.log", - "regsvr32.exe.log") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -85,6 +58,39 @@ Managed code hosting processes like wscript.exe, cscript.exe, and others are int - Collect and preserve relevant logs and forensic data from the affected system for further analysis and to aid in understanding the scope and impact of the incident. - Notify the security operations center (SOC) or incident response team to escalate the incident for further investigation and to determine if additional systems are affected. - Implement additional monitoring and detection rules to enhance visibility and prevent similar threats in the future, focusing on the specific processes and behaviors identified in the alert.""" +references = [ + "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", +] +risk_score = 73 +rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type != "deletion" and + file.name : ("wscript.exe.log", + "cscript.exe.log", + "mshta.exe.log", + "wmic.exe.log", + "svchost.exe.log", + "dllhost.exe.log", + "cmstp.exe.log", + "regsvr32.exe.log") +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index 5d6fd9988..3c06a0f9e 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml 
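Review bot: The moved query keys on `file.name` alone, so any file called e.g. `svchost.exe.log` created anywhere on disk by any process fires the rule, and nothing in the hunk ties the event to the CLR usage-log location that the cited reference describes. If the sources listed in `index` populate `file.path`, anchoring on that directory would cut false positives, e.g. adding `and file.path : "?:\\Users\\*\\AppData\\Local\\Microsoft\\CLR_v*\\UsageLogs\\*"` — the exact path should be confirmed against the reference before relying on it, since a wrong prefix would blind the rule. Either way a one-line comment in `note` stating what artifact the `.exe.log` names correspond to would help analysts triage. The rule's `description` and `[[rule.threat]]` section lie outside this hunk.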
@@ -2,9 +2,7 @@ creation_date = "2021/10/11" integration = ["windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml index 29082352f..d6f9837ab 100644 --- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml +++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/24" integration = ["windows"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index b5b791d4e..8b30df05e 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,40 @@ index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", language = "eql" license = "Elastic License v2" name = "Suspicious Script Object Execution" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Script Object Execution + +The scrobj.dll is a legitimate Windows library used for executing scriptlets, often in automation tasks. However, adversaries can exploit it to run malicious scripts within trusted processes, evading detection. The detection rule identifies unusual loading of scrobj.dll in non-standard processes, flagging potential misuse. By excluding common executables, it focuses on anomalous activity, aiding in early threat detection. + +### Possible investigation steps + +- Review the process executable path to confirm if it is indeed non-standard for loading scrobj.dll, as specified in the query. +- Check the parent process of the flagged executable to understand how it was initiated and assess if it aligns with typical behavior. +- Investigate the user account associated with the process execution to determine if it is a legitimate user or potentially compromised. +- Analyze recent activity on the host for any other suspicious behavior or anomalies that might correlate with the alert. +- Examine network connections from the host to identify any unusual or unauthorized external communications that could indicate malicious activity. +- Review historical data for similar alerts on the same host to identify patterns or repeated suspicious behavior. + +### False positive analysis + +- Legitimate administrative scripts may trigger the rule if they are executed using non-standard processes. 
To handle this, identify and document regular administrative tasks that use scriptlets and exclude these specific processes from the rule. +- Custom enterprise applications that utilize scrobj.dll for legitimate automation purposes might be flagged. Review these applications and add them to the exclusion list if they are verified as safe. +- Scheduled tasks or maintenance scripts that load scrobj.dll in non-standard processes can cause false positives. Regularly audit scheduled tasks and exclude known safe processes from the detection rule. +- Development or testing environments where scriptlets are frequently used for automation may generate alerts. Consider creating a separate rule set for these environments to reduce noise while maintaining security monitoring. + +### Response and remediation + +- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement. +- Terminate any suspicious processes identified as loading scrobj.dll in non-standard executables to halt malicious activity. +- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious scripts or files. +- Review and restore any altered system configurations or settings to their default state to ensure system integrity. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. +- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the processes identified in the detection rule. +- Update detection mechanisms to monitor for similar activities across the network, ensuring that any future attempts to exploit scrobj.dll are promptly identified and addressed.""" risk_score = 47 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff" severity = "medium" 
@@ -58,40 +90,6 @@ any where host.os.type == "windows" and "?:\\Windows\\System32\\wbem\\WMIADAP.exe", "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Script Object Execution - -The scrobj.dll is a legitimate Windows library used for executing scriptlets, often in automation tasks. However, adversaries can exploit it to run malicious scripts within trusted processes, evading detection. The detection rule identifies unusual loading of scrobj.dll in non-standard processes, flagging potential misuse. By excluding common executables, it focuses on anomalous activity, aiding in early threat detection. - -### Possible investigation steps - -- Review the process executable path to confirm if it is indeed non-standard for loading scrobj.dll, as specified in the query. -- Check the parent process of the flagged executable to understand how it was initiated and assess if it aligns with typical behavior. -- Investigate the user account associated with the process execution to determine if it is a legitimate user or potentially compromised. -- Analyze recent activity on the host for any other suspicious behavior or anomalies that might correlate with the alert. -- Examine network connections from the host to identify any unusual or unauthorized external communications that could indicate malicious activity. -- Review historical data for similar alerts on the same host to identify patterns or repeated suspicious behavior. - -### False positive analysis - -- Legitimate administrative scripts may trigger the rule if they are executed using non-standard processes. 
To handle this, identify and document regular administrative tasks that use scriptlets and exclude these specific processes from the rule. -- Custom enterprise applications that utilize scrobj.dll for legitimate automation purposes might be flagged. Review these applications and add them to the exclusion list if they are verified as safe. -- Scheduled tasks or maintenance scripts that load scrobj.dll in non-standard processes can cause false positives. Regularly audit scheduled tasks and exclude known safe processes from the detection rule. -- Development or testing environments where scriptlets are frequently used for automation may generate alerts. Consider creating a separate rule set for these environments to reduce noise while maintaining security monitoring. - -### Response and remediation - -- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement. -- Terminate any suspicious processes identified as loading scrobj.dll in non-standard executables to halt malicious activity. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious scripts or files. -- Review and restore any altered system configurations or settings to their default state to ensure system integrity. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. -- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the processes identified in the detection rule. -- Update detection mechanisms to monitor for similar activities across the network, ensuring that any future attempts to exploit scrobj.dll are promptly identified and addressed.""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml index 68ef0312a..655aa605b 100644 --- a/rules/windows/defense_evasion_suspicious_short_program_name.toml +++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -40,7 +38,13 @@ is often done by adversaries while staging, executing temporary utilities, or tr on the process name. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Renamed Utility Executed with Short Program Name" diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 1320e4cf3..45706563e 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -22,30 +20,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Suspicious WMIC XSL Script Execution" -risk_score = 47 -rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by process.entity_id with maxspan = 2m -[process where host.os.type == "windows" and event.type == "start" and - (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and - process.args : ("format*:*", "/format*:*", "*-format*:*") and - not process.command_line : ("* /format:table *", "* /format:table")] -[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and - (?dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -81,6 +55,30 @@ Windows Management Instrumentation Command-line (WMIC) is a powerful tool for ma - Restore the system from a known good backup if any critical system files or configurations have been altered. - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +risk_score = 47 +rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by process.entity_id with maxspan = 2m +[process where host.os.type == "windows" and event.type == "start" and + (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and + process.args : ("format*:*", "/format*:*", "*-format*:*") and + not process.command_line : ("* /format:table *", "* /format:table")] +[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (?dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))] +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 71b4c64cb..2b461a36b 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml 
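Review bot: The `/format:table` exclusion in the moved query covers only the slash form, while the `process.args` clause also admits `-format*:*` and bare `format*:*`, so a `wmic ... -format:table` invocation still alerts; this is a false-positive source rather than a bypass, but the asymmetry is visible in the hunk. If the dash form is genuinely accepted by WMIC (the args clause implies the author believed so), mirror it in the exclusion: `not process.command_line : ("* /format:table *", "* /format:table", "* -format:table *", "* -format:table")`. The sequence's second stage is correctly scoped by `process.entity_id`, so no change is needed there. The `note` text preceding the hunk is unchanged and outside it.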
@@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -148,7 +146,6 @@ reference = "https://attack.mitre.org/techniques/T1055/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -161,3 +158,4 @@ reference = "https://attack.mitre.org/techniques/T1203/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 81e748f13..8fd05571f 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -39,7 +37,14 @@ Identifies an unexpected executable file being created or modified by a Windows indicate activity related to remote code execution or other forms of exploitation. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Unusual Executable File Creation by a System Critical Process" diff --git a/rules/windows/defense_evasion_timestomp_sysmon.toml b/rules/windows/defense_evasion_timestomp_sysmon.toml index 09ad7e813..2416be7f5 100644 --- a/rules/windows/defense_evasion_timestomp_sysmon.toml +++ b/rules/windows/defense_evasion_timestomp_sysmon.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2025/02/25" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,6 +16,41 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "File Creation Time Changed" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating File Creation Time Changed +File creation timestamps are crucial for tracking file history and integrity. Adversaries may alter these timestamps, a tactic known as timestomping, to disguise malicious files as benign. This detection rule leverages Sysmon logs to identify suspicious changes in file creation times, excluding trusted processes and file types, thus highlighting potential evasion attempts by attackers. + +### Possible investigation steps + +- Review the Sysmon logs to confirm the event code 2, which indicates a file creation time change, and verify the associated process and file details. +- Identify the process executable path that triggered the alert and determine if it is outside the list of trusted paths specified in the query. +- Check the file extension and name to ensure they are not part of the excluded types such as "temp", "tmp", or "LOG". +- Investigate the user account associated with the event to determine if it is a non-system account, as the query excludes "SYSTEM", "Local Service", and "Network Service". +- Correlate the file creation time change event with other security events or logs to identify any related suspicious activities or patterns. +- Assess the file's location and context to determine if it is in a sensitive or unusual directory that could indicate malicious intent. 
+- If necessary, perform a deeper forensic analysis on the file and process to identify any potential malicious behavior or indicators of compromise. + +### False positive analysis + +- Trusted software updates or installations may alter file creation times. Exclude known update processes like msiexec.exe from detection to reduce noise. +- System maintenance tasks, such as disk cleanup, can modify timestamps. Exclude cleanmgr.exe to prevent these benign changes from triggering alerts. +- User-initiated actions in trusted applications like Chrome or Firefox might change file creation times. Exclude these applications to avoid unnecessary alerts. +- Temporary files created by legitimate processes may have altered timestamps. Exclude file extensions like temp and tmp to minimize false positives. +- System accounts such as SYSTEM or Local Service may perform legitimate file operations. Exclude these user names to focus on suspicious activities. + +### Response and remediation + +- Isolate the affected system from the network to prevent further malicious activity and lateral movement by the adversary. +- Conduct a thorough review of the file in question to determine if it is malicious. Use a combination of antivirus scans and manual analysis to assess the file's behavior and origin. +- If the file is confirmed to be malicious, remove it from the system and any other locations it may have been copied to. Ensure that all associated processes are terminated. +- Restore any affected files from a known good backup to ensure data integrity and continuity. +- Review and update endpoint protection settings to ensure that similar threats are detected and blocked in the future. This may include adjusting Sysmon configurations to enhance logging and detection capabilities. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised. 
+- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases with any new indicators of compromise (IOCs) identified.""" risk_score = 47 rule_id = "166727ab-6768-4e26-b80c-948b228ffc06" severity = "medium" 
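Review bot: The false-positive section of the moved guide tells analysts to exclude `SYSTEM`/`Local Service` and `temp`/`tmp` extensions, but the query already carries exactly those exclusions (they appear as context at the start of the next hunk), so the bullets read as instructions to widen them, which would only add blind spots for service-level timestomping. Suggest replacing those two bullets with a sentence along the lines of: `The query already excludes SYSTEM, Local Service and Network Service as well as temp/tmp extensions; widen these only after confirming the process in question cannot be abused for timestomping, since malware running as a service operates under those accounts.` The `msiexec.exe` and `cleanmgr.exe` bullets may duplicate query exclusions in the same way, but the relevant query lines are outside this hunk.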
@@ -54,41 +87,6 @@ file where host.os.type == "windows" and not file.extension : ("temp", "tmp", "~tmp", "xml", "newcfg") and not user.name : ("SYSTEM", "Local Service", "Network Service") and not file.name : ("LOG", "temp-index", "license.rtf", "iconcache_*.db") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating File Creation Time Changed -File creation timestamps are crucial for tracking file history and integrity. Adversaries may alter these timestamps, a tactic known as timestomping, to disguise malicious files as benign. This detection rule leverages Sysmon logs to identify suspicious changes in file creation times, excluding trusted processes and file types, thus highlighting potential evasion attempts by attackers. - -### Possible investigation steps - -- Review the Sysmon logs to confirm the event code 2, which indicates a file creation time change, and verify the associated process and file details. -- Identify the process executable path that triggered the alert and determine if it is outside the list of trusted paths specified in the query. -- Check the file extension and name to ensure they are not part of the excluded types such as "temp", "tmp", or "LOG". -- Investigate the user account associated with the event to determine if it is a non-system account, as the query excludes "SYSTEM", "Local Service", and "Network Service". -- Correlate the file creation time change event with other security events or logs to identify any related suspicious activities or patterns. -- Assess the file's location and context to determine if it is in a sensitive or unusual directory that could indicate malicious intent. 
-- If necessary, perform a deeper forensic analysis on the file and process to identify any potential malicious behavior or indicators of compromise. - -### False positive analysis - -- Trusted software updates or installations may alter file creation times. Exclude known update processes like msiexec.exe from detection to reduce noise. -- System maintenance tasks, such as disk cleanup, can modify timestamps. Exclude cleanmgr.exe to prevent these benign changes from triggering alerts. -- User-initiated actions in trusted applications like Chrome or Firefox might change file creation times. Exclude these applications to avoid unnecessary alerts. -- Temporary files created by legitimate processes may have altered timestamps. Exclude file extensions like temp and tmp to minimize false positives. -- System accounts such as SYSTEM or Local Service may perform legitimate file operations. Exclude these user names to focus on suspicious activities. - -### Response and remediation - -- Isolate the affected system from the network to prevent further malicious activity and lateral movement by the adversary. -- Conduct a thorough review of the file in question to determine if it is malicious. Use a combination of antivirus scans and manual analysis to assess the file's behavior and origin. -- If the file is confirmed to be malicious, remove it from the system and any other locations it may have been copied to. Ensure that all associated processes are terminated. -- Restore any affected files from a known good backup to ensure data integrity and continuity. -- Review and update endpoint protection settings to ensure that similar threats are detected and blocked in the future. This may include adjusting Sysmon configurations to enhance logging and detection capabilities. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised. 
-- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases with any new indicators of compromise (IOCs) identified.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index c8905c483..020658983 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -39,7 +37,14 @@ Identifies suspicious creation of Alternate Data Streams on highly targeted file and sometimes done by adversaries to hide malware. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "Unusual File Creation - Alternate Data Stream" diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 2f097277e..4624bd373 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,33 +11,18 @@ Identifies processes running from an Alternate Data Stream. This is uncommon for
 by adversaries to hide malware.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Process Execution Path - Alternate Data Stream"
-risk_score = 47
-rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.args : "?:\\*:*" and process.args_count == 1
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -75,6 +58,29 @@ Alternate Data Streams (ADS) in Windows allow files to contain multiple data str
 - Restore any affected files or systems from known good backups to ensure system integrity.
 - Monitor the network for any unusual outbound traffic from the affected system that may indicate data exfiltration attempts.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised."""
+risk_score = 47
+rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.args : "?:\\*:*" and process.args_count == 1
+'''
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index 28aae9651..cb9954662 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -22,35 +20,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Network Connection via DllHost"
-references = [
- "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
- "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
- "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
-]
-risk_score = 47
-rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by host.id, process.entity_id with maxspan=1m
- [process where host.os.type == "windows" and event.type == "start" and process.name : "dllhost.exe" and process.args_count == 1]
- [network where host.os.type == "windows" and process.name : "dllhost.exe" and
- not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
- "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
- "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
- "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
- "FF00::/8")]
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -84,6 +53,35 @@ Dllhost.exe is a legitimate Windows process used to host DLL services. Adversari
 - Restore the affected system from a known good backup to ensure that any potential backdoors or persistent threats are removed.
 - Implement network segmentation to limit the ability of similar threats to spread across the network in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional organizational measures are required."""
+references = [
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
+ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
+]
+risk_score = 47
+rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by host.id, process.entity_id with maxspan=1m
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "dllhost.exe" and process.args_count == 1]
+ [network where host.os.type == "windows" and process.name : "dllhost.exe" and
+ not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
+ "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+ "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+ "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+ "FF00::/8")]
+'''
 [[rule.threat]]
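Review bot: The `cidrmatch` exclusion list in the relocated query suppresses every IPv4 private and special-use range but, on the IPv6 side, only `::1`, `FE80::/10` and `FF00::/8`; unique-local addresses are not covered, so a dllhost.exe connection to an internal IPv6 host in `fc00::/7` alerts while the equivalent RFC 1918 IPv4 connection is silently excluded. The list is only moved by this commit, so the asymmetry is pre-existing, but since the block is being rewritten anyway it is a one-token fix: append `"FC00::/7"` after `"FF00::/8"` in the `not cidrmatch(...)` call (and `"::FFFF:0:0/96"` if any of the listed data sources report IPv4-mapped addresses, which is not visible from this diff). The surrounding `[rule]` table continues outside the hunk.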
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index f18055065..537786d54 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 104bf15fb..cf511fd46 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index b1eadcddb..a63865675 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -23,30 +21,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Child Process from a System Virtual Process"
-risk_score = 73
-rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.parent.pid == 4 and process.executable : "?*" and
- not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -83,6 +57,30 @@ In Windows environments, the System process (PID 4) is a critical component resp
 - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated through other means.
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for the affected system and similar environments to detect any recurrence of the threat, focusing on process creation events and anomalies related to the System process."""
+risk_score = 73
+rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.pid == 4 and process.executable : "?*" and
+ not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe")
+'''
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 19e1a789a..355d989be 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender", "system"]
 maturity = "production"
-updated_date = "2025/02/24"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
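Review bot: The relocated query's exclusion `not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe")` trusts a case-insensitive path glob alone, so any PID-4 child whose reported image path is `<drive>:\Windows\System32\smss.exe` is dropped from a high-severity rule without any check that the image is the genuine session manager. The commit only moves this block, so it is a pre-existing gap rather than a regression, but while the query is being rewritten it is worth narrowing the smss.exe branch with a signer condition where the data source populates one, e.g. `not (process.executable : "?:\\Windows\\System32\\smss.exe" and process.code_signature.trusted == true)`; which of the six listed integrations actually fill `process.code_signature` is not visible here and would need checking per source before relying on it. The `[rule]` table this query belongs to starts outside the hunk.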
diff --git a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
index 8b47ab9f8..700431e7e 100644
--- a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
+++ b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2025/02/28"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/28"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,14 @@ Identifies the creation of a Windows Defender Application Control (WDAC) policy
 may use a secially crafted WDAC policy to restrict the execution of security products.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "WDAC Policy File by an Unusual Process"
@@ -46,7 +51,7 @@ note = """## Triage and analysis
 """
 references = [
 "https://github.com/logangoins/Krueger/tree/main",
- "https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/"
+ "https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/",
 ]
 risk_score = 73
 rule_id = "3aaf37f3-05a1-40a5-bb6e-e380c4f92c52"
@@ -81,8 +86,8 @@ name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
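Review bot: The context line `may use a secially crafted WDAC policy to restrict the execution of security products.` in the `@@ -13,7 +11,14 @@` hunk carries a typo in the rule's user-facing `description` (`secially` should be `specially`); this file is touched in four hunks by the commit, so fixing the word here avoids shipping it into the rendered rule documentation and waiting for a separate cleanup. The remaining hunks only reflow `index`, add a trailing comma to `references`, and move a blank line from before `[rule.threat.tactic]` to after its `reference`, all consistent with the layout the other rules in this diff now use.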
diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml
index 85d7318e9..2b3015a7d 100644
--- a/rules/windows/defense_evasion_windows_filtering_platform.toml
+++ b/rules/windows/defense_evasion_windows_filtering_platform.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/12/15"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,42 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Evasion via Windows Filtering Platform"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Evasion via Windows Filtering Platform
+
+The Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for network filtering and packet processing. Adversaries may exploit WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry data. The detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics.
+
+### Possible investigation steps
+
+- Review the specific network events that triggered the alert, focusing on the event.action values "windows-firewall-packet-block" and "windows-firewall-packet-drop" to understand which processes were blocked.
+- Identify the process names involved in the alert from the process.name field and verify if they are related to known endpoint security software, as listed in the query.
+- Check the winlog.computer_name field to determine which systems are affected and assess if multiple systems are involved, indicating a broader issue.
+- Investigate the recent changes to the Windows Filtering Platform rules on the affected systems to identify any unauthorized or suspicious modifications.
+- Correlate the blocked events with any recent security incidents or alerts to determine if there is a pattern or ongoing attack.
+- Consult system logs and security software logs on the affected systems for additional context or anomalies around the time of the alert.
+- Engage with the system or network administrators to verify if any legitimate changes were made to the WFP rules that could explain the blocked events.
+
+### False positive analysis
+
+- Security software updates or installations can trigger multiple block events as they modify network configurations. Users should monitor for these events during known update windows and consider excluding them from alerts.
+- Legitimate network troubleshooting or diagnostic tools may temporarily block network traffic as part of their operation. Identify these tools and create exceptions for their processes to prevent false alerts.
+- Custom security configurations or policies in enterprise environments might intentionally block certain network activities. Review and document these configurations to differentiate between expected behavior and potential threats.
+- Temporary network disruptions or misconfigurations can cause legitimate security processes to be blocked. Regularly audit network settings and ensure they align with security policies to minimize these occurrences.
+- Scheduled maintenance or testing of security systems might result in blocked events. Coordinate with IT teams to whitelist these activities during planned maintenance periods.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further malicious activity and data exfiltration.
+- Terminate any suspicious processes identified in the alert, particularly those related to endpoint security software, to restore normal security operations.
+- Review and remove any unauthorized or suspicious Windows Filtering Platform rules that may have been added to block security processes.
+- Conduct a thorough scan of the affected system using a trusted antivirus or endpoint detection and response (EDR) tool to identify and remove any malware or persistent threats.
+- Restore any affected security software to its default configuration and ensure it is fully operational and updated.
+- Monitor network traffic and system logs for any signs of continued evasion tactics or re-infection attempts.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
 references = [
 "https://github.com/dsnezhkov/shutter/tree/main",
 "https://github.com/netero1010/EDRSilencer/tree/main",
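Review bot: The relocated guide's remediation bullet `- Terminate any suspicious processes identified in the alert, particularly those related to endpoint security software, to restore normal security operations.` sends the responder after the wrong processes: in this rule the `process.name` values carried by the alert are the security products whose traffic is being blocked, i.e. the victims, so terminating them completes the attacker's objective. Suggest replacing it with `- Identify the process that registered the blocking WFP filters, terminate it and remove those filters, then restart the affected security agents and confirm they can reach their backends.`, which also lines up with the following bullet about removing unauthorized WFP rules. The text existed before this commit and is only being moved above `references`, so this is a pre-existing wording defect rather than a regression, but the move is the natural moment to correct it.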
@@ -98,42 +132,6 @@ sequence by winlog.computer_name with maxspan=1m
 "splunk.exe", "sysmon.exe", "sysmon64.exe", "taniumclient.exe"
 )] with runs=5
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential Evasion via Windows Filtering Platform
-
-The Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for network filtering and packet processing. Adversaries may exploit WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry data. The detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics.
-
-### Possible investigation steps
-
-- Review the specific network events that triggered the alert, focusing on the event.action values "windows-firewall-packet-block" and "windows-firewall-packet-drop" to understand which processes were blocked.
-- Identify the process names involved in the alert from the process.name field and verify if they are related to known endpoint security software, as listed in the query.
-- Check the winlog.computer_name field to determine which systems are affected and assess if multiple systems are involved, indicating a broader issue.
-- Investigate the recent changes to the Windows Filtering Platform rules on the affected systems to identify any unauthorized or suspicious modifications.
-- Correlate the blocked events with any recent security incidents or alerts to determine if there is a pattern or ongoing attack.
-- Consult system logs and security software logs on the affected systems for additional context or anomalies around the time of the alert.
-- Engage with the system or network administrators to verify if any legitimate changes were made to the WFP rules that could explain the blocked events.
-
-### False positive analysis
-
-- Security software updates or installations can trigger multiple block events as they modify network configurations. Users should monitor for these events during known update windows and consider excluding them from alerts.
-- Legitimate network troubleshooting or diagnostic tools may temporarily block network traffic as part of their operation. Identify these tools and create exceptions for their processes to prevent false alerts.
-- Custom security configurations or policies in enterprise environments might intentionally block certain network activities. Review and document these configurations to differentiate between expected behavior and potential threats.
-- Temporary network disruptions or misconfigurations can cause legitimate security processes to be blocked. Regularly audit network settings and ensure they align with security policies to minimize these occurrences.
-- Scheduled maintenance or testing of security systems might result in blocked events. Coordinate with IT teams to whitelist these activities during planned maintenance periods.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further malicious activity and data exfiltration.
-- Terminate any suspicious processes identified in the alert, particularly those related to endpoint security software, to restore normal security operations.
-- Review and remove any unauthorized or suspicious Windows Filtering Platform rules that may have been added to block security processes.
-- Conduct a thorough scan of the affected system using a trusted antivirus or endpoint detection and response (EDR) tool to identify and remove any malware or persistent threats.
-- Restore any affected security software to its default configuration and ensure it is fully operational and updated.
-- Monitor network traffic and system logs for any signs of continued evasion tactics or re-infection attempts.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index b420a15a1..d66cd9d3e 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/03/02"
 integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index fcad58bae..f0dae674a 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -24,6 +22,40 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Windows Subsystem for Linux"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Execution via Windows Subsystem for Linux
+
+Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute Linux commands stealthily, bypassing traditional Windows security measures. The detection rule identifies unusual WSL activity by monitoring specific executable paths, command-line arguments, and parent-child process relationships, flagging deviations from typical usage patterns to uncover potential threats.
+
+### Possible investigation steps
+
+- Review the process command line and executable path to determine if the execution of bash.exe or any other Linux binaries is expected or authorized for the user or system in question.
+- Investigate the parent-child process relationship, especially focusing on whether wsl.exe is the parent process and if it has spawned any unexpected child processes that are not wslhost.exe.
+- Examine the command-line arguments used with wsl.exe for any suspicious or unauthorized commands, such as accessing sensitive files like /etc/shadow or /etc/passwd, or using network tools like curl.
+- Check the user's activity history and system logs to identify any patterns of behavior that might indicate misuse or compromise, particularly focusing on any deviations from typical usage patterns.
+- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and determine if this is part of a broader attack or isolated incident.
+
+### False positive analysis
+
+- Frequent use of WSL for legitimate development tasks may trigger alerts. Users can create exceptions for specific user accounts or directories commonly used for development to reduce noise.
+- Automated scripts or tools that utilize WSL for system maintenance or monitoring might be flagged. Identify these scripts and whitelist their specific command-line patterns or parent processes.
+- Docker-related processes may cause false positives due to their interaction with WSL. Exclude Docker executable paths from the detection rule to prevent unnecessary alerts.
+- Visual Studio Code extensions that interact with WSL can generate alerts. Exclude known non-threatening extensions by specifying their command-line arguments in the exception list.
+- Regular system updates or administrative tasks that involve WSL might be misidentified. Document these activities and adjust the detection rule to recognize them as benign.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate any suspicious processes identified by the detection rule, such as those involving bash.exe or wsl.exe with unusual command-line arguments.
+- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify any unauthorized changes or installations.
+- Remove any unauthorized or suspicious Linux binaries or scripts found within the WSL environment.
+- Reset credentials for any accounts that may have been compromised, especially if sensitive files like /etc/shadow or /etc/passwd were accessed.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for WSL activities across the network to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon."""
 references = [
 "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
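Review bot: The relocated guide's false-positive bullet `- Docker-related processes may cause false positives due to their interaction with WSL. Exclude Docker executable paths from the detection rule to prevent unnecessary alerts.` instructs analysts to add an exclusion the query already contains — its closing clause, visible as context in the next hunk, is `not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")`. Suggest rewording it to describe the existing exclusion and the residual case, e.g. `- Docker Desktop is already excluded by parent executable path; if Docker is installed under a different path, extend that exclusion rather than excepting wsl.exe or bash.exe wholesale.` The preceding bullet's advice to exclude whole user accounts or directories is also broader than a rule that, by the guide's own description, keys on arguments such as `/etc/shadow` and `curl` needs; scoping exceptions to the benign argument patterns keeps the sensitive-file branch intact. The text is only moved by this commit, so this is a pre-existing inconsistency, but the move is the right moment to fix it.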
@@ -67,40 +99,6 @@ process where host.os.type == "windows" and event.type : "start" and
 ) and not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Execution via Windows Subsystem for Linux
-
-Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute Linux commands stealthily, bypassing traditional Windows security measures. The detection rule identifies unusual WSL activity by monitoring specific executable paths, command-line arguments, and parent-child process relationships, flagging deviations from typical usage patterns to uncover potential threats.
-
-### Possible investigation steps
-
-- Review the process command line and executable path to determine if the execution of bash.exe or any other Linux binaries is expected or authorized for the user or system in question.
-- Investigate the parent-child process relationship, especially focusing on whether wsl.exe is the parent process and if it has spawned any unexpected child processes that are not wslhost.exe.
-- Examine the command-line arguments used with wsl.exe for any suspicious or unauthorized commands, such as accessing sensitive files like /etc/shadow or /etc/passwd, or using network tools like curl.
-- Check the user's activity history and system logs to identify any patterns of behavior that might indicate misuse or compromise, particularly focusing on any deviations from typical usage patterns.
-- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and determine if this is part of a broader attack or isolated incident.
-
-### False positive analysis
-
-- Frequent use of WSL for legitimate development tasks may trigger alerts. Users can create exceptions for specific user accounts or directories commonly used for development to reduce noise.
-- Automated scripts or tools that utilize WSL for system maintenance or monitoring might be flagged. Identify these scripts and whitelist their specific command-line patterns or parent processes.
-- Docker-related processes may cause false positives due to their interaction with WSL. Exclude Docker executable paths from the detection rule to prevent unnecessary alerts.
-- Visual Studio Code extensions that interact with WSL can generate alerts. Exclude known non-threatening extensions by specifying their command-line arguments in the exception list.
-- Regular system updates or administrative tasks that involve WSL might be misidentified. Document these activities and adjust the detection rule to recognize them as benign.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
-- Terminate any suspicious processes identified by the detection rule, such as those involving bash.exe or wsl.exe with unusual command-line arguments.
-- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify any unauthorized changes or installations.
-- Remove any unauthorized or suspicious Linux binaries or scripts found within the WSL environment.
-- Reset credentials for any accounts that may have been compromised, especially if sensitive files like /etc/shadow or /etc/passwd were accessed.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Implement enhanced monitoring and logging for WSL activities across the network to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon."""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index cd43a1c76..a8fa622b3 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,6 +25,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Execution via Windows Subsystem for Linux" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Execution via Windows Subsystem for Linux + +Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute malicious scripts or binaries, bypassing traditional Windows security mechanisms. The detection rule identifies suspicious executions initiated by WSL processes, excluding known safe executables, to flag potential misuse for defense evasion. + +### Possible investigation steps + +- Review the process details to identify the executable path and determine if it matches any known malicious or suspicious binaries not listed in the safe executables. +- Investigate the parent process, specifically wsl.exe or wslhost.exe, to understand how the execution was initiated and if it aligns with expected user behavior or scheduled tasks. +- Check the user account associated with the process execution to verify if the activity is consistent with the user's typical behavior or if the account may have been compromised. +- Analyze the event dataset, especially if it is from crowdstrike.fdr, to gather additional context about the process execution and any related activities on the host. +- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or SentinelOne to identify any related suspicious activities or patterns. 
+- Assess the risk score and severity in the context of the organization's environment to prioritize the investigation and response actions accordingly. + +### False positive analysis + +- Legitimate administrative tasks using WSL may trigger alerts. Users can create exceptions for known administrative scripts or binaries that are frequently executed via WSL. +- Development environments often use WSL for compiling or testing code. Exclude specific development tools or scripts that are regularly used by developers to prevent unnecessary alerts. +- Automated system maintenance scripts running through WSL can be mistaken for malicious activity. Identify and whitelist these scripts to reduce false positives. +- Security tools or monitoring solutions that leverage WSL for legitimate purposes should be identified and excluded from detection to avoid interference with their operations. +- Frequent use of WSL by specific users or groups for non-malicious purposes can be managed by creating user-based exceptions, allowing their activities to proceed without triggering alerts. + +### Response and remediation + +- Isolate the affected system from the network to prevent further malicious activity and lateral movement. +- Terminate any suspicious processes identified as being executed via WSL that are not part of the known safe executables list. +- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify unauthorized changes or installations. +- Remove any unauthorized or malicious scripts and binaries found within the WSL environment. +- Restore the system from a known good backup if malicious activity has compromised system integrity. +- Update and patch the system to ensure all software, including WSL, is up to date to mitigate known vulnerabilities. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"] risk_score = 47 rule_id = "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd" 
@@ -73,41 +106,6 @@ process where host.os.type == "windows" and event.type : "start" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Execution via Windows Subsystem for Linux - -Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute malicious scripts or binaries, bypassing traditional Windows security mechanisms. The detection rule identifies suspicious executions initiated by WSL processes, excluding known safe executables, to flag potential misuse for defense evasion. - -### Possible investigation steps - -- Review the process details to identify the executable path and determine if it matches any known malicious or suspicious binaries not listed in the safe executables. -- Investigate the parent process, specifically wsl.exe or wslhost.exe, to understand how the execution was initiated and if it aligns with expected user behavior or scheduled tasks. -- Check the user account associated with the process execution to verify if the activity is consistent with the user's typical behavior or if the account may have been compromised. -- Analyze the event dataset, especially if it is from crowdstrike.fdr, to gather additional context about the process execution and any related activities on the host. -- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or SentinelOne to identify any related suspicious activities or patterns. 
-- Assess the risk score and severity in the context of the organization's environment to prioritize the investigation and response actions accordingly. - -### False positive analysis - -- Legitimate administrative tasks using WSL may trigger alerts. Users can create exceptions for known administrative scripts or binaries that are frequently executed via WSL. -- Development environments often use WSL for compiling or testing code. Exclude specific development tools or scripts that are regularly used by developers to prevent unnecessary alerts. -- Automated system maintenance scripts running through WSL can be mistaken for malicious activity. Identify and whitelist these scripts to reduce false positives. -- Security tools or monitoring solutions that leverage WSL for legitimate purposes should be identified and excluded from detection to avoid interference with their operations. -- Frequent use of WSL by specific users or groups for non-malicious purposes can be managed by creating user-based exceptions, allowing their activities to proceed without triggering alerts. - -### Response and remediation - -- Isolate the affected system from the network to prevent further malicious activity and lateral movement. -- Terminate any suspicious processes identified as being executed via WSL that are not part of the known safe executables list. -- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify unauthorized changes or installations. -- Remove any unauthorized or malicious scripts and binaries found within the WSL environment. -- Restore the system from a known good backup if malicious activity has compromised system integrity. -- Update and patch the system to ensure all software, including WSL, is up to date to mitigate known vulnerabilities. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index d6481083c..3fbc26826 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml +++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml index f653d30cd..9e1a41269 100644 --- a/rules/windows/defense_evasion_wsl_filesystem.toml +++ b/rules/windows/defense_evasion_wsl_filesystem.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -22,31 +20,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Host Files System Changes via Windows Subsystem for Linux" -references = ["https://github.com/microsoft/WSL"] -risk_score = 47 -rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -sequence by process.entity_id with maxspan=5m - [process where host.os.type == "windows" and event.type == "start" and - process.name : "dllhost.exe" and - /* Plan9FileSystem CLSID - WSL Host File System Worker */ - process.command_line : "*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*"] - [file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -81,6 +54,31 @@ Windows Subsystem for Linux (WSL) allows users to run a Linux environment direct - Update and patch the Windows Subsystem for Linux and related components to mitigate any known vulnerabilities that could be exploited. - Monitor for any recurrence of similar activities by setting up alerts for processes and file operations involving "dllhost.exe" and the Plan9FileSystem. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +references = ["https://github.com/microsoft/WSL"] +risk_score = 47 +rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +sequence by process.entity_id with maxspan=5m + [process where host.os.type == "windows" and event.type == "start" and + process.name : "dllhost.exe" and + /* Plan9FileSystem CLSID - WSL Host File System Worker */ + process.command_line : "*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*"] + [file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"] +''' [[rule.threat]] diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml index 3c99fb560..45c30daed 100644 --- a/rules/windows/defense_evasion_wsl_kalilinux.toml +++ b/rules/windows/defense_evasion_wsl_kalilinux.toml 
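Review bot: The second step of the moved sequence, `[file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"]`, carves out the user's Downloads folder without saying why, and that carve-out is also a blind spot: a payload copied from the WSL distro into Downloads through the Plan9 file-system worker never completes the sequence. If the exclusion is there to suppress routine user copies out of WSL, record the trade-off in the query, e.g. `/* Downloads excluded as noisy for user-initiated copies; payload staging there is not covered */` on the line above the file step. The file step also places no restriction on `event.type`, so a deletion or rename by the worker completes the sequence as readily as a write; if that is intended, a short comment would stop the next reader from treating it as an oversight.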
@@ -2,9 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -27,6 +25,40 @@ index = [ language = "eql" license = "Elastic License v2" name = "Attempt to Install Kali Linux via WSL" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Attempt to Install Kali Linux via WSL + +Windows Subsystem for Linux (WSL) allows users to run Linux distributions on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to install Kali Linux, a penetration testing distribution, to evade detection by traditional Windows security tools. The detection rule identifies suspicious processes and file paths associated with Kali Linux installations, flagging potential misuse for defense evasion. + +### Possible investigation steps + +- Review the process details to confirm the presence of "wsl.exe" with arguments indicating an attempt to install or use Kali Linux, such as "-d", "--distribution", "-i", or "--install". +- Check the file paths associated with the Kali Linux installation, such as "?:\\Users\\*\\AppData\\Local\\packages\\kalilinux*" or "?:\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe", to verify if the installation files exist on the system. +- Investigate the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious. +- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns. +- Assess the risk and impact of the detected activity by considering the context of the environment and any potential threats posed by the use of Kali Linux on the system. 
+ +### False positive analysis + +- Legitimate use of Kali Linux for development or educational purposes may trigger the rule. Users can create exceptions for specific user accounts or groups known to use Kali Linux for authorized activities. +- Automated scripts or deployment tools that install or configure Kali Linux as part of a legitimate IT process might be flagged. Consider whitelisting these scripts or processes by their hash or path. +- Security researchers or IT professionals conducting penetration testing on a Windows machine may cause false positives. Implement user-based exclusions for these professionals to prevent unnecessary alerts. +- System administrators testing WSL features with various Linux distributions, including Kali, could inadvertently trigger the rule. Establish a policy to document and approve such activities, then exclude them from detection. +- Training environments where Kali Linux is used to teach cybersecurity skills might be mistakenly flagged. Set up environment-specific exclusions to avoid disrupting educational activities. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent any potential lateral movement or data exfiltration. +- Terminate any suspicious processes related to the Kali Linux installation attempt, specifically those involving `wsl.exe` with arguments indicating a Kali distribution. +- Remove any unauthorized installations of Kali Linux by deleting associated files and directories, such as those found in `AppData\\\\Local\\\\packages\\\\kalilinux*` or `Program Files*\\\\WindowsApps\\\\KaliLinux.*`. +- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized access or privilege escalation has occurred. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. 
+- Implement additional monitoring and alerting for similar activities across the network, focusing on WSL usage and installation attempts of known penetration testing tools. +- Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, leveraging data sources like Microsoft Defender for Endpoint and Sysmon.""" references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"] risk_score = 73 rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e" 
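Review bot: The Response and remediation bullet in the new `note` writes the paths as `AppData\\\\Local\\\\packages\\\\kalilinux*` and `Program Files*\\\\WindowsApps\\\\KaliLinux.*`, which inside a TOML basic multi-line string decode to doubled backslashes, so the rendered guide shows `AppData\\Local\\...` while the investigation-steps bullet above it (written with `\\`) shows single separators. The two bullets describe the same locations and should match; change them to `AppData\\Local\\packages\\kalilinux*` and `Program Files*\\WindowsApps\\KaliLinux.*`. The text is moved rather than newly written (the same wording is removed further down), so this is pre-existing, but the move is the natural point to fix it.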
@@ -62,40 +94,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Attempt to Install Kali Linux via WSL - -Windows Subsystem for Linux (WSL) allows users to run Linux distributions on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to install Kali Linux, a penetration testing distribution, to evade detection by traditional Windows security tools. The detection rule identifies suspicious processes and file paths associated with Kali Linux installations, flagging potential misuse for defense evasion. - -### Possible investigation steps - -- Review the process details to confirm the presence of "wsl.exe" with arguments indicating an attempt to install or use Kali Linux, such as "-d", "--distribution", "-i", or "--install". -- Check the file paths associated with the Kali Linux installation, such as "?:\\Users\\*\\AppData\\Local\\packages\\kalilinux*" or "?:\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe", to verify if the installation files exist on the system. -- Investigate the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious. -- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns. -- Assess the risk and impact of the detected activity by considering the context of the environment and any potential threats posed by the use of Kali Linux on the system. 
- -### False positive analysis - -- Legitimate use of Kali Linux for development or educational purposes may trigger the rule. Users can create exceptions for specific user accounts or groups known to use Kali Linux for authorized activities. -- Automated scripts or deployment tools that install or configure Kali Linux as part of a legitimate IT process might be flagged. Consider whitelisting these scripts or processes by their hash or path. -- Security researchers or IT professionals conducting penetration testing on a Windows machine may cause false positives. Implement user-based exclusions for these professionals to prevent unnecessary alerts. -- System administrators testing WSL features with various Linux distributions, including Kali, could inadvertently trigger the rule. Establish a policy to document and approve such activities, then exclude them from detection. -- Training environments where Kali Linux is used to teach cybersecurity skills might be mistakenly flagged. Set up environment-specific exclusions to avoid disrupting educational activities. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent any potential lateral movement or data exfiltration. -- Terminate any suspicious processes related to the Kali Linux installation attempt, specifically those involving `wsl.exe` with arguments indicating a Kali distribution. -- Remove any unauthorized installations of Kali Linux by deleting associated files and directories, such as those found in `AppData\\\\Local\\\\packages\\\\kalilinux*` or `Program Files*\\\\WindowsApps\\\\KaliLinux.*`. -- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized access or privilege escalation has occurred. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. 
-- Implement additional monitoring and alerting for similar activities across the network, focusing on WSL usage and installation attempts of known penetration testing tools. -- Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, leveraging data sources like Microsoft Defender for Endpoint and Sysmon.""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml index 912dbf470..04dda33d9 100644 --- a/rules/windows/defense_evasion_wsl_registry_modification.toml +++ b/rules/windows/defense_evasion_wsl_registry_modification.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -19,7 +17,7 @@ index = [ "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", - "logs-sentinel_one_cloud_funnel.*" + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml index 5f7fdd360..154f03672 100644 --- a/rules/windows/discovery_adfind_command_activity.toml +++ b/rules/windows/discovery_adfind_command_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index c6859be0d..79c6b4eb5 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml index 6a9ece612..95fbfd10c 100644 --- a/rules/windows/discovery_command_system_account.toml +++ b/rules/windows/discovery_command_system_account.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml index fd505cadc..885e2d7cf 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/27" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml index f42ccbff5..aaea4bfe4 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml @@ -2,9 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/02/22" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml index 383c06fb8..fee2c05af 100644 --- a/rules/windows/discovery_group_policy_object_discovery.toml +++ b/rules/windows/discovery_group_policy_object_discovery.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/18" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml index e3f6379ae..52bb2e236 100644 --- a/rules/windows/discovery_high_number_ad_properties.toml +++ b/rules/windows/discovery_high_number_ad_properties.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/29" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,38 +15,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Access to LDAP Attributes" -risk_score = 73 -rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e" -setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). -Steps to implement the logging policy with Advanced Audit Configuration: - -Computer Configuration > -Policies > -Windows Settings > -Security Settings > -Advanced Audit Policies Configuration > -Audit Policies > -DS Access > -Audit Directory Service Changes (Success,Failure) -""" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Windows Security Event Logs", - "Data Source: Active Directory", - "Data Source: Windows", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -any where event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and - winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000 -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -83,6 +49,38 @@ LDAP (Lightweight Directory Access Protocol) is crucial for querying and modifyi - Implement additional monitoring on LDAP queries and Active Directory access to detect similar patterns of excessive attribute queries in the future. - Review and tighten access controls and permissions within Active Directory to ensure that only necessary attributes are accessible to users based on their roles. - Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence of similar threats.""" +risk_score = 73 +rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e" +setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). +Steps to implement the logging policy with Advanced Audit Configuration: + +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +""" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Windows Security Event Logs", + "Data Source: Active Directory", + "Data Source: Windows", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +any where event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and + winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000 +''' [[rule.threat]] diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml index 91b672472..dcc46b623 100644 --- a/rules/windows/discovery_peripheral_device.toml +++ b/rules/windows/discovery_peripheral_device.toml 
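Review bot: The `setup` text moved in this hunk tells operators to enable `Audit Directory Service Changes`, but the query keys on `event.code == "4662"`, which per the Windows audit policy documentation is emitted by the `Audit Directory Service Access` subcategory (Directory Service Changes produces the 513x object-change events), so a deployment that follows the setup literally never produces the event this rule needs. Change the first line to `The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).` and the last policy line to `Audit Directory Service Access (Success,Failure)`. It is also worth a sentence in `setup` noting that 4662 for `Read Property` is only logged for objects carrying a matching SACL, which I believe is not the default for most attribute reads, so the policy alone may not be sufficient — confirm against the environment before relying on the rule.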
@@ -2,9 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml index d445261d7..5343b81ad 100644 --- a/rules/windows/discovery_posh_invoke_sharefinder.toml +++ b/rules/windows/discovery_posh_invoke_sharefinder.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/17" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml index 01d1b4681..66ea6c6a2 100644 --- a/rules/windows/discovery_posh_suspicious_api_functions.toml +++ b/rules/windows/discovery_posh_suspicious_api_functions.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2024/10/28" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -78,7 +76,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -117,13 +124,14 @@ event.category:process and host.os.type:windows and ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" - +case_insensitive = true +value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -135,6 +143,7 @@ id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" @@ -144,16 +153,17 @@ id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" -[[rule.threat.technique]] -id = "T1482" -name = "Domain Trust Discovery" -reference = "https://attack.mitre.org/techniques/T1482/" [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" +[[rule.threat.technique]] +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" + [rule.threat.tactic] id = "TA0007" 
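Review bot: The rewritten filter keeps a negated wildcard exclusion on `file.path` for `?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\*` with no comment on why scripts from that directory are exempt from a rule that hunts suspicious API usage in script blocks. Presumably the Defender for Endpoint sensor stages its own PowerShell collection scripts there; a one-line TOML comment above the `[[rule.filters]]` table, e.g. `# MDE sensor stages its own PowerShell collection scripts here; excluded to avoid self-alerting`, would record that. Because the match is on a path string, it is worth confirming the directory is not writable by unprivileged users, otherwise dropping a script there is a trivial way to evade the rule. The switch from quoted `"case_insensitive"` / `"value"` to bare keys is correct TOML and reads better.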
@@ -181,16 +191,14 @@ reference = "https://attack.mitre.org/techniques/T1106/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" + [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index 971ad80dd..06b50368e 100644 --- a/rules/windows/discovery_privileged_localgroup_membership.toml +++ b/rules/windows/discovery_privileged_localgroup_membership.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/15" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ 
@@ -165,33 +164,34 @@ host.os.type:windows and event.category:iam and event.action:user-member-enumera ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."winlog.event_data.CallerProcessName"] -"case_insensitive" = true -"value" = "C:\\\\Program Files (x86)\\\\*.exe" - +case_insensitive = true +value = "C:\\\\Program Files (x86)\\\\*.exe" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."winlog.event_data.CallerProcessName"] -"case_insensitive" = true -"value" = "C:\\\\Program Files\\\\*.exe" - +case_insensitive = true +value = "C:\\\\Program Files\\\\*.exe" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -200,7 +200,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index ed30c3034..0c166da5f 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/02/22" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -76,7 +74,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", - "Data Source: Windows Security Event Logs" + "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml index 3cc541369..74799bd0d 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -27,6 +25,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Command Execution via SolarWinds Process" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Command Execution via SolarWinds Process + +SolarWinds is a widely used IT management tool that can be targeted by adversaries to execute unauthorized commands. Attackers may exploit SolarWinds processes to launch command-line interpreters like Cmd.exe or Powershell.exe, potentially leading to system compromise. The detection rule identifies suspicious child processes initiated by specific SolarWinds executables, flagging potential misuse by correlating process start events with known SolarWinds parent processes. This helps in early detection of malicious activities leveraging SolarWinds for command execution. + +### Possible investigation steps + +- Review the alert details to identify the specific SolarWinds parent process that initiated the suspicious child process (Cmd.exe or Powershell.exe) and note the exact executable name and path. +- Examine the timeline of events around the process start event to identify any preceding or subsequent suspicious activities, such as unusual network connections or file modifications. +- Check the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential compromise or misuse. +- Investigate the command line arguments used by the child process to assess if they contain any malicious or unexpected commands. 
+- Correlate the event with other security logs and alerts from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify potential patterns of malicious behavior. +- Assess the system's current state for any indicators of compromise, such as unauthorized changes to system configurations or the presence of known malware signatures. + +### False positive analysis + +- Routine administrative tasks using SolarWinds may trigger the rule when legitimate scripts are executed via Cmd.exe or Powershell.exe. Users can create exceptions for known maintenance scripts or tasks that are regularly scheduled and verified as safe. +- Automated updates or patches initiated by SolarWinds processes might be flagged. To mitigate this, users should whitelist specific update processes or scripts that are part of the regular update cycle. +- Monitoring or diagnostic activities performed by IT staff using SolarWinds tools can result in false positives. Establish a baseline of normal activities and exclude these from alerts by identifying and documenting regular diagnostic commands. +- Custom scripts developed for internal use that leverage SolarWinds processes could be misidentified as threats. Ensure these scripts are reviewed and approved, then add them to an exception list to prevent unnecessary alerts. +- Third-party integrations with SolarWinds that require command execution might be mistakenly flagged. Verify the legitimacy of these integrations and exclude their associated processes from detection rules. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement. +- Terminate any suspicious child processes such as Cmd.exe or Powershell.exe that were initiated by the identified SolarWinds parent processes. 
+- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise. +- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed. +- Update and patch the SolarWinds software and any other vulnerable applications on the affected system to mitigate known vulnerabilities. +- Implement application whitelisting to prevent unauthorized execution of command-line interpreters from SolarWinds processes. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" references = [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc", 
@@ -63,41 +96,6 @@ process.parent.name: ( "SolarwindsDiagnostics*.exe" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Command Execution via SolarWinds Process - -SolarWinds is a widely used IT management tool that can be targeted by adversaries to execute unauthorized commands. Attackers may exploit SolarWinds processes to launch command-line interpreters like Cmd.exe or Powershell.exe, potentially leading to system compromise. The detection rule identifies suspicious child processes initiated by specific SolarWinds executables, flagging potential misuse by correlating process start events with known SolarWinds parent processes. This helps in early detection of malicious activities leveraging SolarWinds for command execution. - -### Possible investigation steps - -- Review the alert details to identify the specific SolarWinds parent process that initiated the suspicious child process (Cmd.exe or Powershell.exe) and note the exact executable name and path. -- Examine the timeline of events around the process start event to identify any preceding or subsequent suspicious activities, such as unusual network connections or file modifications. -- Check the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential compromise or misuse. -- Investigate the command line arguments used by the child process to assess if they contain any malicious or unexpected commands. -- Correlate the event with other security logs and alerts from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify potential patterns of malicious behavior. 
-- Assess the system's current state for any indicators of compromise, such as unauthorized changes to system configurations or the presence of known malware signatures. - -### False positive analysis - -- Routine administrative tasks using SolarWinds may trigger the rule when legitimate scripts are executed via Cmd.exe or Powershell.exe. Users can create exceptions for known maintenance scripts or tasks that are regularly scheduled and verified as safe. -- Automated updates or patches initiated by SolarWinds processes might be flagged. To mitigate this, users should whitelist specific update processes or scripts that are part of the regular update cycle. -- Monitoring or diagnostic activities performed by IT staff using SolarWinds tools can result in false positives. Establish a baseline of normal activities and exclude these from alerts by identifying and documenting regular diagnostic commands. -- Custom scripts developed for internal use that leverage SolarWinds processes could be misidentified as threats. Ensure these scripts are reviewed and approved, then add them to an exception list to prevent unnecessary alerts. -- Third-party integrations with SolarWinds that require command execution might be mistakenly flagged. Verify the legitimacy of these integrations and exclude their associated processes from detection rules. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement. -- Terminate any suspicious child processes such as Cmd.exe or Powershell.exe that were initiated by the identified SolarWinds parent processes. -- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise. -- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed. 
-- Update and patch the SolarWinds software and any other vulnerable applications on the affected system to mitigate known vulnerabilities. -- Implement application whitelisting to prevent unauthorized execution of command-line interpreters from SolarWinds processes. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" [[rule.threat]] diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index 5ae3834e2..403cac210 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -28,6 +26,40 @@ index = [ language = "eql" license = "Elastic License v2" name = "Execution of COM object via Xwizard" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Execution of COM object via Xwizard + +The Windows Component Object Model (COM) facilitates communication between software components. Adversaries exploit this by using Xwizard to execute COM objects, bypassing security measures. The detection rule identifies suspicious Xwizard executions by monitoring process starts, checking for unusual arguments, and verifying executable paths, thus flagging potential misuse of COM objects for malicious activities. + +### Possible investigation steps + +- Review the process start event details to confirm the presence of xwizard.exe execution, focusing on the process.name and process.pe.original_file_name fields. +- Examine the process.args field to identify any unusual or suspicious arguments, particularly looking for the "RunWizard" command and any GUIDs or patterns that may indicate malicious activity. +- Verify the process.executable path to ensure it matches the expected system paths (C:\\Windows\\SysWOW64\\xwizard.exe or C:\\Windows\\System32\\xwizard.exe). Investigate any deviations from these paths as potential indicators of compromise. +- Check the parent process of xwizard.exe to understand the context of its execution and identify any potentially malicious parent processes. +- Correlate the event with other security data sources such as Microsoft Defender for Endpoint or Sysmon logs to gather additional context and identify any related suspicious activities or patterns. 
+- Investigate the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential unauthorized access or privilege escalation. + +### False positive analysis + +- Legitimate software installations or updates may trigger the rule if they use Xwizard to execute COM objects. Users can create exceptions for known software update processes by verifying the executable paths and arguments. +- System administrators might use Xwizard for legitimate configuration tasks. To handle this, identify and document regular administrative activities and exclude these from the rule by specifying the expected process arguments and executable paths. +- Automated scripts or management tools that utilize Xwizard for system management tasks can cause false positives. Review and whitelist these scripts or tools by ensuring their execution paths and arguments are consistent with known safe operations. +- Some security tools or monitoring solutions might use Xwizard as part of their normal operations. Confirm these activities with the tool's documentation and exclude them by adding their specific execution patterns to the exception list. + +### Response and remediation + +- Isolate the affected system from the network to prevent further malicious activity and lateral movement. +- Terminate any suspicious xwizard.exe processes identified by the detection rule to halt potential malicious execution. +- Conduct a thorough review of the system's registry for unauthorized COM objects and remove any entries that are not recognized or are deemed malicious. +- Restore the system from a known good backup if unauthorized changes or persistent threats are detected. +- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
+- Monitor the network for any signs of similar activity or related threats, ensuring that detection systems are tuned to identify variations of this attack. +- Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected.""" references = [ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", 
@@ -67,40 +99,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Execution of COM object via Xwizard - -The Windows Component Object Model (COM) facilitates communication between software components. Adversaries exploit this by using Xwizard to execute COM objects, bypassing security measures. The detection rule identifies suspicious Xwizard executions by monitoring process starts, checking for unusual arguments, and verifying executable paths, thus flagging potential misuse of COM objects for malicious activities. - -### Possible investigation steps - -- Review the process start event details to confirm the presence of xwizard.exe execution, focusing on the process.name and process.pe.original_file_name fields. -- Examine the process.args field to identify any unusual or suspicious arguments, particularly looking for the "RunWizard" command and any GUIDs or patterns that may indicate malicious activity. -- Verify the process.executable path to ensure it matches the expected system paths (C:\\Windows\\SysWOW64\\xwizard.exe or C:\\Windows\\System32\\xwizard.exe). Investigate any deviations from these paths as potential indicators of compromise. -- Check the parent process of xwizard.exe to understand the context of its execution and identify any potentially malicious parent processes. -- Correlate the event with other security data sources such as Microsoft Defender for Endpoint or Sysmon logs to gather additional context and identify any related suspicious activities or patterns. 
-- Investigate the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential unauthorized access or privilege escalation. - -### False positive analysis - -- Legitimate software installations or updates may trigger the rule if they use Xwizard to execute COM objects. Users can create exceptions for known software update processes by verifying the executable paths and arguments. -- System administrators might use Xwizard for legitimate configuration tasks. To handle this, identify and document regular administrative activities and exclude these from the rule by specifying the expected process arguments and executable paths. -- Automated scripts or management tools that utilize Xwizard for system management tasks can cause false positives. Review and whitelist these scripts or tools by ensuring their execution paths and arguments are consistent with known safe operations. -- Some security tools or monitoring solutions might use Xwizard as part of their normal operations. Confirm these activities with the tool's documentation and exclude them by adding their specific execution patterns to the exception list. - -### Response and remediation - -- Isolate the affected system from the network to prevent further malicious activity and lateral movement. -- Terminate any suspicious xwizard.exe processes identified by the detection rule to halt potential malicious execution. -- Conduct a thorough review of the system's registry for unauthorized COM objects and remove any entries that are not recognized or are deemed malicious. -- Restore the system from a known good backup if unauthorized changes or persistent threats are detected. -- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
-- Monitor the network for any signs of similar activity or related threats, ensuring that detection systems are tuned to identify variations of this attack. -- Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml index de4625a05..ff5bed652 100644 --- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index 00d3e9316..4c89a8aff 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe" @@ -128,43 +127,45 @@ process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211" ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."process.args"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\system32\\\\silcollector.cmd" - +case_insensitive = true +value = "?:\\\\Windows\\\\system32\\\\silcollector.cmd" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."process.command_line"] -"case_insensitive" = true -"value" = "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*" - - +case_insensitive = true +value = "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."process.command_line"] -"case_insensitive" = true -"value" = "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*" - +case_insensitive = true +value = "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."process.command_line"] -"case_insensitive" = true -"value" = "cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \"" - +case_insensitive = true +value = """ +cmd /C ".\\inetsrv\\iissetup.exe /keygen " +""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" 
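Review bot: The last `[[rule.filters]]` entry in the `@@ -128,43 +127,45 @@` hunk changes the filter's value, not just its quoting: the removed basic string `"cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \""` decodes to two backslashes per path separator, while the added multi-line basic string `".\\inetsrv\\iissetup.exe /keygen "` decodes to one, and under TOML 1.0 the newline before the closing `"""` is part of the value (only the newline right after the opening delimiter is trimmed). The three sibling filters in the same hunk keep `\\\\`, so this exclusion presumably no longer matches what the old filter matched unless the repo's TOML writer and reader normalise it on round-trip, which is worth confirming before merging. If the wildcard value is meant to stay as before, the one-line form `value = "cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \""` avoids both the escaping change and the trailing newline.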
@@ -173,7 +174,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line", "user.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml index 40d0ede83..3db3ebe2c 100644 --- a/rules/windows/execution_command_shell_started_by_unusual_process.toml +++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml 
@@ -2,62 +2,23 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Unusual Parent Process for cmd.exe" -risk_score = 47 -rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. 
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.name : "cmd.exe" and - process.parent.name : ("lsass.exe", - "csrss.exe", - "epad.exe", - "regsvr32.exe", - "dllhost.exe", - "LogonUI.exe", - "wermgr.exe", - "spoolsv.exe", - "jucheck.exe", - "jusched.exe", - "ctfmon.exe", - "taskhostw.exe", - "GoogleUpdate.exe", - "sppsvc.exe", - "sihost.exe", - "slui.exe", - "SIHClient.exe", - "SearchIndexer.exe", - "SearchProtocolHost.exe", - "FlashPlayerUpdateService.exe", - "WerFault.exe", - "WUDFHost.exe", - "unsecapp.exe", - "wlanext.exe" ) and - not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -94,6 +55,61 @@ Cmd.exe is a command-line interpreter on Windows systems, often used for legitim - Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for cmd.exe and its parent processes to detect similar anomalies in the future.""" +risk_score = 47 +rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1" +setup = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.name : "cmd.exe" and + process.parent.name : ("lsass.exe", + "csrss.exe", + "epad.exe", + "regsvr32.exe", + "dllhost.exe", + "LogonUI.exe", + "wermgr.exe", + "spoolsv.exe", + "jucheck.exe", + "jusched.exe", + "ctfmon.exe", + "taskhostw.exe", + "GoogleUpdate.exe", + "sppsvc.exe", + "sihost.exe", + "slui.exe", + "SIHClient.exe", + "SearchIndexer.exe", + "SearchProtocolHost.exe", + "FlashPlayerUpdateService.exe", + 
"WerFault.exe", + "WUDFHost.exe", + "unsecapp.exe", + "wlanext.exe" ) and + not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}") +''' [[rule.threat]] diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml index ba8b8c5ee..c0273819d 100644 --- a/rules/windows/execution_command_shell_via_rundll32.toml +++ b/rules/windows/execution_command_shell_via_rundll32.toml 
@@ -2,47 +2,24 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code." false_positives = ["Microsoft Windows installers leveraging RunDLL32 for installation."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Command Shell Activity Started via RunDLL32" -risk_score = 21 -rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Credential Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.name : ("cmd.exe", "powershell.exe") and - process.parent.name : "rundll32.exe" and process.parent.command_line != null and - /* common FPs can be added here */ - not process.parent.args : ("C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL", - "C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc") -''' note = """## 
Triage and analysis > **Disclaimer**: @@ -78,6 +55,34 @@ RunDLL32 is a legitimate Windows utility used to execute functions in DLLs, ofte - Reset credentials for any user accounts that were active on the affected system during the time of the alert to prevent unauthorized access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for rundll32.exe and related processes to detect similar activities in the future and improve response times.""" +risk_score = 21 +rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.name : ("cmd.exe", "powershell.exe") and + process.parent.name : "rundll32.exe" and process.parent.command_line != null and + /* common FPs can be added here */ + not process.parent.args : ("C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL", + "C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc") +''' [[rule.threat]] diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index 89da740cd..15f892254 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml 
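Review bot: Removing `min_stack_version = "8.14.0"` and its `min_stack_comments` from `[metadata]` leaves no trace of why the rule was held back (the Windows-integration field change at 8.14.0 named in the deleted comment); this is only safe if every stack line this branch still builds for is at or above 8.14, otherwise the rule ships against the pre-8.14 schema it was deliberately pinned away from. If the floor is now implied repo-wide, a one-line comment such as `# 8.14.0 Windows-integration floor is now the repository minimum` keeps the history discoverable without the pin. The same deletion is repeated in every rule in this diff, so whatever is decided here applies to all of them.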
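Review bot: The moved query keeps `process.parent.command_line != null` as a hard requirement, which makes the rule silently inert for any of the six `index` sources that does not populate the parent command line; with Endgame, Sysmon, M365 Defender and SentinelOne all listed, it is worth confirming each fills `process.parent.command_line`, or relaxing the guard to the field the exclusions actually consume (`process.parent.args != null`). The installer carve-out `C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc` accepts any `.tmp` directly under `C:\Windows`; if the MSI custom-action host really writes under `C:\Windows\Installer` (I cannot confirm the path from this diff), narrowing the wildcard to that directory would shrink the evasion surface for anyone who can drop a file in `C:\Windows`. Both exclusions are keyed solely on parent arguments, which the `false_positives` note attributes to installers, so a short `/* MSI custom action host */` comment above them would document the intent.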
@@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -27,41 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Enumeration Command Spawned via WMIPrvSE" -risk_score = 21 -rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and process.command_line != null and - process.name: - ( - "arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe", - "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", "quser.exe", - "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe" - ) and - process.parent.name:"wmiprvse.exe" and - not ( - process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and - process.args : ("demand", "disabled") - ) and - not process.args : "tenable_mw_scan" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -97,6 +60,41 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Restore the system from a known good backup if any malicious activity is confirmed and cannot be remediated through other means. - Implement additional monitoring on the affected system and network to detect any recurrence of similar suspicious activities. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems.""" +risk_score = 21 +rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and process.command_line != null and + process.name: + ( + "arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe", + "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", "quser.exe", + "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe" + ) and + process.parent.name:"wmiprvse.exe" and + not ( + process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and + process.args : ("demand", "disabled") + ) and + not process.args : "tenable_mw_scan" +''' [[rule.threat]] diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index efa858c22..ba3b72eec 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml 
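Review bot: `not process.args : "tenable_mw_scan"` exempts every one of the 22 listed enumeration binaries whenever that literal token appears as any argument, and nothing ties it to the scanner's executable, parent, or account; since this rule is public, an adversary can append `tenable_mw_scan` to a command line spawned from WMI (for any of the listed binaries that tolerate an extra argument) and bypass the detection. Scoping the exclusion to the exact process/argument combination Tenable produces, e.g. `not (process.name : "<tool>.exe" and process.args : "tenable_mw_scan")`, or to the service account the scan runs under via `user.id`, keeps the FP suppression without the free-form escape; I cannot tell from the diff which binaries Tenable actually launches, so that needs checking against the original FP report. The `sc.exe RemoteRegistry start=` carve-out is bound to a process name and a fixed argument set and is fine as written.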
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index bcdefc39b..cabd7eb38 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml
index b84a03613..1724e0f67 100644
--- a/rules/windows/execution_initial_access_foxmail_exploit.toml
+++ b/rules/windows/execution_initial_access_foxmail_exploit.toml
@@ -2,16 +2,13 @@ creation_date = "2024/08/29" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. -This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via -a malicious email. +Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. This may +indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via a malicious email. """ from = "now-9m" index = [ @@ -28,32 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Potential Foxmail Exploitation" -references = ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"] -risk_score = 73 -rule_id = "2c6a6acf-0dcb-404d-89fb-6b0327294cfa" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Windows Security Event Logs", - "Data Source: Elastic Endgame", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -89,6 +60,32 @@ Foxmail, a popular email client, can be exploited by adversaries to gain initial - Apply any available security patches or updates to Foxmail and the operating system to mitigate known vulnerabilities and prevent future exploitation. - Monitor the network and systems for any signs of lateral movement or additional compromise, using indicators of compromise (IOCs) identified during the investigation. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional actions are required based on the scope and impact of the threat.""" +references = ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"] +risk_score = 73 +rule_id = "2c6a6acf-0dcb-404d-89fb-6b0327294cfa" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Data Source: Elastic Endgame", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*") +''' [[rule.threat]] @@ -115,3 +112,4 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml index 38df66142..5a2423c2e 100644 --- a/rules/windows/execution_initial_access_via_msc_file.toml +++ b/rules/windows/execution_initial_access_via_msc_file.toml 
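Review bot: The moved query fires on `process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")`, i.e. any argument under any user's AppData or any UNC path, while the `description` in this file says the child's argument points to "the Foxmail temp directory"; one side should be aligned, either by narrowing the first pattern to the actual Foxmail temp location (which I cannot confirm from this diff) or by rewording to `...spawning a child process with an argument pointing to a user AppData or UNC path`. As written, a `high`-severity, `risk_score = 73` rule triggers whenever Foxmail hands an AppData path to any attachment handler, which deserves a `false_positives` entry if that breadth is intended. The trailing `@@ -115,3 +112,4 @@` hunk also appends an empty line after the last `reference` key, leaving the file ending in two newlines; fine if the formatter emits that deliberately, otherwise drop it.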
@@ -2,9 +2,7 @@ creation_date = "2024/05/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/17" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -13,7 +11,14 @@ Identifies the execution of a child process from a Microsoft Common Console file command in an MSC file in order to trick victims into executing malicious commands. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Unusual Execution via Microsoft Common Console File" diff --git a/rules/windows/execution_initial_access_wps_dll_exploit.toml b/rules/windows/execution_initial_access_wps_dll_exploit.toml index fb3d4878c..b6d8c918d 100644 --- a/rules/windows/execution_initial_access_wps_dll_exploit.toml +++ b/rules/windows/execution_initial_access_wps_dll_exploit.toml 
@@ -2,55 +2,19 @@ creation_date = "2024/08/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the successful -exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler. +Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the +successful exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler. """ from = "now-9m" -index = [ "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "WPS Office Exploitation via DLL Hijack" -references = [ - "https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/", - "https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew" - ] -risk_score = 73 -rule_id = "ac6bc744-e82b-41ad-b58d-90654fa4ebfb" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide" -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" and -( - (event.category == "library" and - ?dll.path : - ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*", - "\\Device\\Mup\\**", "\\\\*")) or - - ((event.category == "process" and event.action : "Image loaded*") and - ?file.path : - 
("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*", - "\\Device\\Mup\\**", "\\\\*")) -) -''' note = """## Triage and analysis > **Disclaimer**: @@ -86,6 +50,40 @@ DLL hijacking exploits the way applications load dynamic link libraries (DLLs), - Apply patches or updates for WPS Office to address the vulnerabilities CVE-2024-7262 and CVE-2024-7263, ensuring that the software is up to date and less susceptible to exploitation. - Monitor for any further suspicious activity related to the ksoqing protocol or similar DLL hijacking attempts, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.""" +references = [ + "https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/", + "https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew", +] +risk_score = 73 +rule_id = "ac6bc744-e82b-41ad-b58d-90654fa4ebfb" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" and +( + (event.category == "library" and + ?dll.path : + ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*", + "\\Device\\Mup\\**", "\\\\*")) or + + ((event.category == "process" and event.action : "Image loaded*") and + ?file.path : + ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*", + "\\Device\\Mup\\**", "\\\\*")) +) +''' [[rule.threat]] @@ -112,3 +110,4 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + 
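Review bot: Both branches of the moved query use `"\\Device\\Mup\\**"`; in EQL wildcard matching a single `*` already matches any run of characters, backslashes included, so the doubled star is equivalent to `\\Device\\Mup\\*` and reads as though a recursive-glob semantics were intended that the language does not have — normalise it to `"\\Device\\Mup\\*"` in both lists so the next reader does not hunt for a difference. The three-entry path list is duplicated verbatim for the `library` and `process`/`Image loaded*` branches, which EQL forces, so a `/* keep both path lists in sync */` comment above the first branch would make the coupling explicit. This file's `@@ -112,3 +110,4 @@` hunk also adds a trailing empty line at EOF, as in the Foxmail rule.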
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index e4f0ffccc..5d19bbcc9 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_posh_hacktool_authors.toml b/rules/windows/execution_posh_hacktool_authors.toml
index 533032a57..6963b49e3 100644
--- a/rules/windows/execution_posh_hacktool_authors.toml
+++ b/rules/windows/execution_posh_hacktool_authors.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/05/08"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,40 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "Potential PowerShell HackTool Script by Author" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential PowerShell HackTool Script by Author + +PowerShell is a powerful scripting language and automation framework used in Windows environments for task automation and configuration management. Adversaries exploit PowerShell's capabilities to execute malicious scripts, often leveraging well-known offensive tools without altering the original code. The detection rule identifies scripts containing specific author names linked to these tools, flagging potential misuse by recognizing unmodified author artifacts in the script block text. + +### Possible investigation steps + +- Review the PowerShell script block text associated with the alert to identify the specific author name that triggered the detection. This can provide insight into the potential tool or script being used. +- Examine the process details, including the parent process and command line arguments, to understand the context in which the PowerShell script was executed. This can help determine if the execution was part of a legitimate task or a suspicious activity. +- Check the host's recent activity logs for any other unusual or related events, such as network connections, file modifications, or other process executions, to identify potential lateral movement or data exfiltration attempts. 
+- Investigate the user account under which the PowerShell script was executed to determine if it has been compromised or if the activity aligns with the user's typical behavior. +- Correlate the alert with other security tools and logs, such as antivirus or endpoint detection and response (EDR) solutions, to gather additional context and confirm whether the activity is malicious. + +### False positive analysis + +- Scripts used in legitimate red team exercises may trigger the rule due to the presence of known author names. To manage this, create exceptions for scripts verified as part of authorized security assessments. +- PowerShell scripts from open-source security tools used for internal testing or training might be flagged. Ensure these tools are documented and approved, then exclude them from the rule. +- Automated scripts for system administration that include code snippets from well-known authors could be mistakenly identified. Review and whitelist these scripts if they are part of routine operations. +- Security research and development activities using sample scripts from recognized authors may cause alerts. Maintain a list of such activities and exclude them from detection to avoid unnecessary alerts. +- Internal development teams using PowerShell scripts for legitimate purposes might inadvertently use code from popular authors. Conduct regular reviews and exclude these scripts if they are deemed non-threatening. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement. +- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing malicious activity. +- Conduct a thorough review of the PowerShell script block text to confirm the presence of known offensive tool author names and assess the potential impact. 
+- Remove any unauthorized or malicious scripts from the affected system and ensure that all legitimate scripts are verified and restored from a clean backup. +- Update endpoint protection and antivirus signatures to detect and block the specific PowerShell scripts and associated indicators of compromise (IOCs) identified in the alert. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for PowerShell activity across the network to detect similar threats in the future, leveraging the MITRE ATT&CK framework for guidance on relevant techniques and tactics.""" references = [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", ] 
@@ -81,40 +113,6 @@ host.os.type:windows and event.category:process and "splinter_code" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential PowerShell HackTool Script by Author - -PowerShell is a powerful scripting language and automation framework used in Windows environments for task automation and configuration management. Adversaries exploit PowerShell's capabilities to execute malicious scripts, often leveraging well-known offensive tools without altering the original code. The detection rule identifies scripts containing specific author names linked to these tools, flagging potential misuse by recognizing unmodified author artifacts in the script block text. - -### Possible investigation steps - -- Review the PowerShell script block text associated with the alert to identify the specific author name that triggered the detection. This can provide insight into the potential tool or script being used. -- Examine the process details, including the parent process and command line arguments, to understand the context in which the PowerShell script was executed. This can help determine if the execution was part of a legitimate task or a suspicious activity. -- Check the host's recent activity logs for any other unusual or related events, such as network connections, file modifications, or other process executions, to identify potential lateral movement or data exfiltration attempts. -- Investigate the user account under which the PowerShell script was executed to determine if it has been compromised or if the activity aligns with the user's typical behavior. 
-- Correlate the alert with other security tools and logs, such as antivirus or endpoint detection and response (EDR) solutions, to gather additional context and confirm whether the activity is malicious. - -### False positive analysis - -- Scripts used in legitimate red team exercises may trigger the rule due to the presence of known author names. To manage this, create exceptions for scripts verified as part of authorized security assessments. -- PowerShell scripts from open-source security tools used for internal testing or training might be flagged. Ensure these tools are documented and approved, then exclude them from the rule. -- Automated scripts for system administration that include code snippets from well-known authors could be mistakenly identified. Review and whitelist these scripts if they are part of routine operations. -- Security research and development activities using sample scripts from recognized authors may cause alerts. Maintain a list of such activities and exclude them from detection to avoid unnecessary alerts. -- Internal development teams using PowerShell scripts for legitimate purposes might inadvertently use code from popular authors. Conduct regular reviews and exclude these scripts if they are deemed non-threatening. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement. -- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing malicious activity. -- Conduct a thorough review of the PowerShell script block text to confirm the presence of known offensive tool author names and assess the potential impact. -- Remove any unauthorized or malicious scripts from the affected system and ensure that all legitimate scripts are verified and restored from a clean backup. 
-- Update endpoint protection and antivirus signatures to detect and block the specific PowerShell scripts and associated indicators of compromise (IOCs) identified in the alert. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Implement enhanced monitoring and logging for PowerShell activity across the network to detect similar threats in the future, leveraging the MITRE ATT&CK framework for guidance on relevant techniques and tactics.""" [[rule.threat]] diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml index 92ffb5fd1..0d9b37772 100644 --- a/rules/windows/execution_posh_hacktool_functions.toml +++ b/rules/windows/execution_posh_hacktool_functions.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/03" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -109,7 +108,7 @@ Adversaries often exploit PowerShell's capabilities to execute malicious scripts """ references = [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", - "https://github.com/BC-SECURITY/Empire" + "https://github.com/BC-SECURITY/Empire", ] risk_score = 47 rule_id = "cde1bafa-9f01-4f43-a872-605b678968b0" 
@@ -132,7 +131,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -321,13 +327,14 @@ event.category:process and host.os.type:windows and not user.id : ("S-1-5-18" or "S-1-5-19") ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" - +case_insensitive = true +value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index dc7e6bc38..cb7be1a55 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml index 7e9192d29..3efcaabf1 100644 --- a/rules/windows/execution_posh_psreflect.toml +++ b/rules/windows/execution_posh_psreflect.toml 
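Review bot: The `[rule.filters]` rewrite at the end of this hunk adds blank lines before `[[rule.filters]]` and `[rule.filters.meta]` but deletes the one that separated `value = ...` from `[[rule.threat]]`, so the wildcard filter table now runs straight into the next array-of-tables header; keep a blank line before `[[rule.threat]]` for consistency with the rest of the file. Unquoting `case_insensitive` and `value` is correct (both are bare keys), and the `"file.path"` segment in the header must stay quoted because it contains a dot, which the hunk preserves. The same blank-line drop recurs in the psreflect rule's filter hunk later in this diff.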
@@ -2,9 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/03" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -136,7 +134,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -156,13 +161,14 @@ event.category:process and host.os.type:windows and not user.id : "S-1-5-18" ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\ProgramData\\\\MaaS360\\\\Cloud Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1" - +case_insensitive = true +value = "?:\\\\ProgramData\\\\MaaS360\\\\Cloud Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml index f047239b7..dfc2a797f 100644 --- a/rules/windows/execution_powershell_susp_args_via_winscript.toml +++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml 
@@ -2,15 +2,11 @@
 creation_date = "2024/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
-description = """
-Identifies PowerShell.exe or Cmd.exe execution spawning from Windows Script Host processes Wscript.exe.
-"""
+description = "Identifies PowerShell.exe or Cmd.exe execution spawning from Windows Script Host processes Wscript.exe.\n"
 from = "now-9m"
 index = [
 "logs-m365_defender.event-*",
@@ -23,28 +19,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Command and Scripting Interpreter via Windows Scripts"
-risk_score = 73
-rule_id = "2d62889e-e758-4c5e-b57e-c735914ee32a"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Windows Security Event Logs",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.action == "start" and
- process.name : ("powershell.exe", "pwsh.exe", "cmd.exe") and
- process.parent.name : ("wscript.exe", "mshta.exe") and ?process.parent.args : "?:\\Users\\*"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
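Review bot: The reformatted `description = "Identifies PowerShell.exe or Cmd.exe execution spawning from Windows Script Host processes Wscript.exe.\n"` carries the trailing newline as an escape inside a single-line basic string, which is harder to read than the `"""` block it replaces and differs from the other rules in this patch, where two-line descriptions keep the multi-line form. The stored value is unchanged, since the original multi-line string also ended in a newline, so this is a point of style only. If the formatter collapses one-line content on purpose, keeping the original three-line `description = """ ... """` block for this file would be the more consistent choice; if the trailing newline has no consumer, dropping the `\n` would be cleaner still, but that changes the value and should be checked against anything that hashes or compares rule contents.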
@@ -79,6 +53,28 @@ PowerShell, a powerful scripting language in Windows, is often targeted by adver
 - Restore the system from a known good backup if any critical system files or configurations have been altered by the malicious activity.
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
+risk_score = 73
+rule_id = "2d62889e-e758-4c5e-b57e-c735914ee32a"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.action == "start" and
+ process.name : ("powershell.exe", "pwsh.exe", "cmd.exe") and
+ process.parent.name : ("wscript.exe", "mshta.exe") and ?process.parent.args : "?:\\Users\\*"
+'''
 [[rule.threat]]
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 4b9ca9d11..d9c7138dc 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index fd36af956..d0f7e9bb2 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 342cf86e9..11ecc5b29 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -23,30 +21,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Outbound Scheduled Task Activity via PowerShell" -references = [ - "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", - "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language", -] -risk_score = 47 -rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by host.id, process.entity_id with maxspan = 5s - [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and - (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")] - [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -80,6 +54,30 @@ PowerShell, a powerful scripting language in Windows, can automate tasks via the - Reset credentials for any accounts that were used or potentially compromised during the incident to prevent unauthorized access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the attack. - Implement enhanced monitoring for similar PowerShell and scheduled task activities across the network to detect and respond to future threats promptly.""" +references = [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language", +] +risk_score = 47 +rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by host.id, process.entity_id with maxspan = 5s + [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")] + [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] +''' [[rule.threat]] diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index f492ba75d..811b16189 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/10/28"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,14 @@ shared modules to execute malicious payloads by instructing the Windows module l
 paths.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via local SxS Shared Module"
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 1e94cbd2b..39c42b1c4 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,35 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Suspicious Cmd Execution via WMI" -references = [ - "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", - "https://www.elastic.co/security-labs/operation-bleeding-bear", -] -risk_score = 47 -rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and - process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -91,6 +60,35 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. - Enhance monitoring and logging for WMI activities across the network to detect similar threats in the future, ensuring that logs are retained for an adequate period for forensic purposes. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" +references = [ + "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", + "https://www.elastic.co/security-labs/operation-bleeding-bear", +] +risk_score = 47 +rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and + process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>") +''' [[rule.threat]] diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index be4da0bf5..5307e44e4 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -18,39 +16,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_ language = "eql" license = "Elastic License v2" name = "Suspicious WMI Image Load from MS Office" -references = [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", -] -risk_score = 21 -rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -any where host.os.type == "windows" and - (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and - process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and - (?dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -85,6 +50,39 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Restore the system from a known good backup if malicious activity has compromised system integrity or data. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for WMI activity and Microsoft Office processes to detect similar threats in the future.""" +references = [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", +] +risk_score = 21 +rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d" +setup = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +any where host.os.type == "windows" and + (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and + process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and + (?dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") +''' [[rule.threat]] 
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 20a79ff7b..c816d82ec 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index ba63a9829..92c0ecf70 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies suspicious psexec activity which is executing from the psexec service
 evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Process Execution via Renamed PsExec Executable"
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 7e4d4e631..15d381da7 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 0ce73c893..df930dae4 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,14 @@ Detects when the Console Window Host (conhost.exe) process is spawned by a suspi
 indicative of code injection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Conhost Spawned By Suspicious Parent Process"
diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
index 3dbd41d9e..4b7a69d31 100644
--- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml
+++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
@@ -2,15 +2,13 @@
 creation_date = "2024/06/19"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use
-MSC files for initial access and execution.
+Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for
+initial access and execution.
 """
 from = "now-9m"
 index = [
@@ -27,6 +25,40 @@ index = [ language = "eql" license = "Elastic License v2" name = "Microsoft Management Console File from Unusual Path" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Microsoft Management Console File from Unusual Path + +Microsoft Management Console (MMC) is a Windows utility that provides a framework for system management. Adversaries may exploit MMC by executing .msc files from non-standard directories to bypass security controls. The detection rule identifies such anomalies by monitoring the execution of mmc.exe with .msc files from untrusted paths, flagging potential unauthorized access or execution attempts. + +### Possible investigation steps + +- Review the process execution details to confirm the path of the mmc.exe and the .msc file being executed. Check if the path is indeed non-standard or untrusted as per the query criteria. +- Investigate the origin of the .msc file by examining file creation and modification timestamps, and check for any recent changes or unusual activity in the directory where the file resides. +- Analyze the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious. +- Check for any related alerts or logs around the same timeframe that might indicate lateral movement or other malicious activities, such as unusual network connections or file access patterns. +- Correlate the event with other data sources mentioned in the rule, such as Microsoft Defender for Endpoint or Crowdstrike, to gather additional context or corroborating evidence of potential malicious activity. 
+- Assess the risk and impact of the execution by determining if the .msc file has any known malicious signatures or if it attempts to perform unauthorized actions on the system. + +### False positive analysis + +- Legitimate administrative tasks may trigger this rule if system administrators execute .msc files from custom directories. To manage this, create exceptions for known administrative scripts or tools that are regularly used from non-standard paths. +- Software installations or updates might involve executing .msc files from temporary or installation directories. Monitor these activities and whitelist specific installation paths if they are verified as safe and part of routine operations. +- Automated scripts or third-party management tools could execute .msc files from non-standard locations as part of their normal operation. Identify these tools and add their execution paths to the exception list to prevent unnecessary alerts. +- Development or testing environments may involve running .msc files from various directories for testing purposes. Establish a separate monitoring policy for these environments or exclude known development paths to reduce false positives. + +### Response and remediation + +- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious processes related to mmc.exe executing from untrusted paths to halt potential malicious activity. +- Conduct a thorough review of the system's recent activity logs to identify any additional indicators of compromise or related suspicious activities. +- Remove any unauthorized .msc files found in non-standard directories and ensure they are not reintroduced. +- Restore the system from a known good backup if any unauthorized changes or damage is detected. +- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = ["https://www.elastic.co/security-labs/grimresource"] risk_score = 73 rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853" 
@@ -62,50 +94,14 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Program Files (x86)\\*.msc" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Microsoft Management Console File from Unusual Path - -Microsoft Management Console (MMC) is a Windows utility that provides a framework for system management. Adversaries may exploit MMC by executing .msc files from non-standard directories to bypass security controls. The detection rule identifies such anomalies by monitoring the execution of mmc.exe with .msc files from untrusted paths, flagging potential unauthorized access or execution attempts. - -### Possible investigation steps - -- Review the process execution details to confirm the path of the mmc.exe and the .msc file being executed. Check if the path is indeed non-standard or untrusted as per the query criteria. -- Investigate the origin of the .msc file by examining file creation and modification timestamps, and check for any recent changes or unusual activity in the directory where the file resides. -- Analyze the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious. -- Check for any related alerts or logs around the same timeframe that might indicate lateral movement or other malicious activities, such as unusual network connections or file access patterns. -- Correlate the event with other data sources mentioned in the rule, such as Microsoft Defender for Endpoint or Crowdstrike, to gather additional context or corroborating evidence of potential malicious activity. 
-- Assess the risk and impact of the execution by determining if the .msc file has any known malicious signatures or if it attempts to perform unauthorized actions on the system. - -### False positive analysis - -- Legitimate administrative tasks may trigger this rule if system administrators execute .msc files from custom directories. To manage this, create exceptions for known administrative scripts or tools that are regularly used from non-standard paths. -- Software installations or updates might involve executing .msc files from temporary or installation directories. Monitor these activities and whitelist specific installation paths if they are verified as safe and part of routine operations. -- Automated scripts or third-party management tools could execute .msc files from non-standard locations as part of their normal operation. Identify these tools and add their execution paths to the exception list to prevent unnecessary alerts. -- Development or testing environments may involve running .msc files from various directories for testing purposes. Establish a separate monitoring policy for these environments or exclude known development paths to reduce false positives. - -### Response and remediation - -- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious processes related to mmc.exe executing from untrusted paths to halt potential malicious activity. -- Conduct a thorough review of the system's recent activity logs to identify any additional indicators of compromise or related suspicious activities. -- Remove any unauthorized .msc files found in non-standard directories and ensure they are not reintroduced. -- Restore the system from a known good backup if any unauthorized changes or damage is detected. -- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" @@ -116,12 +112,12 @@ id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml index b3c492dad..6e99cf8ed 100644 --- a/rules/windows/execution_windows_cmd_shell_susp_args.toml +++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml @@ -2,15 +2,13 @@ creation_date = "2024/09/06" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is -often observed during malware installation. +Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior +is often observed during malware installation. """ from = "now-9m" index = [ 
@@ -24,6 +22,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Suspicious Windows Command Shell Arguments" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Windows Command Shell Arguments + +The Windows Command Shell (cmd.exe) is a critical component for executing commands and scripts. Adversaries exploit it to execute malicious scripts, download payloads, or manipulate system settings. The detection rule identifies unusual command-line arguments and patterns indicative of such abuse, filtering out known benign processes to minimize false positives. This helps in early detection of potential threats by monitoring for suspicious command executions. + +### Possible investigation steps + +- Review the command line arguments associated with the cmd.exe process to identify any suspicious patterns or keywords such as "curl", "regsvr32", "wscript", or "Invoke-WebRequest" that may indicate malicious activity. +- Check the parent process of the cmd.exe execution to determine if it is a known benign process or if it is associated with potentially malicious activity, especially if the parent process is explorer.exe or other unusual executables. +- Investigate the user account associated with the cmd.exe process to determine if the activity aligns with the user's typical behavior or if it appears anomalous. +- Examine the network activity of the host to identify any unusual outbound connections or data transfers that may correlate with the suspicious command execution. 
+- Cross-reference the alert with other security logs or alerts from tools like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and corroborate findings. +- Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate response actions are necessary. + +### False positive analysis + +- Processes related to Spiceworks and wmiprvse.exe can trigger false positives. Exclude these by adding exceptions for process arguments containing "%TEMP%\\\\Spiceworks\\\\*" when the parent process is wmiprvse.exe. +- Development tools like Perl, Node.js, and NetBeans may cause false alerts. Exclude these by specifying their executable paths in the exception list. +- Citrix Secure Access Client initiated by userinit.exe can be a false positive. Exclude this by adding an exception for process arguments containing "?:\\\\Program Files\\\\Citrix\\\\Secure Access Client\\\\nsauto.exe" with the parent process name as userinit.exe. +- Scheduled tasks or services like PCPitstopScheduleService.exe may trigger alerts. Exclude these by adding their paths to the exception list. +- Command-line operations involving npm or Maven commands can be benign. Exclude these by specifying command-line patterns like "\\"cmd\\" /c %NETBEANS_MAVEN_COMMAND_LINE%" in the exception list. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of potential malware or unauthorized access. +- Terminate any suspicious cmd.exe processes identified by the detection rule to halt malicious activity. +- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts. +- Review and restore any altered system settings or configurations to their original state to ensure system integrity. 
+- Analyze the command-line arguments and parent processes involved in the alert to understand the scope and origin of the threat, and identify any additional compromised systems. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary. +- Implement additional monitoring and detection rules to identify similar suspicious command-line activities in the future, enhancing the organization's ability to detect and respond to such threats promptly.""" risk_score = 73 rule_id = "d9ffc3d6-9de9-4b29-9395-5757d0695ecf" severity = "high" 
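Review bot: The False positive analysis bullets tell analysts to add exceptions keyed on a parent process name or an executable path (`wmiprvse.exe`, `userinit.exe`, `%TEMP%\\Spiceworks\\*`), and both are attacker-controllable: a process name is just the image file name, and `%TEMP%` is writable by the same user who launched the shell. This hunk only moves the note above `risk_score`, so the wording is unchanged, but it is the side under review; I would add `- Scope any exception as narrowly as possible: pair a path or parent name with process.code_signature fields or a file hash rather than a bare process name, since names and %TEMP% paths can be forged by an adversary.` The Spiceworks `persist_netstat_data` exclusion the note asks users to create already appears in the query body shown below this hunk, so that bullet may be instructing analysts to duplicate an existing exclusion; worth checking against the full query, which lies outside the hunk.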
@@ -105,41 +138,6 @@ process where host.os.type == "windows" and event.type == "start" and not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Windows Command Shell Arguments - -The Windows Command Shell (cmd.exe) is a critical component for executing commands and scripts. Adversaries exploit it to execute malicious scripts, download payloads, or manipulate system settings. The detection rule identifies unusual command-line arguments and patterns indicative of such abuse, filtering out known benign processes to minimize false positives. This helps in early detection of potential threats by monitoring for suspicious command executions. - -### Possible investigation steps - -- Review the command line arguments associated with the cmd.exe process to identify any suspicious patterns or keywords such as "curl", "regsvr32", "wscript", or "Invoke-WebRequest" that may indicate malicious activity. -- Check the parent process of the cmd.exe execution to determine if it is a known benign process or if it is associated with potentially malicious activity, especially if the parent process is explorer.exe or other unusual executables. -- Investigate the user account associated with the cmd.exe process to determine if the activity aligns with the user's typical behavior or if it appears anomalous. 
-- Examine the network activity of the host to identify any unusual outbound connections or data transfers that may correlate with the suspicious command execution. -- Cross-reference the alert with other security logs or alerts from tools like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and corroborate findings. -- Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate response actions are necessary. - -### False positive analysis - -- Processes related to Spiceworks and wmiprvse.exe can trigger false positives. Exclude these by adding exceptions for process arguments containing "%TEMP%\\\\Spiceworks\\\\*" when the parent process is wmiprvse.exe. -- Development tools like Perl, Node.js, and NetBeans may cause false alerts. Exclude these by specifying their executable paths in the exception list. -- Citrix Secure Access Client initiated by userinit.exe can be a false positive. Exclude this by adding an exception for process arguments containing "?:\\\\Program Files\\\\Citrix\\\\Secure Access Client\\\\nsauto.exe" with the parent process name as userinit.exe. -- Scheduled tasks or services like PCPitstopScheduleService.exe may trigger alerts. Exclude these by adding their paths to the exception list. -- Command-line operations involving npm or Maven commands can be benign. Exclude these by specifying command-line patterns like "\\"cmd\\" /c %NETBEANS_MAVEN_COMMAND_LINE%" in the exception list. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of potential malware or unauthorized access. -- Terminate any suspicious cmd.exe processes identified by the detection rule to halt malicious activity. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts. 
-- Review and restore any altered system settings or configurations to their original state to ensure system integrity. -- Analyze the command-line arguments and parent processes involved in the alert to understand the scope and origin of the threat, and identify any additional compromised systems. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary. -- Implement additional monitoring and detection rules to identify similar suspicious command-line activities in the future, enhancing the organization's ability to detect and respond to such threats promptly.""" [[rule.threat]] @@ -159,3 +157,4 @@ reference = "https://attack.mitre.org/techniques/T1059/003/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml index 243c923f9..0cefae3c3 100644 --- a/rules/windows/execution_windows_powershell_susp_args.toml +++ b/rules/windows/execution_windows_powershell_susp_args.toml @@ -2,9 +2,7 @@ creation_date = "2024/09/06" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -25,6 +23,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Suspicious Windows Powershell Arguments" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Windows Powershell Arguments + +PowerShell is a powerful scripting language and command-line shell used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell's capabilities to execute malicious scripts, download payloads, and obfuscate commands. The detection rule identifies unusual PowerShell arguments indicative of such abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques, thereby flagging potential threats for further investigation. + +### Possible investigation steps + +- Review the process command line and arguments to identify any encoded or obfuscated content, such as Base64 strings or unusual character sequences, which may indicate malicious intent. +- Check the parent process of the PowerShell execution, especially if it is explorer.exe or cmd.exe, to determine if the PowerShell instance was launched from a suspicious or unexpected source. +- Investigate any network activity associated with the PowerShell process, particularly looking for connections to known malicious domains or IP addresses, or the use of suspicious commands like DownloadFile or DownloadString. +- Examine the user account associated with the PowerShell execution to determine if it aligns with expected behavior or if it might be compromised. +- Correlate the event with other security alerts or logs from the same host or user to identify patterns or additional indicators of compromise. 
+- Assess the risk and impact of the detected activity by considering the context of the environment, such as the presence of sensitive data or critical systems that might be affected. + +### False positive analysis + +- Legitimate administrative scripts may use encoded commands for obfuscation to protect sensitive data. Review the script's source and purpose to determine if it is authorized. If confirmed, add the script's hash or specific command pattern to an allowlist. +- Automated software deployment tools might use PowerShell to download and execute scripts from trusted internal sources. Verify the source and destination of the download. If legitimate, exclude the specific tool or process from the detection rule. +- System maintenance tasks often involve PowerShell scripts that manipulate files or system settings. Identify routine maintenance scripts and exclude their specific command patterns or file paths from triggering the rule. +- Security software may use PowerShell for scanning or remediation tasks, which can mimic suspicious behavior. Confirm the software's legitimacy and add its processes to an exception list to prevent false alerts. +- Developers might use PowerShell for testing or development purposes, which can include obfuscation techniques. Validate the developer's activities and exclude their specific development environments or scripts from the rule. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. +- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activities. +- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads or scripts. 
+- Review and clean up any unauthorized changes to system configurations or scheduled tasks that may have been altered by the malicious PowerShell activity. +- Restore any affected files or system components from known good backups to ensure system integrity and functionality. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised. +- Implement additional monitoring and logging for PowerShell activities across the network to enhance detection of similar threats in the future.""" risk_score = 73 rule_id = "83bf249e-4348-47ba-9741-1202a09556ad" severity = "high" 
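Review bot: The first False positive bullet says legitimate scripts "use encoded commands for obfuscation to protect sensitive data", which is misleading: `-EncodedCommand` is plain Base64 of the UTF-16LE script, provides no confidentiality, and the full command line is already recorded in the process-start event this rule fires on. I would reword it to `- Legitimate administrative or deployment scripts may use -EncodedCommand for quoting convenience, not secrecy; Base64 is reversible, so decode it and treat any credential found in it as exposed.` and add a matching step under Possible investigation steps: `- Base64-decode any -EncodedCommand value (UTF-16LE) before judging it, and compare the decoded script against known automation.` The hunk only relocates the note ahead of `risk_score`, so the text is unchanged from the removed side; the query these steps refer to sits outside the hunk.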
@@ -107,41 +140,6 @@ process where host.os.type == "windows" and event.type == "start" and process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*")) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Windows Powershell Arguments - -PowerShell is a powerful scripting language and command-line shell used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell's capabilities to execute malicious scripts, download payloads, and obfuscate commands. The detection rule identifies unusual PowerShell arguments indicative of such abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques, thereby flagging potential threats for further investigation. - -### Possible investigation steps - -- Review the process command line and arguments to identify any encoded or obfuscated content, such as Base64 strings or unusual character sequences, which may indicate malicious intent. -- Check the parent process of the PowerShell execution, especially if it is explorer.exe or cmd.exe, to determine if the PowerShell instance was launched from a suspicious or unexpected source. -- Investigate any network activity associated with the PowerShell process, particularly looking for connections to known malicious domains or IP addresses, or the use of suspicious commands like DownloadFile or DownloadString. -- Examine the user account associated with the PowerShell execution to determine if it aligns with expected behavior or if it might be compromised. 
-- Correlate the event with other security alerts or logs from the same host or user to identify patterns or additional indicators of compromise. -- Assess the risk and impact of the detected activity by considering the context of the environment, such as the presence of sensitive data or critical systems that might be affected. - -### False positive analysis - -- Legitimate administrative scripts may use encoded commands for obfuscation to protect sensitive data. Review the script's source and purpose to determine if it is authorized. If confirmed, add the script's hash or specific command pattern to an allowlist. -- Automated software deployment tools might use PowerShell to download and execute scripts from trusted internal sources. Verify the source and destination of the download. If legitimate, exclude the specific tool or process from the detection rule. -- System maintenance tasks often involve PowerShell scripts that manipulate files or system settings. Identify routine maintenance scripts and exclude their specific command patterns or file paths from triggering the rule. -- Security software may use PowerShell for scanning or remediation tasks, which can mimic suspicious behavior. Confirm the software's legitimacy and add its processes to an exception list to prevent false alerts. -- Developers might use PowerShell for testing or development purposes, which can include obfuscation techniques. Validate the developer's activities and exclude their specific development environments or scripts from the rule. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activities. 
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads or scripts. -- Review and clean up any unauthorized changes to system configurations or scheduled tasks that may have been altered by the malicious PowerShell activity. -- Restore any affected files or system components from known good backups to ensure system integrity and functionality. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised. -- Implement additional monitoring and logging for PowerShell activities across the network to enhance detection of similar threats in the future.""" [[rule.threat]] @@ -161,3 +159,4 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 68dd5e0a3..1e007cf4c 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml @@ -2,9 +2,7 @@ creation_date = "2023/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -24,6 +22,41 @@ index = [ language = "kuery" license = "Elastic License v2" name = "Rare SMB Connection to the Internet" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Rare SMB Connection to the Internet + +Server Message Block (SMB) is a protocol used for sharing files and printers within a network. Adversaries exploit SMB to exfiltrate data by injecting rogue paths to capture NTLM credentials. The detection rule identifies unusual SMB traffic from internal IPs to external networks, flagging potential exfiltration attempts by monitoring specific ports and excluding known safe IP ranges. + +### Possible investigation steps + +- Review the alert details to identify the internal source IP address involved in the SMB connection and verify if it belongs to a known or authorized device within the organization. +- Check the destination IP address to determine if it is associated with any known malicious activity or if it belongs to an external network that should not be receiving SMB traffic from internal systems. +- Investigate the process with PID 4 on the source host, which typically corresponds to the Windows System process, to identify any unusual activity or recent changes that could indicate compromise or misuse. +- Analyze network logs to trace the SMB traffic flow and identify any patterns or additional connections that may suggest data exfiltration attempts. +- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and determine if this is part of a larger attack campaign. 
+- Consult with the IT or network team to verify if there are any legitimate business reasons for the detected SMB traffic to the external network, and if not, consider blocking the connection and conducting a deeper investigation into the source host. + +### False positive analysis + +- Internal network scanning tools may trigger alerts if they simulate SMB traffic to external IPs. Exclude IPs associated with these tools from the rule to prevent false positives. +- Legitimate business applications that require SMB connections to external cloud services might be flagged. Identify and whitelist these specific external IPs or domains to avoid unnecessary alerts. +- Backup solutions that use SMB for data transfer to offsite locations can be mistaken for exfiltration attempts. Ensure these backup service IPs are added to the exception list. +- Misconfigured network devices that inadvertently route SMB traffic externally could cause false alerts. Regularly audit and correct device configurations to minimize these occurrences. +- Security testing or penetration testing activities might generate SMB traffic to external IPs. Coordinate with security teams to temporarily disable the rule or add exceptions during testing periods. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further data exfiltration or lateral movement. +- Conduct a thorough review of the host's network connections and processes to identify any unauthorized SMB traffic or suspicious activities. +- Reset credentials for any accounts that may have been exposed or compromised, focusing on those with elevated privileges. +- Apply patches and updates to the affected system and any other vulnerable systems to mitigate known SMB vulnerabilities. +- Implement network segmentation to limit SMB traffic to only necessary internal communications, reducing the risk of external exposure. 
+- Enhance monitoring and logging for SMB traffic, particularly for connections to external IPs, to detect and respond to future anomalies more effectively. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"] risk_score = 47 rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec" 
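Review bot: The guide's opening claim that adversaries "exploit SMB to exfiltrate data by injecting rogue paths to capture NTLM credentials" blends two different outcomes; the securify.nl reference on the same line is about NetNTLM hash theft via forced outbound authentication, and the visible query condition `process.pid:4` (the kernel SMB redirector) cannot distinguish a file transfer from a single authentication attempt. I would split the sentence: `Adversaries plant rogue UNC paths that make the victim's SMB client authenticate to an attacker-controlled host, leaking the user's NetNTLM hash for cracking or relay; the same channel can also carry exfiltrated files.` Because the System process connects on behalf of a logged-on user, Possible investigation steps should gain `- Identify the user session that triggered the outbound SMB connection; that account's NetNTLM hash should be treated as exposed.` so the later credential-reset step has a target, and the remediation could name blocking outbound TCP 445/139 at the perimeter rather than the vaguer segmentation wording. The hunk only moves the note, and the query itself lies outside it.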
@@ -80,41 +113,6 @@ event.category:network and host.os.type:windows and process.pid:4 and "FF00::/8" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Rare SMB Connection to the Internet - -Server Message Block (SMB) is a protocol used for sharing files and printers within a network. Adversaries exploit SMB to exfiltrate data by injecting rogue paths to capture NTLM credentials. The detection rule identifies unusual SMB traffic from internal IPs to external networks, flagging potential exfiltration attempts by monitoring specific ports and excluding known safe IP ranges. - -### Possible investigation steps - -- Review the alert details to identify the internal source IP address involved in the SMB connection and verify if it belongs to a known or authorized device within the organization. -- Check the destination IP address to determine if it is associated with any known malicious activity or if it belongs to an external network that should not be receiving SMB traffic from internal systems. -- Investigate the process with PID 4 on the source host, which typically corresponds to the Windows System process, to identify any unusual activity or recent changes that could indicate compromise or misuse. -- Analyze network logs to trace the SMB traffic flow and identify any patterns or additional connections that may suggest data exfiltration attempts. -- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and determine if this is part of a larger attack campaign. 
-- Consult with the IT or network team to verify if there are any legitimate business reasons for the detected SMB traffic to the external network, and if not, consider blocking the connection and conducting a deeper investigation into the source host. - -### False positive analysis - -- Internal network scanning tools may trigger alerts if they simulate SMB traffic to external IPs. Exclude IPs associated with these tools from the rule to prevent false positives. -- Legitimate business applications that require SMB connections to external cloud services might be flagged. Identify and whitelist these specific external IPs or domains to avoid unnecessary alerts. -- Backup solutions that use SMB for data transfer to offsite locations can be mistaken for exfiltration attempts. Ensure these backup service IPs are added to the exception list. -- Misconfigured network devices that inadvertently route SMB traffic externally could cause false alerts. Regularly audit and correct device configurations to minimize these occurrences. -- Security testing or penetration testing activities might generate SMB traffic to external IPs. Coordinate with security teams to temporarily disable the rule or add exceptions during testing periods. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further data exfiltration or lateral movement. -- Conduct a thorough review of the host's network connections and processes to identify any unauthorized SMB traffic or suspicious activities. -- Reset credentials for any accounts that may have been exposed or compromised, focusing on those with elevated privileges. -- Apply patches and updates to the affected system and any other vulnerable systems to mitigate known SMB vulnerabilities. -- Implement network segmentation to limit SMB traffic to only necessary internal communications, reducing the risk of external exposure. 
-- Enhance monitoring and logging for SMB traffic, particularly for connections to external IPs, to detect and respond to future anomalies more effectively. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml index ef7a9c714..a676aad05 100644 --- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml index f7f1fab03..78cbf5a0c 100644 --- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml +++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml @@ -2,9 +2,7 @@ creation_date = "2024/05/03" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml index ca19fcf0a..14850280d 100644 --- a/rules/windows/impact_modification_of_boot_config.toml +++ b/rules/windows/impact_modification_of_boot_config.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/03/16" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index e0b021c71..690a472b1 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/12/03" integration = ["endpoint", "windows", "system"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml index 9e46ab442..f6f73d438 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index 7128d3f97..073eef3b4 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml 
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index 69440e7f1..3298b577c 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml index c0d363686..32b832e93 100644 --- a/rules/windows/initial_access_execution_from_inetcache.toml +++ b/rules/windows/initial_access_execution_from_inetcache.toml @@ -2,9 +2,7 @@ creation_date = "2024/02/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -27,41 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution from INET Cache"
-references = [
- "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
-]
-risk_score = 73
-rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Command and Control",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
- (
- process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
- process.executable : (
- "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
- "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
- )
- )
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -97,6 +60,41 @@ The INetCache folder stores temporary internet files, which can be exploited by
 - Review and analyze recent email logs and web browsing history to identify potential phishing attempts or malicious downloads that may have led to the initial compromise.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for the INetCache directory and related processes to detect similar threats in the future."""
+references = [
+ "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
+]
+risk_score = 73
+rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
+ (
+ process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
+ process.executable : (
+ "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
+ "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
+ )
+ )
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml
index 153315f0b..ce76d88f6 100644
--- a/rules/windows/initial_access_execution_via_office_addins.toml
+++ b/rules/windows/initial_access_execution_via_office_addins.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/03/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,10 +11,51 @@ Identifies execution of common Microsoft Office applications to launch an Office
 an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Microsoft Office Add-Ins"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Execution via Microsoft Office Add-Ins
+
+Microsoft Office Add-Ins enhance productivity by integrating additional features into Office applications. However, adversaries can exploit this by embedding malicious code within add-ins, often delivered through phishing. The detection rule identifies unusual execution patterns, such as Office apps launching add-ins from suspicious paths or with atypical parent processes, signaling potential threats. It filters out known benign activities to minimize false positives, focusing on genuine anomalies indicative of malicious intent.
+
+### Possible investigation steps
+
+- Review the process name and arguments to confirm if the execution involves a Microsoft Office application launching an add-in from a suspicious path, as indicated by the process.name and process.args fields.
+- Check the parent process name to determine if the Office application was launched by an unusual or potentially malicious parent process, such as cmd.exe or powershell.exe, using the process.parent.name field.
+- Investigate the file path from which the add-in was executed to assess if it matches any of the suspicious paths listed in the query, such as the Temp or Downloads directories, using the process.args field.
+- Examine the host's recent activity logs to identify any related events or patterns that might indicate a broader attack or compromise, focusing on the host.os.type and event.type fields.
+- Correlate the alert with any recent phishing attempts or suspicious emails received by the user to determine if the execution is part of a phishing campaign, leveraging the MITRE ATT&CK tactic and technique information provided.
+- Verify if the execution is a false positive by checking against the known benign activities excluded in the query, such as specific VSTOInstaller.exe paths or arguments, to rule out legitimate software installations or updates.
+
+### False positive analysis
+
+- Logitech software installations can trigger false positives when VSTO files are executed by Logitech's PlugInInstallerUtility. To mitigate this, exclude processes with paths related to Logitech installations from the detection rule.
+- The VSTOInstaller.exe process may be flagged when uninstalling applications. Exclude processes with the /Uninstall argument to prevent these false positives.
+- Rundll32.exe executing with specific arguments related to MSI temporary files can be benign. Exclude these specific rundll32.exe executions to avoid false alerts.
+- Sidekick.vsto installations from the specified URL can be legitimate. Exclude this specific VSTOInstaller.exe process with the Sidekick.vsto argument to reduce false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity.
+- Terminate any suspicious processes identified by the detection rule, such as those involving unusual parent processes or originating from suspicious paths.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious add-ins or related malware.
+- Review and clean up any unauthorized or suspicious Office add-ins from the affected applications to ensure no malicious code remains.
+- Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning alone.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement additional monitoring and alerting for similar suspicious activities to enhance detection and response capabilities for future incidents."""
 references = [
 "https://github.com/Octoberfest7/XLL_Phishing",
 "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/",
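Review bot: The "False positive analysis" bullets in the added `note` instruct the analyst to exclude cases the query already excludes, so an alert that fires cannot be one of them — the Sidekick clause `not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")` and the rundll32 `MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc` clause are visible as context in the next hunk, and the Logitech and `/Uninstall` bullets presumably mirror similar clauses further up the query. As written the guide sends the triager to re-add exclusions that exist, which contradicts the investigation step that tells them to check "the known benign activities excluded in the query". I would reword each bullet to state that the rule already carries the exclusion and that a new benign installer should get a rule exception scoped to its exact `process.executable` and `process.args`, e.g. `- The rule already excludes VSTOInstaller.exe launched with the Sidekick.vsto URL; if a different add-in installer triggers it, add an exception on that installer's exact executable path and arguments rather than on a directory prefix.` The query itself starts before this hunk and its tail is in the following one.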
@@ -82,40 +121,6 @@ process where
 process.parent.args : "?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc") and
 not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious Execution via Microsoft Office Add-Ins
-
-Microsoft Office Add-Ins enhance productivity by integrating additional features into Office applications. However, adversaries can exploit this by embedding malicious code within add-ins, often delivered through phishing. The detection rule identifies unusual execution patterns, such as Office apps launching add-ins from suspicious paths or with atypical parent processes, signaling potential threats. It filters out known benign activities to minimize false positives, focusing on genuine anomalies indicative of malicious intent.
-
-### Possible investigation steps
-
-- Review the process name and arguments to confirm if the execution involves a Microsoft Office application launching an add-in from a suspicious path, as indicated by the process.name and process.args fields.
-- Check the parent process name to determine if the Office application was launched by an unusual or potentially malicious parent process, such as cmd.exe or powershell.exe, using the process.parent.name field.
-- Investigate the file path from which the add-in was executed to assess if it matches any of the suspicious paths listed in the query, such as the Temp or Downloads directories, using the process.args field.
-- Examine the host's recent activity logs to identify any related events or patterns that might indicate a broader attack or compromise, focusing on the host.os.type and event.type fields.
-- Correlate the alert with any recent phishing attempts or suspicious emails received by the user to determine if the execution is part of a phishing campaign, leveraging the MITRE ATT&CK tactic and technique information provided.
-- Verify if the execution is a false positive by checking against the known benign activities excluded in the query, such as specific VSTOInstaller.exe paths or arguments, to rule out legitimate software installations or updates.
-
-### False positive analysis
-
-- Logitech software installations can trigger false positives when VSTO files are executed by Logitech's PlugInInstallerUtility. To mitigate this, exclude processes with paths related to Logitech installations from the detection rule.
-- The VSTOInstaller.exe process may be flagged when uninstalling applications. Exclude processes with the /Uninstall argument to prevent these false positives.
-- Rundll32.exe executing with specific arguments related to MSI temporary files can be benign. Exclude these specific rundll32.exe executions to avoid false alerts.
-- Sidekick.vsto installations from the specified URL can be legitimate. Exclude this specific VSTOInstaller.exe process with the Sidekick.vsto argument to reduce false positives.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity.
-- Terminate any suspicious processes identified by the detection rule, such as those involving unusual parent processes or originating from suspicious paths.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious add-ins or related malware.
-- Review and clean up any unauthorized or suspicious Office add-ins from the affected applications to ensure no malicious code remains.
-- Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning alone.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
-- Implement additional monitoring and alerting for similar suspicious activities to enhance detection and response capabilities for future incidents."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
index e1355901b..c85bc4e17 100644
--- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
+++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2023/03/16"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -24,32 +22,6 @@ index = [
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen Removable Device"
-references = [
- "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html",
- "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings",
-]
-risk_score = 21
-rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Exfiltration",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "new_terms"
-
-query = '''
-event.category:"registry" and host.os.type:"windows" and registry.value:"FriendlyName" and registry.path:*USBSTOR*
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -84,6 +56,32 @@ Removable devices, like USB drives, are common in Windows environments for data
 - Notify the security team and relevant stakeholders about the incident, providing details of the device and any identified threats.
 - Implement a temporary block on the use of removable devices across the network until the threat is fully contained and remediated.
 - Enhance monitoring and detection capabilities by updating security tools and rules to better identify similar threats in the future, focusing on registry changes and device connections."""
+references = [
+ "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html",
+ "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings",
+]
+risk_score = 21
+rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Exfiltration",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.category:"registry" and host.os.type:"windows" and registry.value:"FriendlyName" and registry.path:*USBSTOR*
+'''
 
 
 [[rule.threat]]
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
index e5635dbfb..61e732cb4 100644
--- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
+++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -32,6 +30,41 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious JetBrains TeamCity Child Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious JetBrains TeamCity Child Process
+
+JetBrains TeamCity is a continuous integration and deployment server used to automate software development processes. Adversaries may exploit vulnerabilities in TeamCity to execute unauthorized code, potentially spawning malicious child processes. The detection rule identifies unusual child processes initiated by TeamCity's Java executable, flagging potential exploitation attempts by monitoring for known suspicious executables, while excluding legitimate operations.
+
+### Possible investigation steps
+
+- Review the process tree to identify the parent and child processes associated with the suspicious activity, focusing on the parent executable paths like "?:\\TeamCity\\jre\\bin\\java.exe".
+- Examine the command-line arguments of the suspicious child processes, especially those involving "cmd.exe" or "powershell.exe", to understand the actions being executed.
+- Check for any recent vulnerabilities or patches related to JetBrains TeamCity that might explain the suspicious behavior.
+- Investigate the user account under which the suspicious processes were executed to determine if it aligns with expected usage patterns or if it indicates potential compromise.
+- Correlate the alert with other security events or logs from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activity or indicators of compromise.
+- Assess network activity from the host to detect any unusual outbound connections that might suggest data exfiltration or communication with a command and control server.
+
+### False positive analysis
+
+- Legitimate build scripts may invoke command-line utilities like cmd.exe or powershell.exe. To handle these, create exceptions for specific scripts by matching known safe arguments or paths.
+- Automated tasks or maintenance scripts might use network utilities such as ping.exe or netstat.exe. Exclude these by identifying and allowing specific scheduled tasks or maintenance windows.
+- System monitoring tools could trigger processes like tasklist.exe or systeminfo.exe. Whitelist these tools by verifying their source and ensuring they are part of authorized monitoring solutions.
+- Development or testing environments may frequently use utilities like explorer.exe or control.exe. Establish exceptions for these environments by defining specific hostnames or IP ranges where such activity is expected.
+- Custom scripts or applications might use msiexec.exe for legitimate software installations. Allow these by confirming the source and purpose of the installations, and excluding them based on known safe paths or signatures.
+
+### Response and remediation
+
+- Immediately isolate the affected TeamCity server from the network to prevent further unauthorized access or lateral movement.
+- Terminate any suspicious child processes identified by the detection rule, such as cmd.exe or powershell.exe, to halt potential malicious activities.
+- Conduct a thorough review of recent changes and deployments in TeamCity to identify any unauthorized modifications or suspicious activities.
+- Apply the latest security patches and updates to TeamCity and its underlying Java runtime environment to mitigate known vulnerabilities.
+- Restore the affected system from a clean backup taken before the suspicious activity was detected, ensuring no remnants of the exploit remain.
+- Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on the indicators identified in the detection rule.
+- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures."""
 references = [
 "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html",
 ]
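Review bot: The "False positive analysis" section of the added `note` tells operators to carve out development or testing environments "by defining specific hostnames or IP ranges", which suppresses this rule entirely on the class of host it exists to watch (a build server spawning shells from `java.exe`), and the "Whitelist these tools by verifying their source" bullet names no field to key the exception on. The query this guide accompanies, visible as context in the next hunk, scopes its own exclusions on the exact `process.name` and `process.args` of a build step (`-ExecutionPolicy` with `?:\\TeamCity\\buildAgent\\work\\*.ps1`, `dir` with `/-c`), and the guide should steer exceptions the same way. I would replace the two bullets with something like `- Development or testing agents may legitimately run utilities such as explorer.exe or control.exe from a build step; add a rule exception on that step's exact process.name and process.args rather than on the host or network range.` and `- Authorized monitoring tools that spawn tasklist.exe or systeminfo.exe should be excepted by their signed executable path and arguments, not by tool name alone.` Replacing "Whitelist" with "Allowlist" would also match the wording used in the rest of this note.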
@@ -73,41 +106,6 @@ process where host.os.type == "windows" and event.type == "start" and
 not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1") and
 not (process.name : "cmd.exe" and process.args : "dir" and process.args : "/-c")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Suspicious JetBrains TeamCity Child Process
-
-JetBrains TeamCity is a continuous integration and deployment server used to automate software development processes. Adversaries may exploit vulnerabilities in TeamCity to execute unauthorized code, potentially spawning malicious child processes. The detection rule identifies unusual child processes initiated by TeamCity's Java executable, flagging potential exploitation attempts by monitoring for known suspicious executables, while excluding legitimate operations.
-
-### Possible investigation steps
-
-- Review the process tree to identify the parent and child processes associated with the suspicious activity, focusing on the parent executable paths like "?:\\TeamCity\\jre\\bin\\java.exe".
-- Examine the command-line arguments of the suspicious child processes, especially those involving "cmd.exe" or "powershell.exe", to understand the actions being executed.
-- Check for any recent vulnerabilities or patches related to JetBrains TeamCity that might explain the suspicious behavior.
-- Investigate the user account under which the suspicious processes were executed to determine if it aligns with expected usage patterns or if it indicates potential compromise.
-- Correlate the alert with other security events or logs from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activity or indicators of compromise.
-- Assess network activity from the host to detect any unusual outbound connections that might suggest data exfiltration or communication with a command and control server.
-
-### False positive analysis
-
-- Legitimate build scripts may invoke command-line utilities like cmd.exe or powershell.exe. To handle these, create exceptions for specific scripts by matching known safe arguments or paths.
-- Automated tasks or maintenance scripts might use network utilities such as ping.exe or netstat.exe. Exclude these by identifying and allowing specific scheduled tasks or maintenance windows.
-- System monitoring tools could trigger processes like tasklist.exe or systeminfo.exe. Whitelist these tools by verifying their source and ensuring they are part of authorized monitoring solutions.
-- Development or testing environments may frequently use utilities like explorer.exe or control.exe. Establish exceptions for these environments by defining specific hostnames or IP ranges where such activity is expected.
-- Custom scripts or applications might use msiexec.exe for legitimate software installations. Allow these by confirming the source and purpose of the installations, and excluding them based on known safe paths or signatures.
-
-### Response and remediation
-
-- Immediately isolate the affected TeamCity server from the network to prevent further unauthorized access or lateral movement.
-- Terminate any suspicious child processes identified by the detection rule, such as cmd.exe or powershell.exe, to halt potential malicious activities.
-- Conduct a thorough review of recent changes and deployments in TeamCity to identify any unauthorized modifications or suspicious activities.
-- Apply the latest security patches and updates to TeamCity and its underlying Java runtime environment to mitigate known vulnerabilities.
-- Restore the affected system from a clean backup taken before the suspicious activity was detected, ensuring no remnants of the exploit remain.
-- Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on the indicators identified in the detection rule.
-- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml
index f0bf748de..a3c915825 100644
--- a/rules/windows/initial_access_rdp_file_mail_attachment.toml
+++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml
@@ -2,14 +2,13 @@
 creation_date = "2024/11/05"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial access.
+Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial
+access.
 """
 from = "now-9m"
 index = [
@@ -25,41 +24,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Desktop File Opened from Suspicious Path"
-references = [
- "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/",
- "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
- "https://shorsec.io/blog/malrdp-implementing-rouge-rdp-manually/",
-]
-risk_score = 47
-rule_id = "f401a0e3-5eeb-4591-969a-f435488e7d12"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Command and Control",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.name : "mstsc.exe" and
- process.args : ("?:\\Users\\*\\Downloads\\*.rdp",
- "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.rdp",
- "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.rdp",
- "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*\\*.rdp",
- "?:\\Users\\*\\AppData\\Local\\Temp\\BNZ.*.rdp",
- "C:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\*.rdp")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -95,6 +59,41 @@ Remote Desktop Protocol (RDP) allows users to connect to and control a computer
 - Reset credentials for any accounts that were used to open the suspicious RDP files, ensuring that new passwords are strong and unique.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
 - Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more effectively in the future."""
+references = [
+ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/",
+ "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://shorsec.io/blog/malrdp-implementing-rouge-rdp-manually/",
+]
+risk_score = 47
+rule_id = "f401a0e3-5eeb-4591-969a-f435488e7d12"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : "mstsc.exe" and
+ process.args : ("?:\\Users\\*\\Downloads\\*.rdp",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.rdp",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.rdp",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*\\*.rdp",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\BNZ.*.rdp",
+ "C:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\*.rdp")
+'''
 
 
 [[rule.threat]]
@@ -114,3 +113,4 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 58ba10b2d..7ec8d1330 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,14 @@ Identifies a PowerShell process launched by either cscript.exe or wscript.exe. O
 executing a PowerShell script, may be indicative of malicious activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Script Executing PowerShell"
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index 9676c40e1..6846a4ea7 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/27" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -23,6 +21,40 @@ index = [ language = "eql" license = "Elastic License v2" name = "Windows Script Interpreter Executing Process via WMI" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Windows Script Interpreter Executing Process via WMI + +Windows Management Instrumentation (WMI) is a powerful Windows feature that allows for system management and automation. Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters like cscript.exe or wscript.exe. The detection rule identifies suspicious activity by monitoring for these interpreters executing processes via WMI, especially when initiated by non-system accounts, indicating potential malicious intent. + +### Possible investigation steps + +- Review the alert details to identify the specific script interpreter (cscript.exe or wscript.exe) and the process it executed. Check the process name and executable path for any anomalies or known malicious indicators. +- Examine the user account associated with the process execution. Verify if the user domain is not "NT AUTHORITY" and assess whether the account is expected to perform such actions. Investigate any unusual or unauthorized account activity. +- Investigate the parent process wmiprvse.exe to determine how it was initiated. Look for any preceding suspicious activities or processes that might have triggered the WMI execution. +- Check the system for any additional indicators of compromise, such as unexpected network connections, changes in system configurations, or other alerts related to the same host or user. 
+- Correlate the event with other security logs and alerts to identify any patterns or related incidents that might indicate a broader attack campaign or persistent threat. + +### False positive analysis + +- Legitimate administrative scripts or automation tasks may trigger this rule if they use cscript.exe or wscript.exe via WMI. To handle this, identify and document these scripts, then create exceptions for their specific execution paths or user accounts. +- Software installations or updates that utilize script interpreters through WMI can be mistaken for malicious activity. Monitor and whitelist known installation processes or update mechanisms that are frequently used in your environment. +- Custom applications or internal tools that rely on WMI for process execution might be flagged. Review these applications and exclude their specific process names or executable paths from the rule. +- Scheduled tasks or system maintenance scripts executed by non-system accounts could generate alerts. Verify these tasks and exclude them by specifying the user accounts or domains that are authorized to perform such actions. +- Security tools or monitoring solutions that leverage WMI for legitimate purposes may also be detected. Identify these tools and add them to the exception list based on their process names or executable locations. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further malicious activity and lateral movement. +- Terminate any suspicious processes identified in the alert, such as cscript.exe or wscript.exe, that are running under non-system accounts. +- Conduct a thorough review of the affected host's scheduled tasks, startup items, and services to identify and remove any persistence mechanisms. +- Analyze the parent process wmiprvse.exe and its command-line arguments to understand the scope of the attack and identify any additional compromised systems. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger campaign. +- Implement additional monitoring and alerting for similar activities across the network, focusing on WMI-based script execution and non-standard process launches. +- Review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts.""" risk_score = 47 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d" severity = "medium" 
@@ -70,40 +102,6 @@ sequence by host.id with maxspan = 5s ) ] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Windows Script Interpreter Executing Process via WMI - -Windows Management Instrumentation (WMI) is a powerful Windows feature that allows for system management and automation. Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters like cscript.exe or wscript.exe. The detection rule identifies suspicious activity by monitoring for these interpreters executing processes via WMI, especially when initiated by non-system accounts, indicating potential malicious intent. - -### Possible investigation steps - -- Review the alert details to identify the specific script interpreter (cscript.exe or wscript.exe) and the process it executed. Check the process name and executable path for any anomalies or known malicious indicators. -- Examine the user account associated with the process execution. Verify if the user domain is not "NT AUTHORITY" and assess whether the account is expected to perform such actions. Investigate any unusual or unauthorized account activity. -- Investigate the parent process wmiprvse.exe to determine how it was initiated. Look for any preceding suspicious activities or processes that might have triggered the WMI execution. -- Check the system for any additional indicators of compromise, such as unexpected network connections, changes in system configurations, or other alerts related to the same host or user. 
-- Correlate the event with other security logs and alerts to identify any patterns or related incidents that might indicate a broader attack campaign or persistent threat. - -### False positive analysis - -- Legitimate administrative scripts or automation tasks may trigger this rule if they use cscript.exe or wscript.exe via WMI. To handle this, identify and document these scripts, then create exceptions for their specific execution paths or user accounts. -- Software installations or updates that utilize script interpreters through WMI can be mistaken for malicious activity. Monitor and whitelist known installation processes or update mechanisms that are frequently used in your environment. -- Custom applications or internal tools that rely on WMI for process execution might be flagged. Review these applications and exclude their specific process names or executable paths from the rule. -- Scheduled tasks or system maintenance scripts executed by non-system accounts could generate alerts. Verify these tasks and exclude them by specifying the user accounts or domains that are authorized to perform such actions. -- Security tools or monitoring solutions that leverage WMI for legitimate purposes may also be detected. Identify these tools and add them to the exception list based on their process names or executable locations. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further malicious activity and lateral movement. -- Terminate any suspicious processes identified in the alert, such as cscript.exe or wscript.exe, that are running under non-system accounts. -- Conduct a thorough review of the affected host's scheduled tasks, startup items, and services to identify and remove any persistence mechanisms. -- Analyze the parent process wmiprvse.exe and its command-line arguments to understand the scope of the attack and identify any additional compromised systems. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger campaign. -- Implement additional monitoring and alerting for similar activities across the network, focusing on WMI-based script execution and non-standard process launches. -- Review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts.""" [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index 07be27f4b..519fd905a 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic", "Austin Songer"] @@ -24,7 +22,14 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Server UM Writing Suspicious Files" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml index 2ab66ef37..170538686 100644 
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic", "Austin Songer"] 
@@ -33,6 +31,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Server UM Spawning Suspicious Processes" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Microsoft Exchange Server UM Spawning Suspicious Processes + +Microsoft Exchange Server's Unified Messaging (UM) integrates voice messaging with email, allowing users to access voicemails via their inbox. Adversaries exploit vulnerabilities like CVE-2021-26857 to execute unauthorized processes, potentially leading to system compromise. The detection rule identifies unusual processes initiated by UM services, excluding known legitimate executables, to flag potential exploitation attempts. + +### Possible investigation steps + +- Review the alert details to confirm the process parent name is either "UMService.exe" or "UMWorkerProcess.exe" and verify the process executable path is not among the known legitimate paths listed in the exclusion criteria. +- Gather additional context by checking the process command line arguments and the user account under which the suspicious process was executed to identify any anomalies or unauthorized access. +- Investigate the historical activity of the host by reviewing recent logs for any other unusual or unauthorized processes, especially those related to the Microsoft Exchange Server. +- Check for any recent patches or updates applied to the Microsoft Exchange Server to ensure that vulnerabilities like CVE-2021-26857 have been addressed. 
+- Correlate the alert with other security tools and data sources such as Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or indicators of compromise. +- Assess the network activity from the host to detect any potential lateral movement or data exfiltration attempts that might be associated with the suspicious process. + +### False positive analysis + +- Legitimate UM service updates or patches may trigger the rule. Regularly update the list of known legitimate executables to include new or updated UM service files. +- Custom scripts or monitoring tools that interact with UM services might be flagged. Identify these scripts and add their executables to the exclusion list if they are verified as safe. +- Non-standard installation paths for Exchange Server can cause false positives. Ensure that all legitimate installation paths are included in the exclusion list to prevent unnecessary alerts. +- Administrative tasks performed by IT staff using command-line tools may be misidentified. Document these tasks and consider excluding the associated executables if they are part of routine maintenance. +- Third-party integrations with Exchange Server that spawn processes could be flagged. Verify these integrations and exclude their executables if they are deemed secure and necessary for business operations. + +### Response and remediation + +- Isolate the affected Microsoft Exchange Server from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious processes identified as being spawned by the UM service that are not part of the known legitimate executables list. +- Apply the latest security patches and updates to the Microsoft Exchange Server to address CVE-2021-26857 and any other known vulnerabilities. +- Conduct a thorough review of the server's security logs and network traffic to identify any additional indicators of compromise or unauthorized access attempts. 
+- Restore the server from a known good backup taken before the suspicious activity was detected, ensuring that the backup is free from compromise. +- Implement enhanced monitoring and alerting for any future suspicious processes spawned by the UM service, using the detection rule as a baseline. +- Escalate the incident to the organization's security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.""" references = [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", 
@@ -83,41 +116,6 @@ process where host.os.type == "windows" and event.type == "start" and "\\Device\\HarddiskVolume?\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Microsoft Exchange Server UM Spawning Suspicious Processes - -Microsoft Exchange Server's Unified Messaging (UM) integrates voice messaging with email, allowing users to access voicemails via their inbox. Adversaries exploit vulnerabilities like CVE-2021-26857 to execute unauthorized processes, potentially leading to system compromise. The detection rule identifies unusual processes initiated by UM services, excluding known legitimate executables, to flag potential exploitation attempts. - -### Possible investigation steps - -- Review the alert details to confirm the process parent name is either "UMService.exe" or "UMWorkerProcess.exe" and verify the process executable path is not among the known legitimate paths listed in the exclusion criteria. -- Gather additional context by checking the process command line arguments and the user account under which the suspicious process was executed to identify any anomalies or unauthorized access. -- Investigate the historical activity of the host by reviewing recent logs for any other unusual or unauthorized processes, especially those related to the Microsoft Exchange Server. -- Check for any recent patches or updates applied to the Microsoft Exchange Server to ensure that vulnerabilities like CVE-2021-26857 have been addressed. 
-- Correlate the alert with other security tools and data sources such as Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or indicators of compromise. -- Assess the network activity from the host to detect any potential lateral movement or data exfiltration attempts that might be associated with the suspicious process. - -### False positive analysis - -- Legitimate UM service updates or patches may trigger the rule. Regularly update the list of known legitimate executables to include new or updated UM service files. -- Custom scripts or monitoring tools that interact with UM services might be flagged. Identify these scripts and add their executables to the exclusion list if they are verified as safe. -- Non-standard installation paths for Exchange Server can cause false positives. Ensure that all legitimate installation paths are included in the exclusion list to prevent unnecessary alerts. -- Administrative tasks performed by IT staff using command-line tools may be misidentified. Document these tasks and consider excluding the associated executables if they are part of routine maintenance. -- Third-party integrations with Exchange Server that spawn processes could be flagged. Verify these integrations and exclude their executables if they are deemed secure and necessary for business operations. - -### Response and remediation - -- Isolate the affected Microsoft Exchange Server from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious processes identified as being spawned by the UM service that are not part of the known legitimate executables list. -- Apply the latest security patches and updates to the Microsoft Exchange Server to address CVE-2021-26857 and any other known vulnerabilities. -- Conduct a thorough review of the server's security logs and network traffic to identify any additional indicators of compromise or unauthorized access attempts. 
-- Restore the server from a known good backup taken before the suspicious activity was detected, ensuring that the backup is free from compromise. -- Implement enhanced monitoring and alerting for any future suspicious processes spawned by the UM service, using the detection rule as a baseline. -- Escalate the incident to the organization's security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.""" [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index 8ed1234cc..e28f18a80 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/08" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,40 +11,17 @@ Identifies suspicious processes being spawned by the Microsoft Exchange Server w indicate exploitation activity or access to an existing web shell backdoor. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Worker Spawning Suspicious Processes" -references = [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", - "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289", -] -risk_score = 73 -rule_id = "f81ee52c-297e-46d9-9205-07e66931df26" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and - (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or - ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -83,6 +58,36 @@ Microsoft Exchange Server uses the worker process (w3wp.exe) to handle web reque - Apply the latest security patches and updates to the Microsoft Exchange Server to mitigate known vulnerabilities and prevent exploitation. - Monitor network traffic and server logs for any signs of continued or attempted exploitation, focusing on unusual outbound connections or repeated access attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" +references = [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289", +] +risk_score = 73 +rule_id = "f81ee52c-297e-46d9-9205-07e66931df26" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and + (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or + ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) +''' [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 98c8386fb..74d8fad80 100644 
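Review bot: The clause `?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")` in the relocated query is a case-sensitive comparison, since EQL `in`, unlike the `:` operator used on the line above it, does not fold case, and the explorer-child hunk in this same diff (initial_access_via_explorer_suspicious_child_parent_args.toml) spells the same field's values as `"Cmd.Exe"` and `"PowerShell.EXE"`. If the PE metadata on the endpoint carries that mixed-case spelling, this fallback branch only fires for the lower-case form and the rule relies on `process.name` alone. Either switch to the case-insensitive operator, `?process.pe.original_file_name in~ ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")`, or align the spellings with the explorer rule. The identical clause appears in the ScreenConnect hunk (initial_access_webshell_screenconnect_server.toml) further down and should get the same treatment.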
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index d55d70ce6..c0828b44e 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -127,7 +125,6 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -150,7 +147,6 @@ reference = "https://attack.mitre.org/techniques/T1059/003/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -159,7 +155,6 @@ name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index c92b3bf25..7a7e8c675 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/29" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,45 +11,17 @@ Identifies a suspicious Windows explorer child process. Explorer.exe can be abus executables from a trusted parent process. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Explorer Child Process" -risk_score = 47 -rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - ( - process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or - ?process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE") - ) and - /* Explorer started via DCOM */ - process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and - not process.parent.args: - ( - /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */ - "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}", - "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -87,6 +57,41 @@ Windows Explorer, a core component of the Windows OS, manages file and folder na - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign. - Implement additional monitoring and alerting for similar suspicious activities involving explorer.exe to enhance detection capabilities and prevent recurrence. - Review and update endpoint security policies to restrict the execution of potentially malicious scripts or executables from explorer.exe, especially when initiated via DCOM.""" +risk_score = 47 +rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + ( + process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or + ?process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE") + ) and + /* Explorer started via DCOM */ + process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and + not process.parent.args: + ( + /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */ + "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}", + "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}" + ) +''' [[rule.threat]] 
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml index c3bce1a87..0c6215758 100644 --- a/rules/windows/initial_access_webshell_screenconnect_server.toml +++ b/rules/windows/initial_access_webshell_screenconnect_server.toml @@ -2,9 +2,7 @@ creation_date = "2024/03/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -27,34 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "ScreenConnect Server Spawning Suspicious Processes" -references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"] -risk_score = 73 -rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "ScreenConnect.Service.exe" and - (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or - ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -90,6 +60,34 @@ ScreenConnect, a remote support tool, allows administrators to control systems r - Apply security patches and updates to the ScreenConnect server and any other vulnerable applications to mitigate exploitation risks. - Restore the system from a known good backup if evidence of compromise is confirmed, ensuring that the backup is free from malicious artifacts. - Report the incident to the appropriate internal security team or external authorities if required, providing them with detailed findings and evidence for further investigation.""" +references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"] +risk_score = 73 +rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "ScreenConnect.Service.exe" and + (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or + ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) +''' [[rule.threat]] diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml index 2416c2c89..1e5bd39b6 100644 --- a/rules/windows/lateral_movement_alternate_creds_pth.toml +++ b/rules/windows/lateral_movement_alternate_creds_pth.toml 
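Review bot: The `?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")` clause in the moved query uses EQL's case-sensitive `in`, yet spells the names differently from the explorer.exe DCOM rule earlier in this diff (`"Cmd.Exe"`, `"PowerShell.EXE"`), so at most one of the two lists can match the real PE OriginalFilename values; because `process.name :` already catches the normal case, the mismatch only weakens the renamed-binary branch, but it is still a silent coverage gap. `csc.exe` is also present in the `process.name` list but absent from the `original_file_name` list. Aligning the spelling with the other rule, or switching to the case-insensitive `in~` if the minimum stack supports it, would fix both, e.g. `?process.pe.original_file_name in~ ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe", "csc.exe")`. The `[rule.threat]` mapping follows outside the hunk.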
@@ -2,9 +2,7 @@ creation_date = "2023/03/29" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -18,20 +16,6 @@ index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"] language = "kuery" license = "Elastic License v2" name = "Potential Pass-the-Hash (PtH) Attempt" -references = ["https://attack.mitre.org/techniques/T1550/002/"] -risk_score = 47 -rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "new_terms" - -query = ''' -host.os.type:"windows" and -event.category : "authentication" and event.action : "logged-in" and -winlog.logon.type : "NewCredentials" and event.outcome : "success" and -user.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : "seclogo" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -67,6 +51,27 @@ Pass-the-Hash (PtH) is a technique where attackers use stolen password hashes to - Deploy endpoint detection and response (EDR) tools to monitor for any further suspicious activity or attempts to use stolen hashes. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach. - Implement additional logging and monitoring for the "seclogo" logon process to enhance detection of future pass-the-hash attempts.""" +references = ["https://attack.mitre.org/techniques/T1550/002/"] +risk_score = 47 +rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +host.os.type:"windows" and +event.category : "authentication" and event.action : "logged-in" and +winlog.logon.type : "NewCredentials" and event.outcome : "success" and +user.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : "seclogo" +''' [[rule.threat]] diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 4ad06eacf..3e17c1558 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -22,28 +20,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Service Command Lateral Movement" -risk_score = 21 -rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by process.entity_id with maxspan = 1m - [process where host.os.type == "windows" and event.type == "start" and - (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and - process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and - process.args : ("create", "config", "failure", "start")] - [network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1"] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -78,6 +54,28 @@ The Service Control Manager in Windows allows for the management of services, wh - Restore the affected system from a known good backup if any malicious modifications or persistent threats are detected. - Implement network segmentation to limit the ability of adversaries to move laterally across the network in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +risk_score = 21 +rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by process.entity_id with maxspan = 1m + [process where host.os.type == "windows" and event.type == "start" and + (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and + process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and + process.args : ("create", "config", "failure", "start")] + [network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1"] +''' [[rule.threat]] diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index b9061b5cb..4f7be9daf 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
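Review bot: The network step of the moved `sequence` excludes only `destination.ip != "127.0.0.1"`, so an `sc.exe \\localhost ...` invocation that resolves to the IPv6 loopback could still complete the sequence and alert as lateral movement, whereas the DCOM and WinRM rules in this same diff exclude both loopback literals. Suggest `[network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1" and destination.ip != "::1"]` so the local-host case is filtered consistently. The `[rule.threat]` section is outside the hunk.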
@@ -23,31 +21,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Incoming DCOM Lateral Movement via MSHTA" -references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"] -risk_score = 73 -rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence with maxspan=1m - [process where host.os.type == "windows" and event.type == "start" and - process.name : "mshta.exe" and process.args : "-Embedding" - ] by host.id, process.entity_id - [network where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and - network.direction : ("incoming", "ingress") and network.transport == "tcp" and - source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1" - ] by host.id, process.entity_id -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -83,6 +56,31 @@ DCOM allows software components to communicate over a network, enabling remote e - Review and restrict DCOM permissions and configurations on the affected host and other critical systems to limit the potential for similar attacks. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems have been compromised. - Update detection mechanisms and threat intelligence feeds to enhance monitoring for similar DCOM-based lateral movement attempts in the future.""" +references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"] +risk_score = 73 +rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence with maxspan=1m + [process where host.os.type == "windows" and event.type == "start" and + process.name : "mshta.exe" and process.args : "-Embedding" + ] by host.id, process.entity_id + [network where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and + network.direction : ("incoming", "ingress") and network.transport == "tcp" and + source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1" + ] by host.id, process.entity_id +''' [[rule.threat]] diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index d52089db2..edec6ac25 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -23,31 +21,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Incoming DCOM Lateral Movement with MMC" -references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"] -risk_score = 73 -rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by host.id with maxspan=1m - [network where host.os.type == "windows" and event.type == "start" and process.name : "mmc.exe" and source.port >= 49152 and - destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" and - network.direction : ("incoming", "ingress") and network.transport == "tcp" - ] by process.entity_id - [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "mmc.exe" - ] by process.parent.entity_id -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,6 +55,31 @@ Distributed Component Object Model (DCOM) enables software components to communi - Apply patches and updates to the affected systems and any other vulnerable systems in the network to mitigate known vulnerabilities that could be exploited. - Implement network segmentation to limit the ability of threats to move laterally within the network in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional actions are necessary.""" +references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"] +risk_score = 73 +rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by host.id with maxspan=1m + [network where host.os.type == "windows" and event.type == "start" and process.name : "mmc.exe" and source.port >= 49152 and + destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" and + network.direction : ("incoming", "ingress") and network.transport == "tcp" + ] by process.entity_id + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "mmc.exe" + ] by process.parent.entity_id +''' [[rule.threat]] diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index b810f2ddc..99d6bbb80 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -23,31 +21,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows" -references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"] -risk_score = 47 -rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by host.id with maxspan=5s - [network where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe" and - network.direction : ("incoming", "ingress") and network.transport == "tcp" and - source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1" - ] by process.entity_id - [process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "explorer.exe" - ] by process.parent.entity_id -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -83,6 +56,31 @@ DCOM enables software components to communicate over a network, often used in Wi - Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited during the attack. - Enhance monitoring and logging on the network to detect similar DCOM abuse attempts, ensuring that alerts are configured for high TCP port activity and unusual process spawning by explorer.exe. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment or remediation actions are necessary.""" +references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"] +risk_score = 47 +rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by host.id with maxspan=5s + [network where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe" and + network.direction : ("incoming", "ingress") and network.transport == "tcp" and + source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1" + ] by process.entity_id + [process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "explorer.exe" + ] by process.parent.entity_id +''' [[rule.threat]] diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index 0b12322e3..815a43f51 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml +++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/03/22" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,42 +11,17 @@ Identifies NullSessionPipe registry modifications that specify which pipes can b indicative of adversary lateral movement preparation by making the added pipe available to everyone. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "NullSessionPipe Registry Modification" -references = [ - "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares", -] -risk_score = 47 -rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and -registry.path : ( - "HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes", - "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes", - "MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes" -) and length(registry.data.strings) > 0 and -not registry.data.strings : "(empty)" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -83,6 +56,38 @@ The NullSessionPipe registry setting in Windows defines which named pipes can be - Reset credentials for any accounts that may have been compromised or used in conjunction with the unauthorized access to ensure they cannot be reused by adversaries. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been affected. - Implement enhanced monitoring and alerting for changes to the NullSessionPipes registry key and similar registry paths to detect and respond to future unauthorized modifications promptly.""" +references = [ + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares", +] +risk_score = 47 +rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and +registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes", + "MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes" +) and length(registry.data.strings) > 0 and +not registry.data.strings : "(empty)" +''' [[rule.threat]] 
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index 5fc5de9d8..652d28d1f 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml @@ -2,9 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -26,6 +24,40 @@ index = [ language = "eql" license = "Elastic License v2" name = "Potential Remote Desktop Shadowing Activity" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Remote Desktop Shadowing Activity + +Remote Desktop Shadowing allows administrators to view or control active RDP sessions, aiding in support and troubleshooting. However, adversaries can exploit this feature to monitor or hijack user sessions without consent. The detection rule identifies suspicious modifications to RDP Shadow registry settings and the execution of specific processes linked to shadowing, signaling potential misuse. + +### Possible investigation steps + +- Review the registry event details to confirm if there was a modification to the RDP Shadow registry path, specifically checking for changes in "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow". +- Investigate the process events to identify if "RdpSaUacHelper.exe" or "RdpSaProxy.exe" were started by "svchost.exe", which could indicate unauthorized shadowing activity. +- Check for any instances of "mstsc.exe" being executed with the "/shadow:*" argument, as this could signify an attempt to shadow an RDP session. +- Correlate the identified processes and registry changes with user activity logs to determine if the actions were authorized or expected as part of legitimate administrative tasks. +- Analyze network logs for any unusual remote connections or lateral movement patterns that coincide with the timing of the detected shadowing activity. 
+- Consult endpoint security solutions like Microsoft Defender for Endpoint or SentinelOne for additional context or alerts related to the same host or user account involved in the shadowing activity. + +### False positive analysis + +- Legitimate administrative activities may trigger alerts when IT staff use RDP Shadowing for support. To manage this, create exceptions for known IT administrator accounts or specific IP addresses. +- Scheduled maintenance or automated scripts that modify RDP Shadow registry settings can be mistaken for malicious activity. Identify and exclude these processes or scripts from the detection rule. +- Security software or monitoring tools that interact with RDP sessions might mimic shadowing behavior. Verify these tools and whitelist their processes to prevent false alerts. +- Training sessions or remote support tools that use RDP Shadowing features can generate alerts. Document and exclude these activities by identifying their unique process names or arguments. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. +- Terminate any suspicious processes identified in the alert, such as RdpSaUacHelper.exe, RdpSaProxy.exe, or mstsc.exe with shadowing arguments, to stop potential session hijacking. +- Revert any unauthorized changes to the RDP Shadow registry settings to their default or secure state to prevent further exploitation. +- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized changes have been made, and reset passwords for any compromised accounts. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more quickly in the future. 
+- Review and update RDP access policies and configurations to ensure they align with best practices, such as enforcing multi-factor authentication and limiting RDP access to only necessary users and systems.""" references = [ "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/", 
@@ -67,40 +99,6 @@ any where host.os.type == "windows" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Remote Desktop Shadowing Activity - -Remote Desktop Shadowing allows administrators to view or control active RDP sessions, aiding in support and troubleshooting. However, adversaries can exploit this feature to monitor or hijack user sessions without consent. The detection rule identifies suspicious modifications to RDP Shadow registry settings and the execution of specific processes linked to shadowing, signaling potential misuse. - -### Possible investigation steps - -- Review the registry event details to confirm if there was a modification to the RDP Shadow registry path, specifically checking for changes in "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow". -- Investigate the process events to identify if "RdpSaUacHelper.exe" or "RdpSaProxy.exe" were started by "svchost.exe", which could indicate unauthorized shadowing activity. -- Check for any instances of "mstsc.exe" being executed with the "/shadow:*" argument, as this could signify an attempt to shadow an RDP session. -- Correlate the identified processes and registry changes with user activity logs to determine if the actions were authorized or expected as part of legitimate administrative tasks. -- Analyze network logs for any unusual remote connections or lateral movement patterns that coincide with the timing of the detected shadowing activity. 
-- Consult endpoint security solutions like Microsoft Defender for Endpoint or SentinelOne for additional context or alerts related to the same host or user account involved in the shadowing activity. - -### False positive analysis - -- Legitimate administrative activities may trigger alerts when IT staff use RDP Shadowing for support. To manage this, create exceptions for known IT administrator accounts or specific IP addresses. -- Scheduled maintenance or automated scripts that modify RDP Shadow registry settings can be mistaken for malicious activity. Identify and exclude these processes or scripts from the detection rule. -- Security software or monitoring tools that interact with RDP sessions might mimic shadowing behavior. Verify these tools and whitelist their processes to prevent false alerts. -- Training sessions or remote support tools that use RDP Shadowing features can generate alerts. Document and exclude these activities by identifying their unique process names or arguments. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. -- Terminate any suspicious processes identified in the alert, such as RdpSaUacHelper.exe, RdpSaProxy.exe, or mstsc.exe with shadowing arguments, to stop potential session hijacking. -- Revert any unauthorized changes to the RDP Shadow registry settings to their default or secure state to prevent further exploitation. -- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized changes have been made, and reset passwords for any compromised accounts. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more quickly in the future. 
-- Review and update RDP access policies and configurations to ensure they align with best practices, such as enforcing multi-factor authentication and limiting RDP access to only necessary users and systems.""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index fefd0ad1a..a6329dc5a 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -27,33 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Execution via TSClient Mountpoint" -references = [ - "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", - "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language", -] -risk_score = 73 -rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -89,6 +60,33 @@ The TSClient mountpoint is a feature of the Remote Desktop Protocol (RDP) that a - Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access. - Implement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface for similar threats. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts.""" +references = [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", + "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language", +] +risk_score = 73 +rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" +''' [[rule.threat]] diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml index 5997eaad1..441b22f62 100644 --- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml 
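Review bot: The moved query matches only `process.executable : "\\Device\\Mup\\tsclient\\*.exe"`, so a script or DLL on the redirected drive run through an interpreter (for example `cmd.exe /c \\tsclient\c\payload.bat` or `rundll32.exe \\tsclient\c\x.dll,Run`) would carry the tsclient path in `process.args` rather than `process.executable` and not fire. If that is an accepted scope limit, a one-line caveat in the `note` ("only PE files executed directly from the tsclient share are covered") would spare analysts from assuming broader coverage; otherwise an `or process.args : "\\\\tsclient\\*"` branch is the obvious extension, at the cost of more tuning. The `[rule.threat]` block follows outside the hunk.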
@@ -2,9 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -28,27 +26,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming Execution via WinRM Remote Shell"
-risk_score = 47
-rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by host.id with maxspan=30s
- [network where host.os.type == "windows" and process.pid == 4 and network.direction : ("incoming", "ingress") and
- destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
- [process where host.os.type == "windows" and
- event.type == "start" and process.parent.name : "winrshost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -84,6 +61,27 @@ Windows Remote Management (WinRM) is a protocol that allows for remote managemen
 - Restore the affected system from a known good backup if any malicious activity or unauthorized changes are confirmed.
 - Implement network segmentation to limit the ability of threats to move laterally across the network, focusing on restricting access to critical systems.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+risk_score = 47
+rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan=30s
+ [network where host.os.type == "windows" and process.pid == 4 and network.direction : ("incoming", "ingress") and
+ destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
+ [process where host.os.type == "windows" and
+ event.type == "start" and process.parent.name : "winrshost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
+'''
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 8911fffc0..d46baf95e 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/22"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,10 +11,49 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a
 adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "WMI Incoming Lateral Movement"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating WMI Incoming Lateral Movement
+
+Windows Management Instrumentation (WMI) is a core Windows feature enabling remote management and data collection. Adversaries exploit WMI for lateral movement by executing processes on remote hosts, often bypassing traditional security measures. The detection rule identifies suspicious WMI activity by monitoring specific network connections and process executions, filtering out common false positives to highlight potential threats.
+
+### Possible investigation steps
+
+- Review the source IP address of the incoming RPC connection to determine if it is from a known or trusted network segment, excluding localhost addresses like 127.0.0.1 and ::1.
+- Check the process name and parent process name, specifically looking for svchost.exe and WmiPrvSE.exe, to confirm the execution context and identify any unusual parent-child process relationships.
+- Investigate the user ID associated with the process execution to ensure it is not a system account (S-1-5-18, S-1-5-19, S-1-5-20) and assess if the user has legitimate reasons for remote WMI activity.
+- Examine the process executable path to verify it is not one of the excluded common false positives, such as those related to HPWBEM, SCCM, or other specified system utilities.
+- Analyze the network connection details, including source and destination ports, to identify any patterns or anomalies that could indicate malicious lateral movement.
+- Correlate the alert with other security events or logs from the same host or network segment to gather additional context and identify potential patterns of compromise.
+
+### False positive analysis
+
+- Administrative use of WMI for remote management can trigger alerts. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff.
+- Security tools like Nessus and SCCM may cause false positives. Exclude processes associated with these tools by adding their executables to the exception list.
+- System processes running with high integrity levels might be flagged. Exclude processes with integrity levels marked as "System" to reduce noise.
+- Specific executables such as msiexec.exe and appcmd.exe with certain arguments can be safely excluded if they are part of routine administrative tasks.
+- Regularly review and update the exception list to ensure it aligns with current network management practices and tools.
+
+### Response and remediation
+
+- Isolate the affected host immediately from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools.
+- Terminate any suspicious processes identified as being executed via WMI on the affected host. Use task management tools or scripts to stop these processes.
+- Conduct a thorough review of the affected host's WMI logs and process execution history to identify any unauthorized changes or additional malicious activity.
+- Reset credentials for any accounts that were used in the suspicious WMI activity, especially if they have administrative privileges, to prevent further unauthorized access.
+- Apply patches and updates to the affected host and any other systems that may be vulnerable to similar exploitation methods, ensuring that all security updates are current.
+- Enhance monitoring and logging for WMI activity across the network to detect and respond to similar threats more quickly in the future. This includes setting up alerts for unusual WMI usage patterns.
+- If the threat is confirmed to be part of a larger attack, escalate the incident to the appropriate security team or authority for further investigation and potential legal action."""
 risk_score = 47
 rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88"
 severity = "medium"
@@ -59,41 +96,6 @@ sequence by host.id with maxspan = 2s
 not (process.executable : "?:\\Windows\\System32\\inetsrv\\appcmd.exe" and process.args : "uninstall")
 ]
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating WMI Incoming Lateral Movement
-
-Windows Management Instrumentation (WMI) is a core Windows feature enabling remote management and data collection. Adversaries exploit WMI for lateral movement by executing processes on remote hosts, often bypassing traditional security measures. The detection rule identifies suspicious WMI activity by monitoring specific network connections and process executions, filtering out common false positives to highlight potential threats.
-
-### Possible investigation steps
-
-- Review the source IP address of the incoming RPC connection to determine if it is from a known or trusted network segment, excluding localhost addresses like 127.0.0.1 and ::1.
-- Check the process name and parent process name, specifically looking for svchost.exe and WmiPrvSE.exe, to confirm the execution context and identify any unusual parent-child process relationships.
-- Investigate the user ID associated with the process execution to ensure it is not a system account (S-1-5-18, S-1-5-19, S-1-5-20) and assess if the user has legitimate reasons for remote WMI activity.
-- Examine the process executable path to verify it is not one of the excluded common false positives, such as those related to HPWBEM, SCCM, or other specified system utilities.
-- Analyze the network connection details, including source and destination ports, to identify any patterns or anomalies that could indicate malicious lateral movement.
-- Correlate the alert with other security events or logs from the same host or network segment to gather additional context and identify potential patterns of compromise.
-
-### False positive analysis
-
-- Administrative use of WMI for remote management can trigger alerts. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff.
-- Security tools like Nessus and SCCM may cause false positives. Exclude processes associated with these tools by adding their executables to the exception list.
-- System processes running with high integrity levels might be flagged. Exclude processes with integrity levels marked as "System" to reduce noise.
-- Specific executables such as msiexec.exe and appcmd.exe with certain arguments can be safely excluded if they are part of routine administrative tasks.
-- Regularly review and update the exception list to ensure it aligns with current network management practices and tools.
-
-### Response and remediation
-
-- Isolate the affected host immediately from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools.
-- Terminate any suspicious processes identified as being executed via WMI on the affected host. Use task management tools or scripts to stop these processes.
-- Conduct a thorough review of the affected host's WMI logs and process execution history to identify any unauthorized changes or additional malicious activity.
-- Reset credentials for any accounts that were used in the suspicious WMI activity, especially if they have administrative privileges, to prevent further unauthorized access.
-- Apply patches and updates to the affected host and any other systems that may be vulnerable to similar exploitation methods, ensuring that all security updates are current.
-- Enhance monitoring and logging for WMI activity across the network to detect and respond to similar threats more quickly in the future. This includes setting up alerts for unusual WMI usage patterns.
-- If the threat is confirmed to be part of a larger attack, escalate the incident to the appropriate security team or authority for further investigation and potential legal action."""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 3489b44f5..3352383eb 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,37 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Mounting Hidden or WebDav Remote Shares"
-risk_score = 47
-rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- ((process.name : "net.exe" or ?process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or ?process.pe.original_file_name == "net1.exe") and
- not process.parent.name : "net.exe")) and
- process.args : "use" and
- /* including hidden and webdav based online shares such as onedrive */
- process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*") and
- /* excluding shares deletion operation */
- not process.args : "/d*"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -92,6 +59,37 @@ WebDav and hidden remote shares facilitate file sharing and collaboration across
 - Implement network segmentation to limit access to critical systems and sensitive data, reducing the risk of lateral movement.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
 - Enhance monitoring and alerting for similar activities by ensuring that all relevant security tools are configured to detect and alert on suspicious use of net.exe and net1.exe."""
+risk_score = 47
+rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ ((process.name : "net.exe" or ?process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or ?process.pe.original_file_name == "net1.exe") and
+ not process.parent.name : "net.exe")) and
+ process.args : "use" and
+ /* including hidden and webdav based online shares such as onedrive */
+ process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*") and
+ /* excluding shares deletion operation */
+ not process.args : "/d*"
+'''
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index 86d159976..f6227044c 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -28,31 +26,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming Execution via PowerShell Remoting"
-references = [
- "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1",
-]
-risk_score = 47
-rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by host.id with maxspan = 30s
- [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
- network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
- [process where host.os.type == "windows" and
- event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -88,6 +61,31 @@ PowerShell Remoting enables administrators to execute commands on remote Windows
 - Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited.
 - Enhance monitoring on the network for unusual activity on ports 5985 and 5986 to detect any future attempts at unauthorized PowerShell Remoting.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""
+references = [
+ "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1",
+]
+risk_score = 47
+rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan = 30s
+ [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
+ network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
+ [process where host.os.type == "windows" and
+ event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
+'''
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index be8f3779d..d0b2102f5 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,14 @@ Identifies registry write modifications to enable Remote Desktop Protocol (RDP)
 adversary lateral movement preparation.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "RDP Enabled via Registry"
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 3e7c65552..be836c466 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/25"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,32 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Copy to a Hidden Share"
-references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
-risk_score = 47
-rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.name : ("cmd.exe", "powershell.exe", "xcopy.exe", "pwsh.exe", "powershell_ise.exe") and
- process.command_line : "*\\\\*\\*$*" and process.command_line : ("*copy*", "*move*", "* cp *", "* mv *")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -88,6 +60,32 @@ In Windows environments, hidden network shares are often used for legitimate adm
 - Review and restrict permissions on network shares, especially hidden shares, to ensure only authorized users have access.
 - Monitor network traffic for any further suspicious activity related to hidden shares and lateral movement attempts.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""
+references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
+risk_score = 47
+rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : ("cmd.exe", "powershell.exe", "xcopy.exe", "pwsh.exe", "powershell_ise.exe") and
+ process.command_line : "*\\\\*\\*$*" and process.command_line : ("*copy*", "*move*", "* cp *", "* mv *")
+'''
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
index b06572fd2..5d8410e12 100644
--- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml
+++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Windows Service Installed"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Remote Windows Service Installed
+
+Windows services are crucial for running background processes. Adversaries exploit this by installing services remotely to maintain persistence or move laterally within a network. The detection rule identifies suspicious service installations following a network logon, excluding known legitimate services, to flag potential unauthorized activities. This helps in identifying and mitigating threats early.
+
+### Possible investigation steps
+
+- Review the source IP address from the authentication event to determine if it is from a known or trusted network segment. Investigate any unfamiliar or suspicious IP addresses.
+- Check the winlog.logon.id to correlate the logon session with the service installation event, ensuring they are part of the same session.
+- Investigate the user account associated with the logon session to determine if the activity aligns with their typical behavior or role within the organization.
+- Examine the service file path from the service-installed event to identify if it is a known or legitimate application. Pay special attention to any paths not excluded in the query.
+- Look into the history of the computer where the service was installed (winlog.computer_name) for any previous suspicious activities or alerts.
+- Assess the timing and frequency of similar events to determine if this is an isolated incident or part of a broader pattern of suspicious behavior.
+
+### False positive analysis
+
+- Administrative activities can trigger false positives when administrators frequently install or update services remotely. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff.
+- Legitimate software installations or updates may appear as suspicious service installations. Maintain an updated list of authorized software paths and exclude these from the detection rule.
+- Automated deployment tools like PDQ Deploy or Veeam Backup can cause false positives. Identify and exclude the service paths associated with these tools to reduce noise.
+- Scheduled tasks that install or update services as part of routine maintenance can be mistaken for threats. Document and exclude these tasks from the rule to prevent unnecessary alerts.
+- Internal security tools that perform regular checks or updates may also trigger alerts. Ensure these tools are recognized and their service paths are excluded from the detection criteria.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools.
+- Terminate any unauthorized services identified by the alert to stop any malicious processes from running. Use task management tools or command-line utilities to stop and disable these services.
+- Conduct a thorough review of recent logon events and service installations on the affected system to identify any additional unauthorized activities or compromised accounts.
+- Change passwords for any accounts that were used in the unauthorized service installation, especially if they have administrative privileges, to prevent further unauthorized access.
+- Restore the affected system from a known good backup if any malicious changes or persistence mechanisms are detected that cannot be easily remediated.
+- Implement network monitoring and alerting for similar suspicious activities, such as unexpected service installations or network logons, to enhance detection and response capabilities.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or accounts have been compromised."""
 risk_score = 47
 rule_id = "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1"
 severity = "medium"
@@ -64,41 +97,6 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe", "?:\\Windows\\System32\\taskhostex.exe")] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Remote Windows Service Installed - -Windows services are crucial for running background processes. Adversaries exploit this by installing services remotely to maintain persistence or move laterally within a network. The detection rule identifies suspicious service installations following a network logon, excluding known legitimate services, to flag potential unauthorized activities. This helps in identifying and mitigating threats early. - -### Possible investigation steps - -- Review the source IP address from the authentication event to determine if it is from a known or trusted network segment. Investigate any unfamiliar or suspicious IP addresses. -- Check the winlog.logon.id to correlate the logon session with the service installation event, ensuring they are part of the same session. -- Investigate the user account associated with the logon session to determine if the activity aligns with their typical behavior or role within the organization. -- Examine the service file path from the service-installed event to identify if it is a known or legitimate application. Pay special attention to any paths not excluded in the query. -- Look into the history of the computer where the service was installed (winlog.computer_name) for any previous suspicious activities or alerts. 
-- Assess the timing and frequency of similar events to determine if this is an isolated incident or part of a broader pattern of suspicious behavior. - -### False positive analysis - -- Administrative activities can trigger false positives when administrators frequently install or update services remotely. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff. -- Legitimate software installations or updates may appear as suspicious service installations. Maintain an updated list of authorized software paths and exclude these from the detection rule. -- Automated deployment tools like PDQ Deploy or Veeam Backup can cause false positives. Identify and exclude the service paths associated with these tools to reduce noise. -- Scheduled tasks that install or update services as part of routine maintenance can be mistaken for threats. Document and exclude these tasks from the rule to prevent unnecessary alerts. -- Internal security tools that perform regular checks or updates may also trigger alerts. Ensure these tools are recognized and their service paths are excluded from the detection criteria. - -### Response and remediation - -- Isolate the affected system from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools. -- Terminate any unauthorized services identified by the alert to stop any malicious processes from running. Use task management tools or command-line utilities to stop and disable these services. -- Conduct a thorough review of recent logon events and service installations on the affected system to identify any additional unauthorized activities or compromised accounts. -- Change passwords for any accounts that were used in the unauthorized service installation, especially if they have administrative privileges, to prevent further unauthorized access. 
-- Restore the affected system from a known good backup if any malicious changes or persistence mechanisms are detected that cannot be easily remediated. -- Implement network monitoring and alerting for similar suspicious activities, such as unexpected service installations or network logons, to enhance detection and response capabilities. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or accounts have been compromised.""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index bd46ed742..6409bf739 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml index cc727f02a..1370fa1ac 100644 --- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml +++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml index 962d7dc4f..857d749b7 100644 --- a/rules/windows/lateral_movement_scheduled_task_target.toml 
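Review bot: Dropping `min_stack_version = "8.14.0"` together with the `min_stack_comments` line removes the only record of why this rule required the post-breaking-change Windows integration, and the hunk leaves nothing that says the pin is now implied. If the oldest branch these rules are still built for is 8.14 or newer the removal is harmless, but that assumption should be stated in the commit description rather than inferred, because a rule without the pin would also be packaged for any older stack a backport branch still targets. The same removal is repeated in lateral_movement_remote_task_creation_winlog.toml, lateral_movement_scheduled_task_target.toml, lateral_movement_suspicious_rdp_client_imageload.toml, lateral_movement_unusual_dns_service_children.toml, lateral_movement_unusual_dns_service_file_writes.toml, lateral_movement_via_startup_folder_rdp_smb.toml, lateral_movement_via_wsus_update.toml, persistence_ad_adminsdholder.toml, persistence_adobe_hijack_persistence.toml and persistence_app_compat_shim.toml.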
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/20" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml index 49b26a6d2..d9b248b58 100644 --- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml +++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,40 @@ index = ["logs-endpoint.events.library-*", "winlogbeat-*", "logs-windows.sysmon_
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious RDP ActiveX Client Loaded"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious RDP ActiveX Client Loaded
+
+The Remote Desktop Services ActiveX Client, mstscax.dll, facilitates remote desktop connections, enabling users to access and control other systems. Adversaries may exploit this by loading the DLL in unauthorized contexts to move laterally within a network. The detection rule identifies unusual loading of mstscax.dll outside typical system paths, flagging potential misuse indicative of lateral movement attempts.
+
+### Possible investigation steps
+
+- Review the process executable path to determine if mstscax.dll was loaded from an unusual or unauthorized location, as specified in the query.
+- Check the associated process and user context to identify who initiated the process and whether it aligns with expected behavior or known user activity.
+- Investigate the network connections associated with the process to identify any suspicious remote connections or lateral movement attempts.
+- Examine recent login events and RDP session logs for the involved user account to detect any unauthorized access or anomalies.
+- Correlate the alert with other security events or logs to identify potential patterns or related suspicious activities within the network.
+
+### False positive analysis
+
+- Legitimate administrative tools or scripts that load mstscax.dll from non-standard paths may trigger false positives. To mitigate this, identify and document these tools, then add their paths to the exclusion list in the detection rule.
+- Software updates or installations that temporarily load mstscax.dll from unusual locations can cause false alerts. Monitor and log these activities, and consider excluding these paths if they are consistently flagged during known update periods.
+- Virtualization software or sandbox environments that use mstscax.dll for legitimate purposes might be flagged. Verify the use of such software and exclude their executable paths from the rule to prevent unnecessary alerts.
+- Custom user scripts or automation tasks that involve remote desktop functionalities may load mstscax.dll in unexpected ways. Review these scripts and, if deemed safe, add their execution paths to the exclusion list to reduce noise.
+- Network drive mappings or shared folders that involve remote desktop components could lead to false positives. Ensure these are part of regular operations and exclude their paths if they are frequently flagged without malicious intent.
+
+### Response and remediation
+
+- Isolate the affected system from the network immediately to prevent further lateral movement by the adversary.
+- Terminate any suspicious processes associated with the unauthorized loading of mstscax.dll to halt potential malicious activities.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software.
+- Review and analyze the system and network logs to identify any other systems that may have been accessed or compromised by the adversary.
+- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
+- Implement network segmentation to limit the ability of adversaries to move laterally within the network in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been affected."""
 references = [
 "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
 "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
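Review bot: The investigation step "Investigate the network connections associated with the process" gives the analyst no pivot: judging by the index pattern in the hunk header (`logs-endpoint.events.library-*`), the alert document is a library-load event and carries no network data of its own. Suggest rewording that bullet to name the pivot, e.g. `- Investigate network connections made by the same process (pivot on the process identifier carried by the alert) to identify any suspicious remote connections or lateral movement attempts.` The text is otherwise moved verbatim from the end of the file, so no other content changes in this hunk.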
@@ -69,40 +101,6 @@ any where host.os.type == "windows" and "?:\\Windows\\System32\\hvsirdpclient.exe" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious RDP ActiveX Client Loaded - -The Remote Desktop Services ActiveX Client, mstscax.dll, facilitates remote desktop connections, enabling users to access and control other systems. Adversaries may exploit this by loading the DLL in unauthorized contexts to move laterally within a network. The detection rule identifies unusual loading of mstscax.dll outside typical system paths, flagging potential misuse indicative of lateral movement attempts. - -### Possible investigation steps - -- Review the process executable path to determine if mstscax.dll was loaded from an unusual or unauthorized location, as specified in the query. -- Check the associated process and user context to identify who initiated the process and whether it aligns with expected behavior or known user activity. -- Investigate the network connections associated with the process to identify any suspicious remote connections or lateral movement attempts. -- Examine recent login events and RDP session logs for the involved user account to detect any unauthorized access or anomalies. -- Correlate the alert with other security events or logs to identify potential patterns or related suspicious activities within the network. - -### False positive analysis - -- Legitimate administrative tools or scripts that load mstscax.dll from non-standard paths may trigger false positives. To mitigate this, identify and document these tools, then add their paths to the exclusion list in the detection rule. 
-- Software updates or installations that temporarily load mstscax.dll from unusual locations can cause false alerts. Monitor and log these activities, and consider excluding these paths if they are consistently flagged during known update periods. -- Virtualization software or sandbox environments that use mstscax.dll for legitimate purposes might be flagged. Verify the use of such software and exclude their executable paths from the rule to prevent unnecessary alerts. -- Custom user scripts or automation tasks that involve remote desktop functionalities may load mstscax.dll in unexpected ways. Review these scripts and, if deemed safe, add their execution paths to the exclusion list to reduce noise. -- Network drive mappings or shared folders that involve remote desktop components could lead to false positives. Ensure these are part of regular operations and exclude their paths if they are frequently flagged without malicious intent. - -### Response and remediation - -- Isolate the affected system from the network immediately to prevent further lateral movement by the adversary. -- Terminate any suspicious processes associated with the unauthorized loading of mstscax.dll to halt potential malicious activities. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software. -- Review and analyze the system and network logs to identify any other systems that may have been accessed or compromised by the adversary. -- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access. -- Implement network segmentation to limit the ability of adversaries to move laterally within the network in the future. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been affected.""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml index 805ca9ee9..a85445567 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_children.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml index 6518800cb..d6fab3b87 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/17" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index 51f0b83aa..a74ff41d1 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,41 +11,17 @@ Identifies suspicious file creations in the startup folder of a remote system. A laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. """ from = "now-9m" -index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.file-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Lateral Movement via Startup Folder" -references = [ - "https://www.mdsec.co.uk/2017/06/rdpinception/", - "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language", -] -risk_score = 73 -rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type in ("creation", "change") and - - /* via RDP TSClient mounted share or SMB */ - (process.name : "mstsc.exe" or process.pid == 4) and - - file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", - "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,6 +56,37 @@ The Windows Startup folder is a mechanism that allows programs to run automatica - Review and reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for RDP and SMB activities, focusing on unusual file creation events in Startup folders, to improve detection of similar threats in the future.""" +references = [ + "https://www.mdsec.co.uk/2017/06/rdpinception/", + "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language", +] +risk_score = 73 +rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type in ("creation", "change") and + + /* via RDP TSClient mounted share or SMB */ + (process.name : "mstsc.exe" or process.pid == 4) and + + file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") +''' [[rule.threat]] diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml index 0b3bbc358..22ecd3dc5 100644 --- a/rules/windows/lateral_movement_via_wsus_update.toml +++ b/rules/windows/lateral_movement_via_wsus_update.toml 
@@ -1,10 +1,8 @@ [metadata] creation_date = "2024/07/19" -integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] +integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -27,35 +25,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Potential WSUS Abuse for Lateral Movement" -references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"] -risk_score = 47 -rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Windows Security Event Logs", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and -process.executable : ( - "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*", - "\\Device\\HarddiskVolume?\\Windows\\SoftwareDistribution\\Download\\Install\\*" -) and -(process.name : "psexec64.exe" or ?process.pe.original_file_name : "psexec.c") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -90,6 +59,35 @@ Windows Server Update Services (WSUS) is a system that manages updates for Micro - Reset credentials for any accounts that may have been compromised or used in the lateral movement attempt, especially those with administrative privileges. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been affected. - Implement enhanced monitoring and logging for WSUS activities and PsExec executions to detect and respond to similar threats more effectively in the future.""" +references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"] +risk_score = 47 +rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Windows Security Event Logs", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and +process.executable : ( + "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*", + "\\Device\\HarddiskVolume?\\Windows\\SoftwareDistribution\\Download\\Install\\*" +) and +(process.name : "psexec64.exe" or ?process.pe.original_file_name : "psexec.c") +''' [[rule.threat]] diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml index dd5de2c05..d7302c194 100644 --- a/rules/windows/persistence_ad_adminsdholder.toml +++ b/rules/windows/persistence_ad_adminsdholder.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/01/31" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -20,29 +18,6 @@ index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"] language = "kuery" license = "Elastic License v2" name = "AdminSDHolder Backdoor" -references = [ - "https://adsecurity.org/?p=1906", - "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder", -] -risk_score = 73 -rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System* -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -78,6 +53,29 @@ The AdminSDHolder object in Active Directory is crucial for maintaining consiste - Implement additional monitoring on the AdminSDHolder object and other critical Active Directory objects to detect any future unauthorized modifications promptly. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach, including identifying any other compromised systems or accounts. - Review and update access control policies and security configurations to prevent similar attacks, ensuring that only authorized personnel have the ability to modify critical Active Directory objects.""" +references = [ + "https://adsecurity.org/?p=1906", + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder", +] +risk_score = 73 +rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System* +''' [[rule.threat]] diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 9861af7bf..119541284 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/03" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -36,7 +34,14 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu author = ["Elastic"] description = "Detects writing executable files that will be automatically launched by Adobe on launch." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Adobe Hijack Persistence" @@ -101,7 +106,18 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", +] timestamp_override = "event.ingested" type = "eql" 
@@ -115,6 +131,11 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -124,11 +145,6 @@ id = "T1574.010" name = "Services File Permissions Weakness" reference = "https://attack.mitre.org/techniques/T1574/010/" -[[rule.threat.technique]] -id = "T1554" -name = "Compromise Host Software Binary" -reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml index caae92210..67b2e1804 100644 --- a/rules/windows/persistence_app_compat_shim.toml +++ b/rules/windows/persistence_app_compat_shim.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,42 +11,17 @@ Identifies the installation of custom Application Compatibility Shim databases. abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = [ + "logs-endpoint.events.registry-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "Installation of Custom Shim Databases" -risk_score = 47 -rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and - registry.path : ( - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb", - "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb", - "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb" - ) and - not process.executable : - ("?:\\Program Files (x86)\\DesktopCentral_Agent\\swrepository\\1\\swuploads\\SAP-SLC\\SAPSetupSLC02_14-80001954\\Setup\\NwSapSetup.exe", - "?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe", - "?:\\Program Files (x86)\\SAP\\SAPsetup\\setup\\NwSapSetup.exe", - "?:\\Program Files (x86)\\SAP\\SapSetup\\OnRebootSvc\\NWSAPSetupOnRebootInstSvc.exe", - "?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for 
Windows Server\\kavfs.exe") -''' note = """## Triage and analysis > **Disclaimer**: @@ -84,6 +57,38 @@ Application Compatibility Shim databases are used in Windows to ensure older app - Review and restore any altered system configurations or files to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the specified registry paths and associated processes to detect and respond to similar threats in the future.""" +risk_score = 47 +rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and + registry.path : ( + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb", + "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb" + ) and + not process.executable : + ("?:\\Program Files (x86)\\DesktopCentral_Agent\\swrepository\\1\\swuploads\\SAP-SLC\\SAPSetupSLC02_14-80001954\\Setup\\NwSapSetup.exe", + "?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe", + "?:\\Program Files (x86)\\SAP\\SAPsetup\\setup\\NwSapSetup.exe", + "?:\\Program Files (x86)\\SAP\\SapSetup\\OnRebootSvc\\NWSAPSetupOnRebootInstSvc.exe", + "?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows Server\\kavfs.exe") +''' [[rule.threat]] 
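Review bot: The `not process.executable : (...)` allowlist in the relocated `query` excludes events on the writer's path alone, with a `?:` wildcard drive, so any process started from one of those paths is suppressed regardless of its signer; where the configured sources carry signer metadata, pairing the path with a signer condition such as `not (process.executable : (...) and process.code_signature.trusted == true)` would keep the false-positive suppression while narrowing the blind spot. Whether every listed data source populates `process.code_signature.*` is not visible here, so the check may need a presence fallback. The hunk only moves this block below `note`; the logic is unchanged from the removed side.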
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 6a6a98051..aedea1b29 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,33 +11,17 @@ Detects attempts to maintain persistence by creating registry keys using AppCert process using the common API functions to create processes. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Registry Persistence via AppCert DLL" -risk_score = 47 -rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. 
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and - registry.path : ( - "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", - "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", - "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -75,6 +57,41 @@ AppCert DLLs are dynamic link libraries that can be configured to load with ever - Review and restore any system files or configurations that may have been altered by the malicious DLLs to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the specific registry paths and related process creation activities to detect any future unauthorized changes promptly.""" +risk_score = 47 +rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7" +setup = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and + registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", + "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*" + ) +''' [[rule.threat]] 
@@ -94,7 +111,6 @@ reference = "https://attack.mitre.org/techniques/T1546/009/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index b0ae3c893..40d0f0740 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -2,16 +2,14 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve AppInit Registry Value"
 query = """
-SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' or
-r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows') and r.name ==
+SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows'
+or r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows') and r.name ==
 'AppInit_DLLs'
 """
 
@@ -50,7 +48,14 @@ Attackers who add those DLLs to the registry locations can execute code with ele injection, and provide a solid and constant persistence on the machine. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Registry Persistence via AppInit DLL" @@ -110,7 +115,19 @@ This rule identifies modifications on the AppInit registry keys. risk_score = 47 rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", +] timestamp_override = "event.ingested" type = "eql" @@ -154,9 +171,6 @@ reference = "https://attack.mitre.org/techniques/T1546/010/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -164,6 +178,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index b48764334..6a2a027a9 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -19,11 +17,45 @@ index = [ "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*", "winlogbeat-*", - "endgame-*" + "endgame-*", ] language = "eql" license = "Elastic License v2" name = "Browser Extension Install" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Browser Extension Install +Browser extensions enhance functionality in web browsers but can be exploited by adversaries to gain persistence or execute malicious activities. Attackers may disguise harmful extensions as legitimate or use compromised systems to install them. The detection rule identifies suspicious extension installations by monitoring file creation events in typical extension directories, filtering out known safe processes, and focusing on Windows environments. + +### Possible investigation steps + +- Review the file creation event details to identify the specific browser extension file (e.g., .xpi or .crx) and its path to determine if it aligns with known malicious patterns or locations. +- Check the process that initiated the file creation event, especially if it is not a known safe process like firefox.exe, to assess if it is a legitimate application or potentially malicious. +- Investigate the user account associated with the file creation event to determine if the activity is expected or if the account may have been compromised. +- Examine recent system activity and logs for any signs of social engineering attempts or unauthorized access that could have led to the installation of the extension. +- Cross-reference the extension file name and path with threat intelligence sources to identify if it is associated with known malicious browser extensions. 
+- If applicable, review the browser's extension management interface to verify the presence and legitimacy of the installed extension. + +### False positive analysis + +- Language pack installations for Firefox can trigger false positives. Exclude files named "langpack-*@firefox.mozilla.org.xpi" from detection to prevent unnecessary alerts. +- Dictionary add-ons for Firefox may also be flagged. Add exceptions for files named "*@dictionaries.addons.mozilla.org.xpi" to reduce false positives. +- Regular updates or installations of legitimate browser extensions from trusted sources can be mistaken for malicious activity. Maintain a list of trusted processes and paths to exclude from monitoring. +- User-initiated installations from official browser stores might be flagged. Educate users on safe installation practices and consider excluding known safe processes like "firefox.exe" when associated with legitimate extension paths. +- Frequent installations in enterprise environments due to software deployment tools can cause alerts. Coordinate with IT to identify and exclude these routine activities from detection. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers. +- Terminate any suspicious processes associated with the unauthorized browser extension installation, such as unknown or unexpected instances of browser processes. +- Remove the malicious browser extension by deleting the associated files from the extension directories identified in the alert. +- Conduct a full antivirus and anti-malware scan on the affected system to identify and remove any additional threats or remnants of the malicious extension. +- Review and reset browser settings to default to ensure no residual configurations or settings are left by the malicious extension. 
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Implement application whitelisting to prevent unauthorized browser extensions from being installed in the future, focusing on the directories and file types identified in the detection query.""" risk_score = 21 rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379" severity = "low" 
@@ -62,40 +94,6 @@ file where host.os.type == "windows" and event.type : "creation" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Browser Extension Install -Browser extensions enhance functionality in web browsers but can be exploited by adversaries to gain persistence or execute malicious activities. Attackers may disguise harmful extensions as legitimate or use compromised systems to install them. The detection rule identifies suspicious extension installations by monitoring file creation events in typical extension directories, filtering out known safe processes, and focusing on Windows environments. - -### Possible investigation steps - -- Review the file creation event details to identify the specific browser extension file (e.g., .xpi or .crx) and its path to determine if it aligns with known malicious patterns or locations. -- Check the process that initiated the file creation event, especially if it is not a known safe process like firefox.exe, to assess if it is a legitimate application or potentially malicious. -- Investigate the user account associated with the file creation event to determine if the activity is expected or if the account may have been compromised. -- Examine recent system activity and logs for any signs of social engineering attempts or unauthorized access that could have led to the installation of the extension. -- Cross-reference the extension file name and path with threat intelligence sources to identify if it is associated with known malicious browser extensions. -- If applicable, review the browser's extension management interface to verify the presence and legitimacy of the installed extension. 
- -### False positive analysis - -- Language pack installations for Firefox can trigger false positives. Exclude files named "langpack-*@firefox.mozilla.org.xpi" from detection to prevent unnecessary alerts. -- Dictionary add-ons for Firefox may also be flagged. Add exceptions for files named "*@dictionaries.addons.mozilla.org.xpi" to reduce false positives. -- Regular updates or installations of legitimate browser extensions from trusted sources can be mistaken for malicious activity. Maintain a list of trusted processes and paths to exclude from monitoring. -- User-initiated installations from official browser stores might be flagged. Educate users on safe installation practices and consider excluding known safe processes like "firefox.exe" when associated with legitimate extension paths. -- Frequent installations in enterprise environments due to software deployment tools can cause alerts. Coordinate with IT to identify and exclude these routine activities from detection. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Terminate any suspicious processes associated with the unauthorized browser extension installation, such as unknown or unexpected instances of browser processes. -- Remove the malicious browser extension by deleting the associated files from the extension directories identified in the alert. -- Conduct a full antivirus and anti-malware scan on the affected system to identify and remove any additional threats or remnants of the malicious extension. -- Review and reset browser settings to default to ensure no residual configurations or settings are left by the malicious extension. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. 
-- Implement application whitelisting to prevent unauthorized browser extensions from being installed in the future, focusing on the directories and file types identified in the detection query."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index e5bbdceaf..b3b801c29 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index 715040646..37d50c275 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,14 @@ sometimes done by attackers to increase access to a system and avoid appearing i
 the net users command.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.registry-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of a Hidden Local User Account"
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 94f25c785..915e9d780 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,10 +11,51 @@ The Debugger and SilentProcessExit registry keys can allow an adversary to inter different process to be executed. This functionality can be abused by an adversary to establish persistence. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Image File Execution Options Injection" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Image File Execution Options Injection + +Image File Execution Options (IFEO) is a Windows feature allowing developers to debug applications by specifying an alternative executable to run. Adversaries exploit this by setting a debugger to execute malicious code instead, achieving persistence or evasion. The detection rule identifies changes to specific registry keys associated with IFEO, flagging potential misuse by monitoring for unexpected executables being set as debuggers. + +### Possible investigation steps + +- Review the registry path and value that triggered the alert to identify the specific executable or process being targeted for debugging or monitoring. +- Check the registry.data.strings field to determine the unexpected executable set as a debugger or monitor process, and assess its legitimacy. 
+- Investigate the origin and purpose of the executable found in the registry.data.strings by checking its file properties, digital signature, and any associated metadata. +- Correlate the alert with recent system or user activity to identify any suspicious behavior or changes that coincide with the registry modification. +- Examine the system for additional indicators of compromise, such as unusual network connections, file modifications, or other registry changes, to assess the scope of potential malicious activity. +- Consult threat intelligence sources to determine if the identified executable or behavior is associated with known malware or threat actors. + +### False positive analysis + +- ThinKiosk and PSAppDeployToolkit are known to trigger false positives due to their legitimate use of the Debugger registry key. Users can mitigate this by adding exceptions for these applications in the detection rule. +- Regularly review and update the list of exceptions to include any new legitimate applications that may use the Debugger or MonitorProcess registry keys for valid purposes. +- Monitor the environment for any new software installations or updates that might interact with the IFEO registry keys and adjust the rule exceptions accordingly to prevent unnecessary alerts. +- Collaborate with IT and security teams to identify any internal tools or scripts that might be using these registry keys for legitimate reasons and ensure they are accounted for in the rule exceptions. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. +- Terminate any suspicious processes identified as being executed through the IFEO mechanism to halt any ongoing malicious activity. +- Revert any unauthorized changes to the registry keys associated with Image File Execution Options and SilentProcessExit to their default or intended state. 
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms. +- Review and restore any altered or deleted system files from a known good backup to ensure system integrity. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for registry changes related to IFEO to detect and respond to similar threats in the future.""" references = [ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", ] 
@@ -59,40 +98,6 @@ registry where host.os.type == "windows" and event.type == "change" and /* add FPs here */ not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Image File Execution Options Injection - -Image File Execution Options (IFEO) is a Windows feature allowing developers to debug applications by specifying an alternative executable to run. Adversaries exploit this by setting a debugger to execute malicious code instead, achieving persistence or evasion. The detection rule identifies changes to specific registry keys associated with IFEO, flagging potential misuse by monitoring for unexpected executables being set as debuggers. - -### Possible investigation steps - -- Review the registry path and value that triggered the alert to identify the specific executable or process being targeted for debugging or monitoring. -- Check the registry.data.strings field to determine the unexpected executable set as a debugger or monitor process, and assess its legitimacy. -- Investigate the origin and purpose of the executable found in the registry.data.strings by checking its file properties, digital signature, and any associated metadata. -- Correlate the alert with recent system or user activity to identify any suspicious behavior or changes that coincide with the registry modification. -- Examine the system for additional indicators of compromise, such as unusual network connections, file modifications, or other registry changes, to assess the scope of potential malicious activity. 
-- Consult threat intelligence sources to determine if the identified executable or behavior is associated with known malware or threat actors. - -### False positive analysis - -- ThinKiosk and PSAppDeployToolkit are known to trigger false positives due to their legitimate use of the Debugger registry key. Users can mitigate this by adding exceptions for these applications in the detection rule. -- Regularly review and update the list of exceptions to include any new legitimate applications that may use the Debugger or MonitorProcess registry keys for valid purposes. -- Monitor the environment for any new software installations or updates that might interact with the IFEO registry keys and adjust the rule exceptions accordingly to prevent unnecessary alerts. -- Collaborate with IT and security teams to identify any internal tools or scripts that might be using these registry keys for legitimate reasons and ensure they are accounted for in the rule exceptions. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Terminate any suspicious processes identified as being executed through the IFEO mechanism to halt any ongoing malicious activity. -- Revert any unauthorized changes to the registry keys associated with Image File Execution Options and SilentProcessExit to their default or intended state. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms. -- Review and restore any altered or deleted system files from a known good backup to ensure system integrity. -- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. 
-- Implement enhanced monitoring and logging for registry changes related to IFEO to detect and respond to similar threats in the future."""
 
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 56a73df37..2ee3ecadf 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/15"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +37,14 @@ Identifies suspicious startup shell folder modifications to change the default S
 detections monitoring file creation in the Windows Startup folder.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+    "logs-endpoint.events.registry-*",
+    "endgame-*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Startup Shell Folder Modification"
diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
index af54846d0..2898f609e 100644
--- a/rules/windows/persistence_group_modification_by_system.toml
+++ b/rules/windows/persistence_group_modification_by_system.toml
@@ -2,45 +2,21 @@ creation_date = "2024/06/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting -vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account. +vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain +account. """ from = "now-9m" index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Active Directory Group Modification by SYSTEM" -risk_score = 47 -rule_id = "6f024bde-7085-489b-8250-5957efdf1caf" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -iam where winlog.api == "wineventlog" and event.code == "4728" and -winlog.event_data.SubjectUserSid : "S-1-5-18" and - -/* DOMAIN_USERS and local groups */ -not group.id : "S-1-5-21-*-513" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -76,6 +52,29 @@ Active Directory (AD) is a critical component in Windows environments, managing - Apply security patches and updates to the domain controller to address any vulnerabilities that may have been exploited to gain SYSTEM privileges. - Monitor for any further suspicious activities or attempts to modify Active Directory groups, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the full scope of the breach.""" +risk_score = 47 +rule_id = "6f024bde-7085-489b-8250-5957efdf1caf" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +iam where winlog.api == "wineventlog" and event.code == "4728" and +winlog.event_data.SubjectUserSid : "S-1-5-18" and + +/* DOMAIN_USERS and local groups */ +not group.id : "S-1-5-21-*-513" +''' [[rule.threat]] @@ -90,7 +89,6 @@ reference = "https://attack.mitre.org/techniques/T1098/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml index d6ffe953c..e06210688 100644 --- a/rules/windows/persistence_local_scheduled_job_creation.toml +++ b/rules/windows/persistence_local_scheduled_job_creation.toml 
@@ -2,9 +2,7 @@
 creation_date = "2021/03/15"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,34 +12,17 @@ task scheduling functionality to facilitate initial or recurring execution of ma
 """
 false_positives = ["Legitimate scheduled jobs may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Scheduled Job Creation"
-risk_score = 47
-rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92"
-severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-file where host.os.type == "windows" and event.type != "deletion" and
- file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" and
- not (
- (
- process.executable : "?:\\Program Files\\CCleaner\\CCleaner64.exe" and
- file.path : "?:\\Windows\\Tasks\\CCleanerCrashReporting.job"
- ) or
- (
- process.executable : (
- "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe",
- "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe"
- ) and
- file.path : "?:\\Windows\\Tasks\\DCAgentUpdater.job"
- )
- )
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -76,6 +57,41 @@ Scheduled jobs in Windows environments allow tasks to be automated by executing - Review and audit other scheduled tasks on the system to ensure no additional unauthorized or suspicious jobs are present. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected. - Implement enhanced monitoring and alerting for scheduled job creation activities across the network to detect similar threats in the future, leveraging the specific query fields used in the detection rule.""" +risk_score = 47 +rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type != "deletion" and + file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" and + not ( + ( + process.executable : "?:\\Program Files\\CCleaner\\CCleaner64.exe" and + file.path : "?:\\Windows\\Tasks\\CCleanerCrashReporting.job" + ) or + ( + process.executable : ( + "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe", + "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe" + ) and + file.path : "?:\\Windows\\Tasks\\DCAgentUpdater.job" + ) + ) +''' [[rule.threat]] diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index d8d21c6d8..e0bda7e66 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml +++ b/rules/windows/persistence_local_scheduled_task_creation.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/04"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,41 @@ index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_ language = "eql" license = "Elastic License v2" name = "Local Scheduled Task Creation" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Local Scheduled Task Creation + +Scheduled tasks in Windows automate routine tasks, but adversaries exploit them for persistence, lateral movement, or privilege escalation. They may use command-line tools like `schtasks.exe` to create tasks under non-system accounts. The detection rule identifies suspicious task creation by monitoring specific processes and command-line arguments, excluding those initiated by system-level users, to flag potential misuse. + +### Possible investigation steps + +- Review the process entity ID to identify the parent process that initiated the scheduled task creation. This can provide context on whether the task was created by a legitimate application or a potentially malicious one. +- Examine the command-line arguments used with schtasks.exe, specifically looking for unusual or suspicious parameters that might indicate malicious intent, such as unexpected task names or execution paths. +- Check the user account associated with the task creation to determine if it is a non-system account and assess whether this account should have the capability to create scheduled tasks. +- Investigate the integrity level of the process to confirm it is not running with elevated privileges, which could indicate an attempt to bypass security controls. 
+- Correlate the event with other recent activities on the host, such as file modifications or network connections, to identify any patterns or additional indicators of compromise. +- Review the code signature of the initiating process to determine if it is trusted or untrusted, which can help assess the legitimacy of the process creating the task. + +### False positive analysis + +- Scheduled tasks created by legitimate administrative tools or scripts may trigger false positives. Users should identify and whitelist these known benign processes to prevent unnecessary alerts. +- Routine maintenance tasks initiated by IT departments, such as software updates or system checks, can be mistaken for suspicious activity. Exclude these tasks by specifying their unique process names or command-line arguments. +- Tasks created by trusted third-party applications for legitimate purposes might be flagged. Review and exclude these applications by verifying their code signatures and adding them to an exception list. +- Automated tasks set up by non-system accounts for regular operations, like backups or monitoring, can be misinterpreted. Document these tasks and exclude them based on their specific parameters or user accounts involved. +- Consider excluding tasks with a consistent and verified schedule that aligns with organizational policies, as these are less likely to be malicious. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. +- Terminate any suspicious scheduled tasks identified by the alert using Task Scheduler or command-line tools like schtasks.exe to stop further execution. +- Review and remove any unauthorized scheduled tasks created by non-system accounts to eliminate persistence mechanisms. 
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious artifacts. +- Analyze the user account involved in the task creation for signs of compromise, and reset credentials if necessary to prevent further unauthorized access. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for scheduled task creation events to detect similar threats in the future, ensuring alerts are configured to notify the appropriate teams promptly.""" references = [ "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2", 
@@ -54,41 +87,6 @@ sequence with maxspan=1m not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") ] by process.parent.entity_id ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Local Scheduled Task Creation - -Scheduled tasks in Windows automate routine tasks, but adversaries exploit them for persistence, lateral movement, or privilege escalation. They may use command-line tools like `schtasks.exe` to create tasks under non-system accounts. The detection rule identifies suspicious task creation by monitoring specific processes and command-line arguments, excluding those initiated by system-level users, to flag potential misuse. - -### Possible investigation steps - -- Review the process entity ID to identify the parent process that initiated the scheduled task creation. This can provide context on whether the task was created by a legitimate application or a potentially malicious one. -- Examine the command-line arguments used with schtasks.exe, specifically looking for unusual or suspicious parameters that might indicate malicious intent, such as unexpected task names or execution paths. -- Check the user account associated with the task creation to determine if it is a non-system account and assess whether this account should have the capability to create scheduled tasks. -- Investigate the integrity level of the process to confirm it is not running with elevated privileges, which could indicate an attempt to bypass security controls. 
-- Correlate the event with other recent activities on the host, such as file modifications or network connections, to identify any patterns or additional indicators of compromise. -- Review the code signature of the initiating process to determine if it is trusted or untrusted, which can help assess the legitimacy of the process creating the task. - -### False positive analysis - -- Scheduled tasks created by legitimate administrative tools or scripts may trigger false positives. Users should identify and whitelist these known benign processes to prevent unnecessary alerts. -- Routine maintenance tasks initiated by IT departments, such as software updates or system checks, can be mistaken for suspicious activity. Exclude these tasks by specifying their unique process names or command-line arguments. -- Tasks created by trusted third-party applications for legitimate purposes might be flagged. Review and exclude these applications by verifying their code signatures and adding them to an exception list. -- Automated tasks set up by non-system accounts for regular operations, like backups or monitoring, can be misinterpreted. Document these tasks and exclude them based on their specific parameters or user accounts involved. -- Consider excluding tasks with a consistent and verified schedule that aligns with organizational policies, as these are less likely to be malicious. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. -- Terminate any suspicious scheduled tasks identified by the alert using Task Scheduler or command-line tools like schtasks.exe to stop further execution. -- Review and remove any unauthorized scheduled tasks created by non-system accounts to eliminate persistence mechanisms. 
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious artifacts. -- Analyze the user account involved in the task creation for signs of compromise, and reset credentials if necessary to prevent further unauthorized access. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Implement enhanced monitoring and logging for scheduled task creation events to detect similar threats in the future, ensuring alerts are configured to notify the appropriate teams promptly.""" [[rule.threat]] diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index caa7c4dfb..f8f93d544 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml +++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index b85c80182..9dcb2d159 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml 
@@ -2,47 +2,23 @@ creation_date = "2020/10/16" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins." from = "now-9m" -index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.file-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Persistence via Microsoft Office AddIns" -references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"] -risk_score = 73 -rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type != "deletion" and - file.extension : ("wll","xll","ppa","ppam","xla","xlam") and - file.path : - ( - "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*", - "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*", - "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -78,6 +54,35 @@ Microsoft Office AddIns enhance productivity by allowing custom functionalities - Review and restore any altered system configurations or settings to their default state to ensure system integrity. - Monitor the affected system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further analysis and to determine if additional systems are affected.""" +references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"] +risk_score = 73 +rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type != "deletion" and + file.extension : ("wll","xll","ppa","ppam","xla","xlam") and + file.path : + ( + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*", + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*", + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" + ) +''' [[rule.threat]] diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index 5ce927e6f..52490e894 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml 
@@ -2,45 +2,24 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template." false_positives = ["A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."] from = "now-9m" -index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.file-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Persistence via Microsoft Outlook VBA" -references = [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", -] -risk_score = 47 -rule_id = "397945f3-d39a-4e6f-8bcb-9656c2031438" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type != "deletion" and - file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -77,6 +56,32 @@ Microsoft Outlook supports VBA scripting to automate tasks, which can be exploit - Conduct a full antivirus and antimalware scan on the affected endpoint using tools like Microsoft Defender for Endpoint to identify and remove any additional threats. - Review and update endpoint security policies to restrict unauthorized modifications to Outlook VBA files, leveraging application whitelisting or similar controls. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +references = [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", +] +risk_score = 47 +rule_id = "397945f3-d39a-4e6f-8bcb-9656c2031438" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type != "deletion" and + file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM" +''' [[rule.threat]] diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index fb537f2b6..d7332d146 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml 
@@ -2,9 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,40 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "KRBTGT Delegation Backdoor" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating KRBTGT Delegation Backdoor + +In Active Directory, the KRBTGT account is crucial for Kerberos ticket granting. Adversaries may exploit this by altering the msDS-AllowedToDelegateTo attribute, enabling unauthorized ticket requests and persistent domain access. The detection rule identifies such modifications by monitoring specific event actions and codes, flagging high-risk changes to the KRBTGT delegation settings. + +### Possible investigation steps + +- Review the event logs for the specific event code 4738 to identify the user account that was modified and verify if the msDS-AllowedToDelegateTo attribute includes the KRBTGT service. +- Investigate the user account that performed the modification by checking their recent activities and login history to determine if the action was authorized or suspicious. +- Examine the timeline of the modification event to correlate it with any other unusual activities or alerts in the network around the same time. +- Check for any other modifications to sensitive attributes or accounts in Active Directory that might indicate a broader compromise. +- Assess the potential impact on the domain by evaluating the access level and permissions of the modified account and any associated systems or services. 
+- Consult with the IT security team to determine if there are any known maintenance activities or changes that could explain the modification, ensuring it was not a legitimate administrative action. + +### False positive analysis + +- Routine administrative tasks involving legitimate changes to the msDS-AllowedToDelegateTo attribute for service accounts may trigger alerts. Review the context of the change and verify with the IT team if it aligns with scheduled maintenance or updates. +- Automated scripts or tools used for Active Directory management might modify delegation settings as part of their operations. Identify these scripts and exclude their activity from triggering alerts by creating exceptions based on the script's signature or the account used. +- Changes made by trusted third-party applications that require delegation for functionality can be mistaken for malicious activity. Document these applications and adjust the detection rule to exclude their known and expected behavior. +- Regular audits or compliance checks that involve modifications to delegation settings should be accounted for. Coordinate with audit teams to schedule these activities and temporarily adjust monitoring rules to prevent false positives during these periods. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or ticket requests using the KRBTGT account. +- Revert any unauthorized changes to the msDS-AllowedToDelegateTo attribute for the KRBTGT account by restoring it to its previous state using a known good backup or manually resetting the attribute. +- Reset the KRBTGT account password twice to invalidate any existing Kerberos tickets that may have been issued using the compromised delegation settings. +- Conduct a thorough review of recent changes to user accounts and delegation settings in Active Directory to identify any other potential unauthorized modifications. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the compromise. +- Implement enhanced monitoring for changes to critical accounts and attributes in Active Directory, focusing on the KRBTGT account and similar high-value targets. +- Review and update access controls and delegation permissions to ensure that only authorized personnel have the ability to modify sensitive attributes like msDS-AllowedToDelegateTo.""" references = [ "https://skyblue.team/posts/delegate-krbtgt", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md", 
@@ -56,40 +88,6 @@ type = "eql" query = ''' iam where event.code == "4738" and winlog.event_data.AllowedToDelegateTo : "*krbtgt*" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating KRBTGT Delegation Backdoor - -In Active Directory, the KRBTGT account is crucial for Kerberos ticket granting. Adversaries may exploit this by altering the msDS-AllowedToDelegateTo attribute, enabling unauthorized ticket requests and persistent domain access. The detection rule identifies such modifications by monitoring specific event actions and codes, flagging high-risk changes to the KRBTGT delegation settings. - -### Possible investigation steps - -- Review the event logs for the specific event code 4738 to identify the user account that was modified and verify if the msDS-AllowedToDelegateTo attribute includes the KRBTGT service. -- Investigate the user account that performed the modification by checking their recent activities and login history to determine if the action was authorized or suspicious. -- Examine the timeline of the modification event to correlate it with any other unusual activities or alerts in the network around the same time. -- Check for any other modifications to sensitive attributes or accounts in Active Directory that might indicate a broader compromise. -- Assess the potential impact on the domain by evaluating the access level and permissions of the modified account and any associated systems or services. -- Consult with the IT security team to determine if there are any known maintenance activities or changes that could explain the modification, ensuring it was not a legitimate administrative action. 
- -### False positive analysis - -- Routine administrative tasks involving legitimate changes to the msDS-AllowedToDelegateTo attribute for service accounts may trigger alerts. Review the context of the change and verify with the IT team if it aligns with scheduled maintenance or updates. -- Automated scripts or tools used for Active Directory management might modify delegation settings as part of their operations. Identify these scripts and exclude their activity from triggering alerts by creating exceptions based on the script's signature or the account used. -- Changes made by trusted third-party applications that require delegation for functionality can be mistaken for malicious activity. Document these applications and adjust the detection rule to exclude their known and expected behavior. -- Regular audits or compliance checks that involve modifications to delegation settings should be accounted for. Coordinate with audit teams to schedule these activities and temporarily adjust monitoring rules to prevent false positives during these periods. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or ticket requests using the KRBTGT account. -- Revert any unauthorized changes to the msDS-AllowedToDelegateTo attribute for the KRBTGT account by restoring it to its previous state using a known good backup or manually resetting the attribute. -- Reset the KRBTGT account password twice to invalidate any existing Kerberos tickets that may have been issued using the compromised delegation settings. -- Conduct a thorough review of recent changes to user accounts and delegation settings in Active Directory to identify any other potential unauthorized modifications. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the compromise. 
-- Implement enhanced monitoring for changes to critical accounts and attributes in Active Directory, focusing on the KRBTGT account and similar high-value targets. -- Review and update access controls and delegation permissions to ensure that only authorized personnel have the ability to modify sensitive attributes like msDS-AllowedToDelegateTo.""" [[rule.threat]] diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml index 508ccf74a..66781d5c4 100644 --- a/rules/windows/persistence_netsh_helper_dll.toml +++ b/rules/windows/persistence_netsh_helper_dll.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,36 +12,16 @@ functionality. Attackers may abuse this mechanism to execute malicious payloads which can be done by administrators or a scheduled task. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Netsh Helper DLL" -risk_score = 21 -rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and - registry.path : ( - "HKLM\\Software\\Microsoft\\netsh\\*", - "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*", - "MACHINE\\Software\\Microsoft\\netsh\\*" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -77,6 +55,32 @@ Netsh, a command-line utility in Windows, allows for network configuration and d - Review and restore any altered system configurations to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for registry changes related to Netsh Helper DLLs to detect similar threats in the future.""" +risk_score = 21 +rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and + registry.path : ( + "HKLM\\Software\\Microsoft\\netsh\\*", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*", + "MACHINE\\Software\\Microsoft\\netsh\\*" + ) +''' [[rule.threat]] diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml index d43d6d668..70d8729bf 100644 --- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -28,35 +26,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "New ActiveSyncAllowedDeviceID Added via PowerShell" -references = [ - "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", - "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps", -] -risk_score = 47 -rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Crowdstrike", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -92,6 +61,35 @@ ActiveSync is a protocol enabling mobile devices to synchronize with Exchange ma - Notify the security team and relevant stakeholders about the incident for further investigation and potential escalation. - Implement additional monitoring on the affected account and similar accounts for any unusual activity or further attempts to add unauthorized devices. - Review and update the organization's security policies and procedures related to mobile device access and PowerShell usage to prevent recurrence.""" +references = [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps", +] +risk_score = 47 +rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*" +''' [[rule.threat]] diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml index 429be36cb..a38642dfe 100644 --- a/rules/windows/persistence_powershell_profiles.toml +++ b/rules/windows/persistence_powershell_profiles.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/10/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -40,7 +38,14 @@ PowerShell starts to customize the user environment, which can be abused by atta PowerShell is common. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Persistence via PowerShell profile" diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index 6e23f13d3..8e79187f8 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -40,7 +38,13 @@ adversary can modify the way these programs are launched to get a command prompt system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", +] language = "eql" license = "Elastic License v2" name = "Potential Modification of Accessibility Binaries" diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml index bdfb1d871..477f80782 100644 --- a/rules/windows/persistence_registry_uncommon.toml +++ b/rules/windows/persistence_registry_uncommon.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,9 +15,44 @@ index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", language = "eql" license = "Elastic License v2" name = "Uncommon Registry Persistence Change" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Uncommon Registry Persistence Change + +Windows Registry is a critical system database storing configuration settings. Adversaries exploit registry keys for persistence, ensuring malicious code executes on startup or during specific events. The detection rule identifies unusual modifications to less commonly altered registry keys, which may indicate stealthy persistence attempts. It filters out benign changes by excluding known legitimate processes and paths, focusing on suspicious alterations. + +### Possible investigation steps + +- Review the specific registry path and value that triggered the alert to understand the context of the change and its potential impact on system behavior. +- Identify the process responsible for the registry modification by examining the process.name and process.executable fields, and determine if it is a known legitimate process or potentially malicious. +- Check the registry.data.strings field to see the new data or command being set in the registry key, and assess whether it aligns with known legitimate software or suspicious activity. +- Investigate the user account associated with the registry change by reviewing the HKEY_USERS path, if applicable, to determine if the change was made by an authorized user or an unexpected account. 
+- Correlate the alert with other recent events on the host, such as file modifications or network connections, to identify any additional indicators of compromise or related suspicious activity. +- Consult threat intelligence sources or databases to see if the registry path or process involved is associated with known malware or adversary techniques. + +### False positive analysis + +- Legitimate software installations or updates may modify registry keys for setup or configuration purposes. Users can create exceptions for known software paths like C:\\Program Files\\*.exe to reduce noise. +- System maintenance processes such as Windows Update might trigger changes in registry keys like SetupExecute. Exclude processes like TiWorker.exe and poqexec.exe when they match known update patterns. +- Administrative scripts or tools that automate system configurations can alter registry keys. Identify and exclude these scripts by their executable paths or process names to prevent false alerts. +- Security software, including antivirus or endpoint protection, may interact with registry keys for monitoring purposes. Exclude paths related to these tools, such as C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe, to avoid false positives. +- User-initiated changes through control panel settings or personalization options can affect registry keys like SCRNSAVE.EXE. Exclude common system paths like %windir%\\system32\\rundll32.exe user32.dll,LockWorkStation to minimize false detections. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread of potential malicious activity. +- Terminate any suspicious processes identified in the alert, particularly those not matching known legitimate executables or paths. +- Restore any altered registry keys to their original state using a known good backup or by manually resetting them to default values. 
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes. +- Review and update endpoint protection policies to ensure that similar registry changes are monitored and alerted on in the future. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases.""" references = [ -"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2", -"https://github.com/rad9800/BootExecuteEDR" + "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2", + "https://github.com/rad9800/BootExecuteEDR", ] risk_score = 47 rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80" 
@@ -116,41 +149,6 @@ registry where host.os.type == "windows" and event.type == "change" and ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Uncommon Registry Persistence Change - -Windows Registry is a critical system database storing configuration settings. Adversaries exploit registry keys for persistence, ensuring malicious code executes on startup or during specific events. The detection rule identifies unusual modifications to less commonly altered registry keys, which may indicate stealthy persistence attempts. It filters out benign changes by excluding known legitimate processes and paths, focusing on suspicious alterations. - -### Possible investigation steps - -- Review the specific registry path and value that triggered the alert to understand the context of the change and its potential impact on system behavior. -- Identify the process responsible for the registry modification by examining the process.name and process.executable fields, and determine if it is a known legitimate process or potentially malicious. -- Check the registry.data.strings field to see the new data or command being set in the registry key, and assess whether it aligns with known legitimate software or suspicious activity. -- Investigate the user account associated with the registry change by reviewing the HKEY_USERS path, if applicable, to determine if the change was made by an authorized user or an unexpected account. -- Correlate the alert with other recent events on the host, such as file modifications or network connections, to identify any additional indicators of compromise or related suspicious activity. 
-- Consult threat intelligence sources or databases to see if the registry path or process involved is associated with known malware or adversary techniques. - -### False positive analysis - -- Legitimate software installations or updates may modify registry keys for setup or configuration purposes. Users can create exceptions for known software paths like C:\\Program Files\\*.exe to reduce noise. -- System maintenance processes such as Windows Update might trigger changes in registry keys like SetupExecute. Exclude processes like TiWorker.exe and poqexec.exe when they match known update patterns. -- Administrative scripts or tools that automate system configurations can alter registry keys. Identify and exclude these scripts by their executable paths or process names to prevent false alerts. -- Security software, including antivirus or endpoint protection, may interact with registry keys for monitoring purposes. Exclude paths related to these tools, such as C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe, to avoid false positives. -- User-initiated changes through control panel settings or personalization options can affect registry keys like SCRNSAVE.EXE. Exclude common system paths like %windir%\\system32\\rundll32.exe user32.dll,LockWorkStation to minimize false detections. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread of potential malicious activity. -- Terminate any suspicious processes identified in the alert, particularly those not matching known legitimate executables or paths. -- Restore any altered registry keys to their original state using a known good backup or by manually resetting them to default values. -- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes. 
-- Review and update endpoint protection policies to ensure that similar registry changes are monitored and alerted on in the future. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. -- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases.""" [[rule.threat]] diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml index a60cd2a8e..e3968f798 100644 --- a/rules/windows/persistence_remote_password_reset.toml +++ b/rules/windows/persistence_remote_password_reset.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/18" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml index 9c3d573ec..5152e42de 100644 --- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml +++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,41 +15,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_ language = "eql" license = "Elastic License v2" name = "Execution of Persistent Suspicious Program" -risk_score = 47 -rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ -sequence by host.id, user.name with maxspan=1m - [process where host.os.type == "windows" and event.type == "start" and process.name : "userinit.exe" and process.parent.name : "winlogon.exe"] - [process where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe"] - [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "explorer.exe" and - /* add suspicious programs here */ - process.pe.original_file_name in ("cscript.exe", - "wscript.exe", - "PowerShell.EXE", - "MSHTA.EXE", - "RUNDLL32.EXE", - "REGSVR32.EXE", - "RegAsm.exe", - "MSBuild.exe", - "InstallUtil.exe") and - /* add potential suspicious paths here */ - process.args : ("C:\\Users\\*", "C:\\ProgramData\\*", "C:\\Windows\\Temp\\*", "C:\\Windows\\Tasks\\*", "C:\\PerfLogs\\*", "C:\\Intel\\*") - ] -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -87,6 +50,41 @@ Persistent programs, like scripts or rundll32, are often used by adversaries to - Review and restore any modified system configurations or registry settings to their default or secure state. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the affected host and similar systems to detect any recurrence or related suspicious activities.""" +risk_score = 47 +rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ +sequence by host.id, user.name with maxspan=1m + [process where host.os.type == "windows" and event.type == "start" and process.name : "userinit.exe" and process.parent.name : "winlogon.exe"] + [process where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe"] + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "explorer.exe" and + /* add suspicious programs here */ + process.pe.original_file_name in ("cscript.exe", + "wscript.exe", + "PowerShell.EXE", + "MSHTA.EXE", + "RUNDLL32.EXE", + "REGSVR32.EXE", + "RegAsm.exe", + "MSBuild.exe", + "InstallUtil.exe") and + /* add potential suspicious paths here */ + process.args : ("C:\\Users\\*", "C:\\ProgramData\\*", "C:\\Windows\\Temp\\*", "C:\\Windows\\Tasks\\*", "C:\\PerfLogs\\*", "C:\\Intel\\*") + ] +''' [[rule.threat]] 
diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml index 8c9afca38..fe8ba2e6a 100644 --- a/rules/windows/persistence_scheduled_task_creation_winlog.toml +++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -18,39 +16,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "A scheduled task was created" -references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"] -risk_score = 21 -rule_id = "92a6faf5-78ec-4e25-bea1-73bacc9b59d9" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -iam where event.action == "scheduled-task-created" and - - /* excluding tasks created by the computer account */ - not user.name : "*$" and - - /* TaskContent is not parsed, exclude by full taskname noisy ones */ - not winlog.event_data.TaskName : ( - "\\CreateExplorerShellUnelevatedTask", - "\\Hewlett-Packard\\HPDeviceCheck", - "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker", - "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker_backup", - "\\Hewlett-Packard\\HP Web Products Detection", - "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload", - "\\OneDrive Standalone Update Task-S-1-5-21*", - "\\OneDrive Standalone Update Task-S-1-12-1-*" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -84,6 +49,39 @@ Scheduled tasks in Windows automate routine tasks, enhancing efficiency. However - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Monitor the system and network for any signs of re-infection or further unauthorized scheduled task creation. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"] +risk_score = 21 +rule_id = "92a6faf5-78ec-4e25-bea1-73bacc9b59d9" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +iam where event.action == "scheduled-task-created" and + + /* excluding tasks created by the computer account */ + not user.name : "*$" and + + /* TaskContent is not parsed, exclude by full taskname noisy ones */ + not winlog.event_data.TaskName : ( + "\\CreateExplorerShellUnelevatedTask", + "\\Hewlett-Packard\\HPDeviceCheck", + "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker", + "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker_backup", + "\\Hewlett-Packard\\HP Web Products Detection", + "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload", + "\\OneDrive Standalone Update Task-S-1-5-21*", + "\\OneDrive Standalone Update Task-S-1-12-1-*" + ) +''' [[rule.threat]] diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml index 5efd12e48..e563b6a34 100644 --- a/rules/windows/persistence_scheduled_task_updated.toml +++ b/rules/windows/persistence_scheduled_task_updated.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -19,6 +17,39 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "A scheduled task was updated" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating A scheduled task was updated + +Scheduled tasks in Windows automate routine tasks, enhancing efficiency. However, adversaries exploit this by modifying tasks to maintain persistence, often altering legitimate tasks to evade detection. The detection rule identifies suspicious updates by filtering out benign changes, such as those by system accounts or known safe tasks, focusing on anomalies that suggest malicious intent. + +### Possible investigation steps + +- Review the event logs to identify the specific scheduled task that was updated, focusing on the winlog.event_data.TaskName field to determine if it matches any known malicious patterns. +- Investigate the user account associated with the update by examining the user.name field to ensure it is not a compromised account or an unauthorized user. +- Check the winlog.event_data.SubjectUserSid field to verify if the update was made by a system account or a potentially malicious user, as system accounts like S-1-5-18, S-1-5-19, and S-1-5-20 are typically benign. +- Analyze the history of changes to the scheduled task to identify any unusual or unauthorized modifications that could indicate persistence mechanisms. +- Correlate the scheduled task update with other security events or alerts to determine if it is part of a broader attack pattern or campaign. + +### False positive analysis + +- Scheduled tasks updated by system accounts can be false positives. 
Exclude updates made by system accounts by filtering out user names ending with a dollar sign. +- Legitimate Microsoft tasks often update automatically. Exclude tasks with names containing "Microsoft" to reduce noise from these updates. +- Commonly updated tasks like User Feed Synchronization and OneDrive Reporting are typically benign. Exclude these specific task names to avoid unnecessary alerts. +- Tasks updated by well-known service SIDs such as S-1-5-18, S-1-5-19, and S-1-5-20 are generally safe. Exclude these SIDs to prevent false positives from routine system operations. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement. +- Review the specific scheduled task that was updated to determine if it was altered by an unauthorized user or process. Revert any unauthorized changes to their original state. +- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious software that may have been introduced. +- Analyze the user account that made the changes to the scheduled task. If the account is compromised, reset the password and review recent activities for further signs of compromise. +- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized scheduled task updates or related suspicious activities. +- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign. +- Review and update access controls and permissions related to scheduled tasks to ensure only authorized personnel can make changes, reducing the risk of future unauthorized modifications.""" references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"] risk_score = 47 rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb" 
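Review bot: The `references` entry that directly follows the new note still points at the event-4698 article, which documents "A scheduled task was created" and is the same link used by persistence_scheduled_task_creation_winlog.toml, while this rule keys on `event.action == "scheduled-task-updated"`. Since the investigation guide is being added right above it and discusses `winlog.event_data.TaskName` and `winlog.event_data.SubjectUserSid`, this is a good moment to replace or supplement that link with the article for the task-updated audit event (4702), so an analyst following the reference lands on the event the rule actually matches. The line is context in this hunk, so the fix is a one-line edit to `references = [...]`.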
@@ -55,39 +86,6 @@ iam where event.action == "scheduled-task-updated" and "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating A scheduled task was updated - -Scheduled tasks in Windows automate routine tasks, enhancing efficiency. However, adversaries exploit this by modifying tasks to maintain persistence, often altering legitimate tasks to evade detection. The detection rule identifies suspicious updates by filtering out benign changes, such as those by system accounts or known safe tasks, focusing on anomalies that suggest malicious intent. - -### Possible investigation steps - -- Review the event logs to identify the specific scheduled task that was updated, focusing on the winlog.event_data.TaskName field to determine if it matches any known malicious patterns. -- Investigate the user account associated with the update by examining the user.name field to ensure it is not a compromised account or an unauthorized user. -- Check the winlog.event_data.SubjectUserSid field to verify if the update was made by a system account or a potentially malicious user, as system accounts like S-1-5-18, S-1-5-19, and S-1-5-20 are typically benign. -- Analyze the history of changes to the scheduled task to identify any unusual or unauthorized modifications that could indicate persistence mechanisms. -- Correlate the scheduled task update with other security events or alerts to determine if it is part of a broader attack pattern or campaign. 
- -### False positive analysis - -- Scheduled tasks updated by system accounts can be false positives. Exclude updates made by system accounts by filtering out user names ending with a dollar sign. -- Legitimate Microsoft tasks often update automatically. Exclude tasks with names containing "Microsoft" to reduce noise from these updates. -- Commonly updated tasks like User Feed Synchronization and OneDrive Reporting are typically benign. Exclude these specific task names to avoid unnecessary alerts. -- Tasks updated by well-known service SIDs such as S-1-5-18, S-1-5-19, and S-1-5-20 are generally safe. Exclude these SIDs to prevent false positives from routine system operations. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement. -- Review the specific scheduled task that was updated to determine if it was altered by an unauthorized user or process. Revert any unauthorized changes to their original state. -- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious software that may have been introduced. -- Analyze the user account that made the changes to the scheduled task. If the account is compromised, reset the password and review recent activities for further signs of compromise. -- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized scheduled task updates or related suspicious activities. -- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign. -- Review and update access controls and permissions related to scheduled tasks to ensure only authorized personnel can make changes, reducing the risk of future unauthorized modifications.""" [[rule.threat]] 
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index b250f6fd2..49f8e1171 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml
index dde825ba0..951e473b9 100644
--- a/rules/windows/persistence_service_windows_service_winlog.toml
+++ b/rules/windows/persistence_service_windows_service_winlog.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 45a0fd20e..6543ddd85 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
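Review bot: Removing `min_stack_version = "8.14.0"` and its `min_stack_comments` line erases the only record that this rule's Windows integration fields changed incompatibly at 8.14.0, and the hunk adds nothing in its place. That is only safe if no branch below 8.14 is still built from these rules, which I take to be the intent of this commit but cannot confirm from the hunk. I would leave a breadcrumb under `maturity`, e.g. `# Needs the 8.14.0+ Windows integration schema; the per-rule min_stack_version pin was dropped once older branches left support.`, so a field-mapping failure on an old stack stays bisectable. The same removal is repeated in the other `@@ -2,9 +2,7 @@` hunks of this diff.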
@@ -14,10 +12,52 @@ could be an indication of an adversary attempting to stealthily persist through modification of an existing service. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Unusual Persistence via Services Registry" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Persistence via Services Registry + +Windows services are crucial for running background processes. Adversaries may exploit this by directly altering service registry keys to maintain persistence, bypassing standard APIs. The detection rule identifies such anomalies by monitoring changes to specific registry paths and filtering out legitimate processes, thus highlighting potential unauthorized service modifications indicative of malicious activity. + +### Possible investigation steps + +- Review the specific registry paths and values that triggered the alert, focusing on "ServiceDLL" and "ImagePath" within the specified registry paths to identify any unauthorized or suspicious modifications. +- Examine the process responsible for the registry change, paying attention to the process name and executable path, to determine if it is a known legitimate process or potentially malicious. 
+- Cross-reference the process executable path against the list of known legitimate paths excluded in the query to ensure it is not a false positive. +- Investigate the historical behavior of the process and any associated files or network activity to identify patterns indicative of malicious intent or persistence mechanisms. +- Check for any recent changes or anomalies in the system's service configurations that could correlate with the registry modifications, indicating potential unauthorized service creation or alteration. +- Consult threat intelligence sources or databases to determine if the process or registry changes are associated with known malware or adversary techniques. + +### False positive analysis + +- Legitimate software installations or updates may modify service registry keys directly. Users can create exceptions for known software update processes by excluding their executables from the detection rule. +- System maintenance tools like Process Explorer may trigger false positives when they interact with service registry keys. Exclude these tools by adding their process names and paths to the exception list. +- Drivers installed by trusted hardware peripherals might alter service registry keys. Users should identify and exclude these driver paths if they are known to be safe and frequently updated. +- Custom enterprise applications that require direct registry modifications for service management can be excluded by specifying their executable paths in the rule exceptions. +- Regular system processes such as svchost.exe or services.exe are already excluded, but ensure any custom scripts or automation tools that mimic these processes are also accounted for in the exceptions. + +### Response and remediation + +- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious processes identified in the alert that are not part of legitimate applications or services. 
+- Restore the modified registry keys to their original state using a known good backup or by manually correcting the entries to ensure the integrity of the service configurations. +- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional malicious software or artifacts. +- Review and update endpoint protection policies to ensure that similar unauthorized registry modifications are detected and blocked in the future. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. +- Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases.""" risk_score = 21 rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49" severity = "low" 
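Review bot: The remediation bullet `Restore the modified registry keys to their original state ...` comes before any evidence capture, so the one artifact that identifies the implant — the rogue ImagePath/ServiceDLL value and the binary it points at — is overwritten before anyone has copied it. I would insert ahead of it: `- Record the current ServiceDLL/ImagePath value and collect (hash, copy) the file it references before reverting, so the payload can be analysed and hunted on other hosts.` The false-positive bullets also tell users to exclude tools by `process names and paths`; a name-only exception is satisfied by any renamed binary, so I would word it as full executable path plus, where the data source carries it, the code-signing subject. The query sits outside this hunk, so I cannot check the note's claim that svchost.exe and services.exe are already excluded.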
@@ -66,41 +106,6 @@ registry where host.os.type == "windows" and event.type == "change" and "?:\\Windows\\System32\\WaaSMedicAgent.exe" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Persistence via Services Registry - -Windows services are crucial for running background processes. Adversaries may exploit this by directly altering service registry keys to maintain persistence, bypassing standard APIs. The detection rule identifies such anomalies by monitoring changes to specific registry paths and filtering out legitimate processes, thus highlighting potential unauthorized service modifications indicative of malicious activity. - -### Possible investigation steps - -- Review the specific registry paths and values that triggered the alert, focusing on "ServiceDLL" and "ImagePath" within the specified registry paths to identify any unauthorized or suspicious modifications. -- Examine the process responsible for the registry change, paying attention to the process name and executable path, to determine if it is a known legitimate process or potentially malicious. -- Cross-reference the process executable path against the list of known legitimate paths excluded in the query to ensure it is not a false positive. -- Investigate the historical behavior of the process and any associated files or network activity to identify patterns indicative of malicious intent or persistence mechanisms. -- Check for any recent changes or anomalies in the system's service configurations that could correlate with the registry modifications, indicating potential unauthorized service creation or alteration. 
-- Consult threat intelligence sources or databases to determine if the process or registry changes are associated with known malware or adversary techniques. - -### False positive analysis - -- Legitimate software installations or updates may modify service registry keys directly. Users can create exceptions for known software update processes by excluding their executables from the detection rule. -- System maintenance tools like Process Explorer may trigger false positives when they interact with service registry keys. Exclude these tools by adding their process names and paths to the exception list. -- Drivers installed by trusted hardware peripherals might alter service registry keys. Users should identify and exclude these driver paths if they are known to be safe and frequently updated. -- Custom enterprise applications that require direct registry modifications for service management can be excluded by specifying their executable paths in the rule exceptions. -- Regular system processes such as svchost.exe or services.exe are already excluded, but ensure any custom scripts or automation tools that mimic these processes are also accounted for in the exceptions. - -### Response and remediation - -- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious processes identified in the alert that are not part of legitimate applications or services. -- Restore the modified registry keys to their original state using a known good backup or by manually correcting the entries to ensure the integrity of the service configurations. -- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional malicious software or artifacts. -- Review and update endpoint protection policies to ensure that similar unauthorized registry modifications are detected and blocked in the future. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. -- Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases.""" [[rule.threat]] diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index 8a9b9603c..603f51367 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -39,7 +37,14 @@ Identifies files written to or modified in the startup folder by commonly abused technique to maintain persistence. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Startup Persistence by a Suspicious Process" diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index 84bfe1d5a..2c10b53bf 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +37,14 @@ Identifies script engines creating files in the Startup folder, or the creation
 Adversaries may abuse this technique to maintain persistence in an environment.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistent Scripts in the Startup Directory"
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index 380f74446..fcea266ea 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index ddea5aed9..4744d64ba 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +13,41 @@ index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Execution via Scheduled Task" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Execution via Scheduled Task + +Scheduled tasks in Windows automate routine tasks, but adversaries exploit them for persistence and execution of malicious programs. By examining process lineage and command line usage, the detection rule identifies suspicious executions initiated by scheduled tasks. It flags known malicious executables and unusual file paths, while excluding benign processes, to pinpoint potential threats effectively. + +### Possible investigation steps + +- Review the process lineage to confirm the parent process is "svchost.exe" with arguments containing "Schedule" to verify the execution was initiated by a scheduled task. +- Examine the command line arguments and file paths of the suspicious process to identify any unusual or unauthorized file locations, such as those listed in the query (e.g., "C:\\Users\\*", "C:\\ProgramData\\*"). +- Check the original file name of the process against the list of known suspicious executables (e.g., "PowerShell.EXE", "Cmd.Exe") to determine if it matches any commonly abused binaries. +- Investigate the user context under which the process was executed, especially if it deviates from expected system accounts or known service accounts. +- Correlate the event with other security logs or alerts to identify any related suspicious activities or patterns that might indicate a broader attack campaign. 
+- Assess the risk and impact of the detected activity by considering the severity and risk score provided, and determine if immediate containment or remediation actions are necessary. + +### False positive analysis + +- Scheduled tasks running legitimate scripts or executables like cmd.exe or cscript.exe in system directories may trigger false positives. To manage this, create exceptions for these processes when they are executed from known safe directories such as C:\\Windows\\System32. +- PowerShell scripts executed by the system account (S-1-5-18) for administrative tasks can be mistakenly flagged. Exclude these by specifying exceptions for PowerShell executions with arguments like -File or -PSConsoleFile when run by the system account. +- Legitimate software installations or updates using msiexec.exe by the system account may be incorrectly identified as threats. Mitigate this by excluding msiexec.exe processes initiated by the system account. +- Regular maintenance tasks or scripts stored in common directories like C:\\ProgramData or C:\\Windows\\Temp might be flagged. Review these tasks and exclude known benign scripts or executables from these paths. +- Custom scripts or administrative tools that mimic suspicious executables (e.g., PowerShell.EXE, RUNDLL32.EXE) but are part of routine operations should be reviewed and excluded if verified as safe. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further spread of any potential malicious activity. +- Terminate any suspicious processes identified by the detection rule, especially those matching the flagged executables and paths. +- Conduct a thorough review of scheduled tasks on the affected system to identify and disable any unauthorized or suspicious tasks. +- Remove any malicious files or executables found in the suspicious paths listed in the detection rule. 
+- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for scheduled tasks and the flagged executables to detect similar threats in the future.""" references = [ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", ] 
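Review bot: The false-positive bullets advise adding exceptions for `powershell.exe` with `-File`/`-PSConsoleFile` and for `msiexec.exe` when run as S-1-5-18, but the query tail further down already contains exactly those exclusions, so the advice duplicates what exists and glosses over the blind spot it creates: a task running as SYSTEM that launches `powershell -File <script>` from one of the flagged paths is not alerted on. I would reword the bullet as `The rule already excludes powershell.exe -File/-PSConsoleFile and msiexec.exe when run as SYSTEM (S-1-5-18); SYSTEM-run tasks are a common persistence choice, so do not widen these exclusions without compensating coverage.` The bullet suggesting exceptions for cmd.exe/cscript.exe `from known safe directories such as C:\\Windows\\System32` also conflates where the binary lives with what it is told to run; the note itself says the flagged paths come from command-line arguments, so an exception keyed on the binary's directory would neutralise the rule. The query starts outside this hunk.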
@@ -73,41 +106,6 @@ process where host.os.type == "windows" and event.type == "start" and not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and not (process.name : "msiexec.exe" and user.id : "S-1-5-18") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Execution via Scheduled Task - -Scheduled tasks in Windows automate routine tasks, but adversaries exploit them for persistence and execution of malicious programs. By examining process lineage and command line usage, the detection rule identifies suspicious executions initiated by scheduled tasks. It flags known malicious executables and unusual file paths, while excluding benign processes, to pinpoint potential threats effectively. - -### Possible investigation steps - -- Review the process lineage to confirm the parent process is "svchost.exe" with arguments containing "Schedule" to verify the execution was initiated by a scheduled task. -- Examine the command line arguments and file paths of the suspicious process to identify any unusual or unauthorized file locations, such as those listed in the query (e.g., "C:\\Users\\*", "C:\\ProgramData\\*"). -- Check the original file name of the process against the list of known suspicious executables (e.g., "PowerShell.EXE", "Cmd.Exe") to determine if it matches any commonly abused binaries. -- Investigate the user context under which the process was executed, especially if it deviates from expected system accounts or known service accounts. 
-- Correlate the event with other security logs or alerts to identify any related suspicious activities or patterns that might indicate a broader attack campaign. -- Assess the risk and impact of the detected activity by considering the severity and risk score provided, and determine if immediate containment or remediation actions are necessary. - -### False positive analysis - -- Scheduled tasks running legitimate scripts or executables like cmd.exe or cscript.exe in system directories may trigger false positives. To manage this, create exceptions for these processes when they are executed from known safe directories such as C:\\Windows\\System32. -- PowerShell scripts executed by the system account (S-1-5-18) for administrative tasks can be mistakenly flagged. Exclude these by specifying exceptions for PowerShell executions with arguments like -File or -PSConsoleFile when run by the system account. -- Legitimate software installations or updates using msiexec.exe by the system account may be incorrectly identified as threats. Mitigate this by excluding msiexec.exe processes initiated by the system account. -- Regular maintenance tasks or scripts stored in common directories like C:\\ProgramData or C:\\Windows\\Temp might be flagged. Review these tasks and exclude known benign scripts or executables from these paths. -- Custom scripts or administrative tools that mimic suspicious executables (e.g., PowerShell.EXE, RUNDLL32.EXE) but are part of routine operations should be reviewed and excluded if verified as safe. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further spread of any potential malicious activity. -- Terminate any suspicious processes identified by the detection rule, especially those matching the flagged executables and paths. -- Conduct a thorough review of scheduled tasks on the affected system to identify and disable any unauthorized or suspicious tasks. 
-- Remove any malicious files or executables found in the suspicious paths listed in the detection rule. -- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. -- Implement enhanced monitoring and logging for scheduled tasks and the flagged executables to detect similar threats in the future.""" [[rule.threat]] diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index ff5705b38..2454a6a87 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,39 +11,17 @@ Identifies the creation of a suspicious ImagePath value. This could be an indica
 stealthily persist or escalate privileges through abnormal service creation.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "endgame-*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious ImagePath Service Creation"
-risk_score = 73
-rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.type == "change" and
- registry.value : "ImagePath" and
- registry.path : (
- "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
- "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
- ) and
- /* add suspicious registry ImagePath values here */
- registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -81,6 +57,35 @@ Windows services are crucial for running background processes. Adversaries explo - Review and restore any modified system files or configurations to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar registry changes and suspicious service creations to detect and respond to future threats promptly.""" +risk_score = 73 +rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and + registry.value : "ImagePath" and + registry.path : ( + "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath", + "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath" + ) and + /* add suspicious registry ImagePath values here */ + registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*") +''' [[rule.threat]] diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 2e166e46f..2a0d907bc 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [transform] [[transform.osquery]] @@ -27,6 +25,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -136,7 +135,6 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -147,6 +145,7 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index 968148866..5c5808caf 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,26 +16,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Temporarily Scheduled Task Creation"
-references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
-risk_score = 47
-rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
-type = "eql"
-
-query = '''
-sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m
- [iam where event.action == "scheduled-task-created" and not user.name : "*$"]
- [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -72,6 +50,26 @@ Scheduled tasks in Windows environments automate routine tasks, but adversaries
 - Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.
 - Implement additional monitoring and alerting for similar scheduled task activities to enhance detection and prevent recurrence of this threat."""
+references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
+risk_score = 47
+rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m
+ [iam where event.action == "scheduled-task-created" and not user.name : "*$"]
+ [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]
+'''
 [[rule.threat]]
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index 015261644..9b04b88b1 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -41,7 +39,14 @@ network devices or clients in the network. Time providers are implemented in the
 System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "endgame-*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Persistence via Time Provider Modification"
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index 7b45616a7..edcaee982 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic", "Skoetting"]
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index dc9761a25..2bab46a9d 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 96d9b8692..1bfaa32f6 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -28,32 +26,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Application Shimming via Sdbinst"
-risk_score = 21
-rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
- process.args : "?*" and
- not (process.args : "-m" and process.args : "-bg") and
- not process.args : "-mm"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -89,6 +61,32 @@ Application shimming is a Windows feature designed to ensure software compatibil
 - Review and restore any altered system configurations or registry settings to their default or secure state.
 - Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for `sdbinst.exe` executions across the network to detect and respond to future attempts at application shimming."""
+risk_score = 21
+rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
+ process.args : "?*" and
+ not (process.args : "-m" and process.args : "-bg") and
+ not process.args : "-mm"
+'''
 [[rule.threat]]
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index 426b95c70..d5ed04b00 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/12/04"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -14,32 +12,17 @@ that runs after a job finishes transferring data or after a job enters a specifi
 system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via BITS Job Notify Cmdline"
-references = [
- "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/",
- "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline",
- "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2",
-]
-risk_score = 47
-rule_id = "c3b915e0-22f3-4bf7-991d-b643513c722f"
-severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : "svchost.exe" and process.parent.args : "BITS" and
- not process.executable :
- ("?:\\Windows\\System32\\WerFaultSecure.exe",
- "?:\\Windows\\System32\\WerFault.exe",
- "?:\\Windows\\System32\\wermgr.exe",
- "?:\\WINDOWS\\system32\\directxdatabaseupdater.exe")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -76,6 +59,39 @@ Background Intelligent Transfer Service (BITS) is a Windows service that facilit
 - Update and run a full antivirus and anti-malware scan on the affected system to ensure no additional threats are present.
 - Review and enhance endpoint protection policies to prevent unauthorized use of BITS for persistence, ensuring that only trusted applications can create or modify BITS jobs.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+references = [
+ "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/",
+ "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline",
+ "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2",
+]
+risk_score = 47
+rule_id = "c3b915e0-22f3-4bf7-991d-b643513c722f"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : "svchost.exe" and process.parent.args : "BITS" and
+ not process.executable :
+ ("?:\\Windows\\System32\\WerFaultSecure.exe",
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\System32\\wermgr.exe",
+ "?:\\WINDOWS\\system32\\directxdatabaseupdater.exe")
+'''
 [[rule.threat]]
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 293ceeb1f..7efbfada4 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,41 @@ index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Hidden Run Key Detected"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Persistence via Hidden Run Key Detected
+
+The Windows Registry is a critical system database that stores configuration settings. Adversaries exploit it for persistence by creating hidden registry keys using native APIs, making them invisible to standard tools like regedit. The detection rule identifies changes in specific registry paths associated with startup programs, flagging null-terminated keys that suggest stealthy persistence tactics.
+
+### Possible investigation steps
+
+- Review the specific registry path where the change was detected to determine if it matches any of the paths listed in the query, such as "HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\" or "HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\".
+- Check the timestamp of the registry change event to correlate it with other system activities or user actions that occurred around the same time.
+- Investigate the process that made the registry change by examining process creation logs or using tools like Sysmon to identify the responsible process and its parent process.
+- Analyze the content of the registry key value that was modified or created to determine if it points to a legitimate application or a potentially malicious executable.
+- Cross-reference the detected registry change with known threat intelligence sources to identify if the key or value is associated with known malware or adversary techniques.
+- Assess the affected system for additional indicators of compromise, such as unusual network connections, file modifications, or other persistence mechanisms.
+
+### False positive analysis
+
+- Legitimate software installations or updates may create registry keys in the specified paths, leading to false positives. Users can monitor the installation process and temporarily disable the rule during known software updates to prevent unnecessary alerts.
+- System administrators may intentionally configure startup programs for maintenance or monitoring purposes. Document these configurations and create exceptions in the detection rule to avoid flagging them as threats.
+- Some security software may use similar techniques to ensure their components start with the system. Verify the legitimacy of such software and whitelist their registry changes to prevent false alarms.
+- Custom scripts or automation tools used within an organization might modify registry keys for operational reasons. Identify these scripts and exclude their activities from the detection rule to reduce false positives.
+- Regularly review and update the list of known safe applications and processes that interact with the registry paths in question, ensuring that the detection rule remains relevant and accurate.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
+- Use a trusted tool to manually inspect and remove the hidden registry keys identified in the alert from the specified registry paths to eliminate the persistence mechanism.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes associated with the threat.
+- Review recent user activity and system logs to identify any unauthorized access or changes made by the adversary, and reset credentials for any compromised accounts.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
+- Implement enhanced monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and process execution.
+- Update and reinforce endpoint security configurations to prevent similar persistence techniques, such as enabling registry auditing and restricting access to critical registry paths."""
 references = [
 "https://github.com/outflanknl/SharpHide",
 "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf",
@@ -63,41 +96,6 @@ registry where host.os.type == "windows" and event.type == "change" and length(r
 "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Persistence via Hidden Run Key Detected
-
-The Windows Registry is a critical system database that stores configuration settings. Adversaries exploit it for persistence by creating hidden registry keys using native APIs, making them invisible to standard tools like regedit. The detection rule identifies changes in specific registry paths associated with startup programs, flagging null-terminated keys that suggest stealthy persistence tactics.
-
-### Possible investigation steps
-
-- Review the specific registry path where the change was detected to determine if it matches any of the paths listed in the query, such as "HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\" or "HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\".
-- Check the timestamp of the registry change event to correlate it with other system activities or user actions that occurred around the same time.
-- Investigate the process that made the registry change by examining process creation logs or using tools like Sysmon to identify the responsible process and its parent process.
-- Analyze the content of the registry key value that was modified or created to determine if it points to a legitimate application or a potentially malicious executable.
-- Cross-reference the detected registry change with known threat intelligence sources to identify if the key or value is associated with known malware or adversary techniques.
-- Assess the affected system for additional indicators of compromise, such as unusual network connections, file modifications, or other persistence mechanisms.
-
-### False positive analysis
-
-- Legitimate software installations or updates may create registry keys in the specified paths, leading to false positives. Users can monitor the installation process and temporarily disable the rule during known software updates to prevent unnecessary alerts.
-- System administrators may intentionally configure startup programs for maintenance or monitoring purposes. Document these configurations and create exceptions in the detection rule to avoid flagging them as threats.
-- Some security software may use similar techniques to ensure their components start with the system. Verify the legitimacy of such software and whitelist their registry changes to prevent false alarms.
-- Custom scripts or automation tools used within an organization might modify registry keys for operational reasons. Identify these scripts and exclude their activities from the detection rule to reduce false positives.
-- Regularly review and update the list of known safe applications and processes that interact with the registry paths in question, ensuring that the detection rule remains relevant and accurate.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
-- Use a trusted tool to manually inspect and remove the hidden registry keys identified in the alert from the specified registry paths to eliminate the persistence mechanism.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes associated with the threat.
-- Review recent user activity and system logs to identify any unauthorized access or changes made by the adversary, and reset credentials for any compromised accounts.
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
-- Implement enhanced monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and process execution.
-- Update and reinforce endpoint security configurations to prevent similar persistence techniques, such as enabling registry auditing and restricting access to critical registry paths."""
 [[rule.threat]]
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 3c6f26520..7e7855db2 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,41 +11,17 @@ Identifies registry modifications related to the Windows Security Support Provid
 abuse this to establish persistence in an environment.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Installation of Security Support Provider"
-risk_score = 47
-rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-registry where host.os.type == "windows" and event.type == "change" and
- registry.path : (
- "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
- "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
- "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
- "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
- "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
- "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*"
- ) and
- not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -83,6 +57,37 @@ Security Support Providers (SSPs) in Windows environments facilitate authenticat
 - Review and update access controls and permissions to ensure that only authorized personnel can modify critical registry paths related to Security Support Providers.
 - Monitor the affected system and network for any signs of re-infection or further suspicious activity, focusing on registry changes and process executions.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""
+risk_score = 47
+rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+ registry.path : (
+ "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
+ "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
+ "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
+ "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
+ "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
+ "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*"
+ ) and
+ not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")
+'''
 [[rule.threat]]
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index 842735327..5ce887dd0 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,38 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via TelemetryController Scheduled Task Hijack"
-references = ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"]
-risk_score = 73
-rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and
- not process.name : ("conhost.exe",
- "DeviceCensus.exe",
- "CompatTelRunner.exe",
- "DismHost.exe",
- "rundll32.exe",
- "powershell.exe")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -94,6 +60,38 @@ The Microsoft Compatibility Appraiser, part of Windows telemetry, uses scheduled
 - Analyze the system for any unauthorized changes to user accounts or privileges, and revert any modifications to ensure that only legitimate users have access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for the affected system and similar scheduled tasks across the network to detect any future attempts at hijacking or unauthorized modifications."""
+references = ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"]
+risk_score = 73
+rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and
+ not process.name : ("conhost.exe",
+ "DeviceCensus.exe",
+ "CompatTelRunner.exe",
+ "DismHost.exe",
+ "rundll32.exe",
+ "powershell.exe")
+'''
 [[rule.threat]]
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index d13d6375a..4c77031fe 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 43ae1cc41..a064ad7db 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -28,34 +26,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via WMI Event Subscription"
-references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"]
-risk_score = 21
-rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c"
-severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- (process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe") and
- process.args : "create" and
- process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -89,6 +59,34 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through manual remediation. - Update and patch the system to the latest security standards to mitigate any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"] +risk_score = 21 +rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + (process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe") and + process.args : "create" and + process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer") +''' [[rule.threat]] diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml index dd9983e07..9eadb3b12 100644 --- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 4178b2f64..90a360e35 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -2,9 +2,7 @@ creation_date = "2021/08/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -145,9 +143,13 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
@@ -156,22 +158,18 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - - [rule.threat.tactic] id = "TA0002" diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml index 799049a57..1f028060f 100644 --- a/rules/windows/persistence_werfault_reflectdebugger.toml +++ b/rules/windows/persistence_werfault_reflectdebugger.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,37 +11,16 @@ Identifies the registration of a Werfault Debugger. Attackers may abuse this mec every time the utility is executed with the "-pr" parameter. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Werfault ReflectDebugger Persistence" -references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html"] -risk_score = 21 -rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and - registry.path : ( - "HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger", - "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger", - "MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -78,6 +55,33 @@ Werfault, the Windows Error Reporting service, can be manipulated by attackers t - Review and restore any system or application configurations that may have been altered by the attacker to their original state. - Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and alerting for registry changes in the specified paths to detect and respond to similar threats in the future.""" +references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html"] +risk_score = 21 +rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and + registry.path : ( + "HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger", + "MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger" + ) +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml index 319ad4396..cb2b70032 100644 --- a/rules/windows/privilege_escalation_create_process_as_different_user.toml +++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -17,36 +15,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Process Creation via Secondary Logon" -references = ["https://attack.mitre.org/techniques/T1134/002/"] -risk_score = 47 -rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266" -setup = """## Setup - -Audit events 4624 and 4688 are needed to trigger this rule. -""" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -type = "eql" - -query = ''' -sequence by winlog.computer_name with maxspan=1m - -[authentication where event.action:"logged-in" and - event.outcome == "success" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and - - /* seclogon service */ - process.name == "svchost.exe" and - winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId - -[process where event.type == "start"] by winlog.event_data.TargetLogonId -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -81,6 +49,36 @@ The Secondary Logon service in Windows allows users to run processes with differ - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach. - Implement stricter access controls and monitoring on the Secondary Logon service to detect and prevent similar privilege escalation attempts in the future. - Update and reinforce endpoint detection and response (EDR) solutions to enhance monitoring of process creation events and logon activities, ensuring they are aligned with the latest threat intelligence.""" +references = ["https://attack.mitre.org/techniques/T1134/002/"] +risk_score = 47 +rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266" +setup = """## Setup + +Audit events 4624 and 4688 are needed to trigger this rule. +""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +type = "eql" + +query = ''' +sequence by winlog.computer_name with maxspan=1m + +[authentication where event.action:"logged-in" and + event.outcome == "success" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and + + /* seclogon service */ + process.name == "svchost.exe" and + winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId + +[process where event.type == "start"] by winlog.event_data.TargetLogonId +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index 077e04609..26301237a 100644 --- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -19,6 +17,41 @@ index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"] language = "kuery" license = "Elastic License v2" name = "Modification of the msPKIAccountCredentials" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Modification of the msPKIAccountCredentials + +The msPKIAccountCredentials attribute in Active Directory stores encrypted credential data, including private keys and certificates. Adversaries may exploit this by altering the attribute to escalate privileges, potentially overwriting files. The detection rule identifies such modifications by monitoring specific directory service events, focusing on changes to this attribute, excluding actions by the system account, thus highlighting unauthorized access attempts. + +### Possible investigation steps + +- Review the event logs for the specific event code 5136 to gather details about the modification event, including the timestamp and the user account involved. +- Examine the winlog.event_data.SubjectUserSid field to identify the user who attempted the modification, ensuring it is not the system account (S-1-5-18). +- Investigate the history and behavior of the identified user account to determine if there are any previous suspicious activities or anomalies. +- Check for any recent changes or anomalies in the affected Active Directory User Object, focusing on the msPKIAccountCredentials attribute. +- Assess the potential impact of the modification by identifying any files or systems that may have been affected by the altered credentials. 
+- Correlate this event with other security alerts or logs to identify any patterns or coordinated activities that might indicate a broader attack. + +### False positive analysis + +- Routine administrative tasks by IT personnel may trigger the rule. To manage this, create exceptions for specific user accounts or groups known to perform these tasks regularly. +- Scheduled maintenance scripts or automated processes that modify Active Directory attributes could be mistaken for unauthorized changes. Identify these processes and exclude their associated user accounts or service accounts from the rule. +- Software updates or installations that require changes to user credentials might cause false positives. Document these events and adjust the rule to ignore modifications during known update windows. +- Legitimate changes made by third-party applications integrated with Active Directory can be flagged. Review and whitelist these applications by excluding their associated user accounts or service accounts. +- Temporary changes during incident response or security audits may appear suspicious. Coordinate with security teams to ensure these activities are recognized and excluded from triggering alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Revoke any potentially compromised certificates and private keys associated with the affected msPKIAccountCredentials attribute to prevent misuse. +- Conduct a thorough review of recent changes in Active Directory, focusing on the msPKIAccountCredentials attribute, to identify any unauthorized modifications or access patterns. +- Reset passwords and regenerate keys for any accounts or services that may have been affected to ensure that compromised credentials are no longer valid. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach. +- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activity or attempts to exploit similar vulnerabilities. +- Review and update access controls and permissions in Active Directory to ensure that only authorized personnel have the ability to modify sensitive attributes like msPKIAccountCredentials.""" references = [ "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", 
@@ -61,41 +94,6 @@ event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCr winlog.event_data.OperationType:"%%14674" and not winlog.event_data.SubjectUserSid : "S-1-5-18" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Modification of the msPKIAccountCredentials - -The msPKIAccountCredentials attribute in Active Directory stores encrypted credential data, including private keys and certificates. Adversaries may exploit this by altering the attribute to escalate privileges, potentially overwriting files. The detection rule identifies such modifications by monitoring specific directory service events, focusing on changes to this attribute, excluding actions by the system account, thus highlighting unauthorized access attempts. - -### Possible investigation steps - -- Review the event logs for the specific event code 5136 to gather details about the modification event, including the timestamp and the user account involved. -- Examine the winlog.event_data.SubjectUserSid field to identify the user who attempted the modification, ensuring it is not the system account (S-1-5-18). -- Investigate the history and behavior of the identified user account to determine if there are any previous suspicious activities or anomalies. -- Check for any recent changes or anomalies in the affected Active Directory User Object, focusing on the msPKIAccountCredentials attribute. -- Assess the potential impact of the modification by identifying any files or systems that may have been affected by the altered credentials. 
-- Correlate this event with other security alerts or logs to identify any patterns or coordinated activities that might indicate a broader attack. - -### False positive analysis - -- Routine administrative tasks by IT personnel may trigger the rule. To manage this, create exceptions for specific user accounts or groups known to perform these tasks regularly. -- Scheduled maintenance scripts or automated processes that modify Active Directory attributes could be mistaken for unauthorized changes. Identify these processes and exclude their associated user accounts or service accounts from the rule. -- Software updates or installations that require changes to user credentials might cause false positives. Document these events and adjust the rule to ignore modifications during known update windows. -- Legitimate changes made by third-party applications integrated with Active Directory can be flagged. Review and whitelist these applications by excluding their associated user accounts or service accounts. -- Temporary changes during incident response or security audits may appear suspicious. Coordinate with security teams to ensure these activities are recognized and excluded from triggering alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Revoke any potentially compromised certificates and private keys associated with the affected msPKIAccountCredentials attribute to prevent misuse. -- Conduct a thorough review of recent changes in Active Directory, focusing on the msPKIAccountCredentials attribute, to identify any unauthorized modifications or access patterns. -- Reset passwords and regenerate keys for any accounts or services that may have been affected to ensure that compromised credentials are no longer valid. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach. -- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activity or attempts to exploit similar vulnerabilities. -- Review and update access controls and permissions in Active Directory to ensure that only authorized personnel have the ability to modify sensitive attributes like msPKIAccountCredentials.""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 430416e26..5050cd20f 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -15,7 +13,14 @@ administrator-level access to the system. This rule identifies registry value ch (UAC) protection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Disabling User Account Control via Registry Modification" diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml index 00b8597b8..45a02549d 100644 
--- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -2,9 +2,7 @@ creation_date = "2024/05/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -17,33 +15,6 @@ index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", language = "eql" license = "Elastic License v2" name = "Unsigned DLL loaded by DNS Service" -references = [ - "https://cube0x0.github.io/Pocing-Beyond-DA/", - "https://adsecurity.org/?p=4064", - "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll" -] -risk_score = 47 -rule_id = "5d676480-9655-4507-adc6-4eec311efff8" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Resources: Investigation Guide" -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -any where host.os.type == "windows" and event.category : ("library", "process") and - event.type : ("start", "change") and event.action : ("load", "Image loaded*") and - process.executable : "?:\\windows\\system32\\dns.exe" and - not ?dll.code_signature.trusted == true and - not file.code_signature.status == "Valid" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -80,6 +51,33 @@ The DNS service in Windows environments is crucial for resolving domain names to - Review and update the system's security patches and configurations to address any vulnerabilities that may have been exploited, particularly those related to privilege escalation. - Monitor the system and network for any signs of continued or repeated unauthorized activity, focusing on similar indicators of compromise. - Report the incident to the appropriate internal security team or external authorities if required, providing details of the threat and actions taken for further investigation and response.""" +references = [ + "https://cube0x0.github.io/Pocing-Beyond-DA/", + "https://adsecurity.org/?p=4064", + "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll", +] +risk_score = 47 +rule_id = "5d676480-9655-4507-adc6-4eec311efff8" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +any where host.os.type == "windows" and event.category : ("library", "process") and + event.type : ("start", "change") and event.action : ("load", "Image loaded*") and + process.executable : "?:\\windows\\system32\\dns.exe" and + not ?dll.code_signature.trusted == true and + not file.code_signature.status == "Valid" +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index 760a2e136..0a3ae8c0d 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml +++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml 
@@ -2,48 +2,23 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n" from = "now-9m" -index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "winlogbeat-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Potential privilege escalation via CVE-2022-38028" -references = [ - "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/", -] -risk_score = 73 -rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type != "deletion" and - file.name : "MPDW-constraints.js" and - file.path : ( - "?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js", - "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js" - ) -''' note = """## 
Triage and analysis > **Disclaimer**: @@ -79,6 +54,36 @@ CVE-2022-38028 targets the Windows Print Spooler service, a core component manag - Conduct a thorough review of user accounts and privileges on the affected system to identify and revoke any unauthorized privilege escalations. - Monitor the network and system logs for any signs of further exploitation attempts or related suspicious activities, using enhanced detection rules. - Report the incident to the appropriate internal security team or external authorities if required, providing detailed information about the exploitation attempt and actions taken.""" +references = [ + "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/", +] +risk_score = 73 +rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type != "deletion" and + file.name : "MPDW-constraints.js" and + file.path : ( + "?:\\*\\Windows\\system32\\DriVerStoRe\\FiLeRePoSiToRy\\*\\MPDW-constraints.js", + "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js" + ) +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml index 422f24a07..83c8fad1a 100644 --- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml +++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,38 +12,17 @@ legitimate system administration, but can also be abused by an attacker with dom malicious payload remotely on all or a subset of the domain joined machines. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Creation or Modification of a new GPO Scheduled Task or Service" -risk_score = 21 -rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and - file.name : ("ScheduledTasks.xml", "Services.xml") and - file.path : ( - "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml", - "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml" - ) and - not process.executable : "C:\\Windows\\System32\\dfsrs.exe" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -81,6 +58,34 @@ Group Policy Objects (GPOs) are crucial for centralized management in Windows en - Notify the security operations center (SOC) and escalate the incident to the incident response team for further investigation and to determine the scope of the compromise. - Implement additional monitoring on GPO paths and domain admin activities to detect any further unauthorized changes or suspicious behavior. - Review and strengthen access controls and auditing policies for GPO management to prevent unauthorized modifications in the future.""" +risk_score = 21 +rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and + file.name : ("ScheduledTasks.xml", "Services.xml") and + file.path : ( + "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml", + "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml" + ) and + not process.executable : "C:\\Windows\\System32\\dfsrs.exe" +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index 5fc487de6..1c705e82d 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml index 7caac286a..c7f65c3e7 100644 --- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml +++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml @@ -2,9 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml index b3450e863..1542e3128 100644 --- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml @@ -2,9 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml index 4572988bf..e9a7cdaea 100644 --- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml +++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml 
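Review bot: Dropping `min_stack_version = "8.14.0"` together with its `min_stack_comments` line in all three hunks removes the floor that kept these rules off stacks predating the Windows integration breaking change, and nothing in the hunks records why that floor is now safe to remove. Presumably 8.14 has become the oldest maintained branch, in which case the floor is redundant, but if any 8.13 deployment still pulls these rules it would load them against the pre-change integration and the queries may no longer match the shipped field names. A one-line statement of that assumption in the commit message, or keeping the floor until the older branch is retired, would make the intent auditable.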
@@ -2,9 +2,7 @@ creation_date = "2022/04/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,6 +16,39 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Service Creation via Local Kerberos Authentication" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Service Creation via Local Kerberos Authentication + +Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications. In Windows environments, it is often used for secure identity verification. Adversaries may exploit Kerberos by relaying authentication tickets locally to escalate privileges, potentially creating services with elevated rights. The detection rule identifies suspicious local logons using Kerberos, followed by service creation, indicating possible misuse. By monitoring specific logon events and service installations, it helps detect unauthorized privilege escalation attempts. + +### Possible investigation steps + +- Review the event logs for the specific LogonId identified in the alert to gather details about the logon session, including the user account involved and the time of the logon event. +- Examine the source IP address and port from the logon event to confirm it matches the localhost (127.0.0.1 or ::1) and determine if this aligns with expected behavior for the user or system. +- Investigate the service creation event (event ID 4697) associated with the same LogonId to identify the service name, executable path, and any related command-line arguments to assess if it is legitimate or potentially malicious. 
+- Check for any recent changes or anomalies in the system or user account, such as modifications to user privileges, group memberships, or recent software installations, that could indicate unauthorized activity. +- Correlate the findings with other security alerts or logs from the same timeframe to identify any patterns or additional indicators of compromise that may suggest a broader attack or compromise. + +### False positive analysis + +- Routine administrative tasks may trigger the rule if administrators frequently log in locally using Kerberos and create services as part of their duties. To manage this, create exceptions for known administrative accounts or specific service creation activities that are part of regular maintenance. +- Automated scripts or software updates that use Kerberos authentication and subsequently install or update services can also generate false positives. Identify these scripts or update processes and exclude their associated logon IDs from the rule. +- Security software or monitoring tools that perform regular checks and use Kerberos for authentication might inadvertently trigger the rule. Review the behavior of these tools and whitelist their activities if they are verified as non-threatening. +- In environments where localhost is used for testing or development purposes, developers might log in using Kerberos and create services. Consider excluding specific development machines or user accounts from the rule to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or privilege escalation. +- Terminate any suspicious services created during the incident to halt potential malicious activities. +- Conduct a thorough review of the affected system's event logs, focusing on the specific LogonId and service creation events to identify the scope of the compromise. 
+- Reset the credentials of the compromised user account and any other accounts that may have been accessed using the relayed Kerberos tickets. +- Apply patches and updates to the affected system and any other systems in the network to address known vulnerabilities that could be exploited in similar attacks. +- Implement network segmentation to limit the ability of attackers to move laterally within the network, reducing the risk of privilege escalation. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" references = [ "https://github.com/Dec0ne/KrbRelayUp", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", 
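Review bot: The response guidance in the added `note` treats this as a patching problem (`Apply patches and updates to the affected system ... to address known vulnerabilities`), but the KrbRelayUp and Project Zero references the rule cites describe a relay of local Kerberos authentication that is mitigated by domain configuration rather than by a host fix. A more actionable bullet would be: `- Verify that domain controllers enforce LDAP signing and LDAPS channel binding, and review whether low-privileged users may add computer accounts (ms-DS-MachineAccountQuota), since this relay depends on those settings being permissive.` The credential-reset bullet should also name the computer account, because in the cited technique the relayed identity is typically the host's machine account rather than the interactive user. These are wording changes to the investigation guide only; the query is untouched by this hunk.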
@@ -55,39 +86,6 @@ sequence by winlog.computer_name with maxspan=5m /* event 4697 need to be logged */ event.action : "service-installed"] by winlog.event_data.SubjectLogonId ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Service Creation via Local Kerberos Authentication - -Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications. In Windows environments, it is often used for secure identity verification. Adversaries may exploit Kerberos by relaying authentication tickets locally to escalate privileges, potentially creating services with elevated rights. The detection rule identifies suspicious local logons using Kerberos, followed by service creation, indicating possible misuse. By monitoring specific logon events and service installations, it helps detect unauthorized privilege escalation attempts. - -### Possible investigation steps - -- Review the event logs for the specific LogonId identified in the alert to gather details about the logon session, including the user account involved and the time of the logon event. -- Examine the source IP address and port from the logon event to confirm it matches the localhost (127.0.0.1 or ::1) and determine if this aligns with expected behavior for the user or system. -- Investigate the service creation event (event ID 4697) associated with the same LogonId to identify the service name, executable path, and any related command-line arguments to assess if it is legitimate or potentially malicious. 
-- Check for any recent changes or anomalies in the system or user account, such as modifications to user privileges, group memberships, or recent software installations, that could indicate unauthorized activity. -- Correlate the findings with other security alerts or logs from the same timeframe to identify any patterns or additional indicators of compromise that may suggest a broader attack or compromise. - -### False positive analysis - -- Routine administrative tasks may trigger the rule if administrators frequently log in locally using Kerberos and create services as part of their duties. To manage this, create exceptions for known administrative accounts or specific service creation activities that are part of regular maintenance. -- Automated scripts or software updates that use Kerberos authentication and subsequently install or update services can also generate false positives. Identify these scripts or update processes and exclude their associated logon IDs from the rule. -- Security software or monitoring tools that perform regular checks and use Kerberos for authentication might inadvertently trigger the rule. Review the behavior of these tools and whitelist their activities if they are verified as non-threatening. -- In environments where localhost is used for testing or development purposes, developers might log in using Kerberos and create services. Consider excluding specific development machines or user accounts from the rule to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or privilege escalation. -- Terminate any suspicious services created during the incident to halt potential malicious activities. -- Conduct a thorough review of the affected system's event logs, focusing on the specific LogonId and service creation events to identify the scope of the compromise. 
-- Reset the credentials of the compromised user account and any other accounts that may have been accessed using the relayed Kerberos tickets. -- Apply patches and updates to the affected system and any other systems in the network to address known vulnerabilities that could be exploited in similar attacks. -- Implement network segmentation to limit the ability of attackers to move laterally within the network, reducing the risk of privilege escalation. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml index 512bcab7e..291c41803 100644 --- a/rules/windows/privilege_escalation_make_token_local.toml +++ b/rules/windows/privilege_escalation_make_token_local.toml @@ -2,9 +2,7 @@ creation_date = "2023/12/04" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,39 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Interactive Logon by an Unusual Process" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Interactive Logon by an Unusual Process + +Interactive logons in Windows environments typically involve standard processes like winlogon.exe. Adversaries may exploit alternate processes to create tokens, escalating privileges and bypassing controls. This detection rule identifies anomalies by flagging logons via non-standard executables, focusing on mismatched user SIDs and unusual process paths, thus highlighting potential privilege escalation attempts. + +### Possible investigation steps + +- Review the process executable path to determine if it is a known or expected application for interactive logons. Investigate any unfamiliar or suspicious paths. +- Examine the SubjectUserSid and TargetUserSid to identify the users involved in the logon attempt. Check for any discrepancies or unusual patterns in user activity. +- Analyze the event logs around the time of the alert to identify any related or preceding events that might indicate how the unusual process was initiated. +- Investigate the system for any signs of compromise, such as unexpected changes in system files, unauthorized software installations, or other indicators of malicious activity. +- Check for any recent privilege escalation attempts or access token manipulations that might correlate with the alert, using the MITRE ATT&CK framework references for guidance. 
+ +### False positive analysis + +- Legitimate administrative tools or scripts may trigger this rule if they use non-standard executables for logon processes. To manage this, identify and whitelist these known tools by adding their executable paths to the exception list. +- Custom applications developed in-house that require interactive logon might be flagged. Review these applications and, if verified as safe, exclude their executable paths from the detection rule. +- Automated tasks or services that use alternate credentials for legitimate purposes can cause false positives. Analyze these tasks and, if they are part of regular operations, adjust the rule to exclude their specific user SIDs or executable paths. +- Security software or monitoring tools that perform logon actions for scanning or auditing purposes may be incorrectly flagged. Confirm their legitimacy and add them to the exception list to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. +- Terminate any suspicious processes identified as executing from non-standard paths that are not part of the legitimate Windows system processes. +- Revoke any tokens or credentials associated with the anomalous logon session to prevent further misuse. +- Conduct a thorough review of user accounts involved, focusing on any unauthorized privilege escalations or changes in permissions, and reset passwords as necessary. +- Analyze the system for any signs of persistence mechanisms or additional malware, and remove any identified threats. +- Restore the system from a known good backup if any unauthorized changes or malware are detected that cannot be easily remediated. 
+- Report the incident to the appropriate internal security team or management for further investigation and potential escalation to law enforcement if necessary.""" references = ["https://attack.mitre.org/techniques/T1134/002/"] risk_score = 73 rule_id = "61766ef9-48a5-4247-ad74-3349de7eb2ad" 
@@ -51,39 +82,6 @@ authentication where "?:\\Windows\\System32\\inetsrv\\w3wp.exe", "?:\\Windows\\SysWOW64\\msiexec.exe") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Interactive Logon by an Unusual Process - -Interactive logons in Windows environments typically involve standard processes like winlogon.exe. Adversaries may exploit alternate processes to create tokens, escalating privileges and bypassing controls. This detection rule identifies anomalies by flagging logons via non-standard executables, focusing on mismatched user SIDs and unusual process paths, thus highlighting potential privilege escalation attempts. - -### Possible investigation steps - -- Review the process executable path to determine if it is a known or expected application for interactive logons. Investigate any unfamiliar or suspicious paths. -- Examine the SubjectUserSid and TargetUserSid to identify the users involved in the logon attempt. Check for any discrepancies or unusual patterns in user activity. -- Analyze the event logs around the time of the alert to identify any related or preceding events that might indicate how the unusual process was initiated. -- Investigate the system for any signs of compromise, such as unexpected changes in system files, unauthorized software installations, or other indicators of malicious activity. -- Check for any recent privilege escalation attempts or access token manipulations that might correlate with the alert, using the MITRE ATT&CK framework references for guidance. 
- -### False positive analysis - -- Legitimate administrative tools or scripts may trigger this rule if they use non-standard executables for logon processes. To manage this, identify and whitelist these known tools by adding their executable paths to the exception list. -- Custom applications developed in-house that require interactive logon might be flagged. Review these applications and, if verified as safe, exclude their executable paths from the detection rule. -- Automated tasks or services that use alternate credentials for legitimate purposes can cause false positives. Analyze these tasks and, if they are part of regular operations, adjust the rule to exclude their specific user SIDs or executable paths. -- Security software or monitoring tools that perform logon actions for scanning or auditing purposes may be incorrectly flagged. Confirm their legitimacy and add them to the exception list to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. -- Terminate any suspicious processes identified as executing from non-standard paths that are not part of the legitimate Windows system processes. -- Revoke any tokens or credentials associated with the anomalous logon session to prevent further misuse. -- Conduct a thorough review of user accounts involved, focusing on any unauthorized privilege escalations or changes in permissions, and reset passwords as necessary. -- Analyze the system for any signs of persistence mechanisms or additional malware, and remove any identified threats. -- Restore the system from a known good backup if any unauthorized changes or malware are detected that cannot be easily remediated. -- Report the incident to the appropriate internal security team or management for further investigation and potential escalation to law enforcement if necessary.""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml index 962de6246..8302d8047 100644 --- a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml +++ b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml @@ -2,20 +2,14 @@ creation_date = "2024/09/12" integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender", "windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ -Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. -This may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup. +Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. This +may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup. """ -references = [ - "https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/", - "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014" -] from = "now-9m" index = [ "winlogbeat-*", 
@@ -23,35 +17,11 @@ index = [ "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", - "logs-m365_defender.event-*" + "logs-m365_defender.event-*", ] language = "eql" license = "Elastic License v2" name = "Potential Escalation via Vulnerable MSI Repair" -risk_score = 73 -rule_id = "043d80a3-c49e-43ef-9c72-1088f0c7b278" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", - "Resources: Investigation Guide" -] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where event.type == "start" and host.os.type == "windows" and - user.domain : ("NT AUTHORITY", "AUTORITE NT", "AUTORIDADE NT") and - process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", - "opera.exe", "iexplore", "firefox.exe", "waterfox.exe", "iexplore.exe", "tor.exe", "safari.exe") and - process.parent.command_line : "*go.microsoft.com*" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -86,6 +56,35 @@ Windows Installer (MSI) is a service used for software installation and maintena - Restore the affected system from a known good backup if unauthorized changes or persistent threats are detected that cannot be easily remediated. - Monitor the network for any signs of similar exploitation attempts or related suspicious activities, using enhanced detection rules and threat intelligence feeds. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation and recovery efforts.""" +references = [ + "https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/", + "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014", +] +risk_score = 73 +rule_id = "043d80a3-c49e-43ef-9c72-1088f0c7b278" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type == "start" and host.os.type == "windows" and + user.domain : ("NT AUTHORITY", "AUTORITE NT", "AUTORIDADE NT") and + process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", + "opera.exe", "iexplore", "firefox.exe", "waterfox.exe", "iexplore.exe", "tor.exe", "safari.exe") and + process.parent.command_line : "*go.microsoft.com*" +''' [[rule.threat]] @@ -100,8 +99,6 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
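Review bot: The `process.parent.name` list in the moved query carries both `"iexplore"` and `"iexplore.exe"`; the field holds the image file name with its extension (every other entry in the list ends in `.exe`), so the bare token can only match a process literally named `iexplore` and should be dropped as dead weight. The `user.domain : ("NT AUTHORITY", "AUTORITE NT", "AUTORIDADE NT")` check recognises only three localisations, so an elevated child spawned on an install in any other language is missed; if the listed data sources populate `user.id`, `user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")` is locale-independent and covers the same SYSTEM, LOCAL SERVICE and NETWORK SERVICE identities. I have not confirmed `user.id` coverage across the Sysmon, Defender and SentinelOne indices, so keep the domain list as a fallback if any source lacks it.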
@@ -119,3 +116,4 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index b75be0c16..17355c1cb 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml index 56562a07b..d0e6efc72 100644 --- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml +++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml @@ -2,9 +2,7 @@ creation_date = "2023/11/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,17 +15,6 @@ index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"] language = "kuery" license = "Elastic License v2" name = "First Time Seen NewCredentials Logon Process" -references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"] -risk_score = 47 -rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "new_terms" - -query = ''' -event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\Program?Files* -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -62,6 +49,24 @@ The NewCredentials logon type in Windows allows processes to impersonate a user - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring for similar suspicious logon activities across the network to detect and respond to potential future attempts promptly. - Review and update access control policies and token management practices to mitigate the risk of access token manipulation in the future.""" +references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"] +risk_score = 47 +rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\Program?Files* +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 6ae392c41..cd692fd1c 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -2,9 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/14" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml index 4fb0bd7c8..a2b11219b 100644 --- a/rules/windows/privilege_escalation_posh_token_impersonation.toml +++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/17" integration = ["windows"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index 410f3e64a..742afb6cc 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,6 +16,40 @@ index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_op language = "eql" license = "Elastic License v2" name = "Suspicious Print Spooler Point and Print DLL" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious Print Spooler Point and Print DLL + +The Windows Print Spooler service manages print jobs and is integral to printing operations. Adversaries exploit vulnerabilities like CVE-2020-1030 to escalate privileges by loading malicious DLLs into the spooler process, which runs with SYSTEM-level permissions. The detection rule identifies suspicious registry modifications linked to the Print Spooler, indicating potential exploitation attempts by monitoring specific registry paths and data patterns. + +### Possible investigation steps + +- Review the registry paths specified in the alert to confirm any unauthorized modifications, focusing on the paths: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory and HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module. +- Check the registry data strings for any unexpected or suspicious DLLs located in C:\\Windows\\System32\\spool\\drivers\\x64\\4, which may indicate a malicious payload. +- Investigate the host identified by host.id to determine if there are any other signs of compromise or unusual activity, such as unexpected processes or network connections. +- Correlate the alert with other security events or logs from the same host to identify any related activities or patterns that could suggest a broader attack. 
+- Assess the system's patch level and update status to ensure that all known vulnerabilities, including CVE-2020-1030, have been addressed and mitigated. +- If a malicious DLL is confirmed, isolate the affected system to prevent further exploitation and begin remediation efforts, such as removing the malicious files and restoring the system to a known good state. + +### False positive analysis + +- Legitimate printer driver updates or installations may trigger the rule due to registry modifications in the specified paths. Users can create exceptions for known and trusted driver update processes to prevent false alerts. +- Custom print configurations by IT departments that modify the SpoolDirectory or CopyFiles registry paths might be flagged. Document and exclude these configurations if they are verified as safe and necessary for business operations. +- Automated scripts or software that manage printer settings and inadvertently modify the monitored registry paths can cause false positives. Identify and whitelist these scripts or applications after confirming their legitimacy. +- Third-party print management solutions that interact with the Print Spooler service may lead to false detections. Evaluate these solutions and exclude their known benign activities from the detection rule. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary. +- Terminate the Print Spooler service on the compromised system to stop any ongoing malicious activity and prevent further DLL loading. +- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any malicious DLLs or related files. +- Review and restore the registry paths identified in the detection query to their default values to ensure no malicious configurations remain. 
+- Apply the latest security patches and updates from Microsoft to address CVE-2020-1030 and other known vulnerabilities in the Print Spooler service. +- Monitor the network for any signs of similar exploitation attempts, focusing on the registry paths and data patterns specified in the detection rule. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" references = [ "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", 
@@ -54,40 +86,6 @@ sequence by host.id with maxspan=30s ) and registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\*"] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious Print Spooler Point and Print DLL - -The Windows Print Spooler service manages print jobs and is integral to printing operations. Adversaries exploit vulnerabilities like CVE-2020-1030 to escalate privileges by loading malicious DLLs into the spooler process, which runs with SYSTEM-level permissions. The detection rule identifies suspicious registry modifications linked to the Print Spooler, indicating potential exploitation attempts by monitoring specific registry paths and data patterns. - -### Possible investigation steps - -- Review the registry paths specified in the alert to confirm any unauthorized modifications, focusing on the paths: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory and HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module. -- Check the registry data strings for any unexpected or suspicious DLLs located in C:\\Windows\\System32\\spool\\drivers\\x64\\4, which may indicate a malicious payload. -- Investigate the host identified by host.id to determine if there are any other signs of compromise or unusual activity, such as unexpected processes or network connections. -- Correlate the alert with other security events or logs from the same host to identify any related activities or patterns that could suggest a broader attack. 
-- Assess the system's patch level and update status to ensure that all known vulnerabilities, including CVE-2020-1030, have been addressed and mitigated. -- If a malicious DLL is confirmed, isolate the affected system to prevent further exploitation and begin remediation efforts, such as removing the malicious files and restoring the system to a known good state. - -### False positive analysis - -- Legitimate printer driver updates or installations may trigger the rule due to registry modifications in the specified paths. Users can create exceptions for known and trusted driver update processes to prevent false alerts. -- Custom print configurations by IT departments that modify the SpoolDirectory or CopyFiles registry paths might be flagged. Document and exclude these configurations if they are verified as safe and necessary for business operations. -- Automated scripts or software that manage printer settings and inadvertently modify the monitored registry paths can cause false positives. Identify and whitelist these scripts or applications after confirming their legitimacy. -- Third-party print management solutions that interact with the Print Spooler service may lead to false detections. Evaluate these solutions and exclude their known benign activities from the detection rule. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary. -- Terminate the Print Spooler service on the compromised system to stop any ongoing malicious activity and prevent further DLL loading. -- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any malicious DLLs or related files. -- Review and restore the registry paths identified in the detection query to their default values to ensure no malicious configurations remain. 
-- Apply the latest security patches and updates from Microsoft to address CVE-2020-1030 and other known vulnerabilities in the Print Spooler service. -- Monitor the network for any signs of similar exploitation attempts, focusing on the registry paths and data patterns specified in the detection rule. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index 30d052601..5fd974a88 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -25,33 +23,6 @@ index = [ language = "kuery" license = "Elastic License v2" name = "Suspicious PrintSpooler Service Executable File Creation" -references = [ - "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", - "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files", -] -risk_score = 21 -rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "new_terms" - -query = ''' -event.category : "file" and host.os.type : "windows" and event.type : "creation" and - process.name : "spoolsv.exe" and file.extension : "dll" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -86,56 +57,84 @@ The Print Spooler service in Windows manages print jobs, but vulnerabilities lik
- Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized privilege escalation has occurred.
- Monitor the network for any signs of similar exploitation attempts or related suspicious activity, using enhanced logging and alerting mechanisms.
- Report the incident to the appropriate internal security team or external authorities if required, providing details of the exploit and actions taken for further investigation and response."""
+references = [
+ "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
+ "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files",
+]
+risk_score = 21
+rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.category : "file" and host.os.type : "windows" and event.type : "creation" and
+ process.name : "spoolsv.exe" and file.extension : "dll"
+'''
+
[[rule.filters]]
+
[rule.filters.meta]
negate = false
[rule.filters.query.wildcard."file.path"]
-"case_insensitive" = true
-"value" = "?:\\\\Windows\\\\Sys?????\\\\*"
-
+case_insensitive = true
+value = "?:\\\\Windows\\\\Sys?????\\\\*"
[[rule.filters]]
+
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
-"case_insensitive" = true
-"value" = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"
-
+case_insensitive = true
+value = "?:\\Windows\\Sys?????\\u005lrs.dll"
[[rule.filters]]
+
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
-"case_insensitive" = true
-"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"
-
+case_insensitive = true
+value = "?:\\Windows\\system32\\spool\\DRIVERS\\u0064\\\\*.dll"
[[rule.filters]]
+
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
-"case_insensitive" = true
-"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"
-
+case_insensitive = true
+value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"
[[rule.filters]]
+
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
-"case_insensitive" = true
-"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"
-
+case_insensitive = true
+value = "?:\\Windows\\system32\\spool\\PRTPROCS\\u0064\\\\*.dll"
[[rule.filters]]
+
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
-"case_insensitive" = true
-"value" = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"
-
+case_insensitive = true
+value = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -155,3 +154,5 @@ value = ["host.id", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
+
+
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index a4d9dff6d..75067c258 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
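Review bot: The three wildcard filter values that contained a `\x` sequence no longer decode to the pattern they did before this change: TOML reads `"?:\\Windows\\system32\\spool\\DRIVERS\\u0064\\\\*.dll"` as `?:\Windows\system32\spool\DRIVERS\d\\*.dll` (`\u0064` is the letter `d`, and Elasticsearch's wildcard syntax then consumes each lone backslash as an escape), so the `negate = true` exclusions for `spool\DRIVERS\x64\*.dll` and `spool\PRTPROCS\x64\*.dll` match nothing and legitimate driver DLLs written there are no longer excluded by this new_terms rule; `\u005l` is not a valid four-hex-digit `\uXXXX` escape at all, so the `x5lrs.dll` filter is either a parse error or a different string depending on the loader. This looks like the known `\x`→`\u00` rewrite that `toml.dumps` applies on serialization, which would also explain why only the values containing `\x` changed while the `W32X86` and GUID filters kept their `\\\\` form, though I cannot see the tool that produced the diff. Restore the three values to the same escaping as their siblings: `value = "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"`, `value = "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"` and `value = "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"`, and add a round-trip check on `rule.filters` wildcard values so a formatter pass cannot silently change an exclusion again.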
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -19,35 +17,17 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Print Spooler File Deletion" -references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] -risk_score = 47 -rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "windows" and event.type == "deletion" and - file.extension : "dll" and file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll" and - not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,6 +62,31 @@ The Print Spooler service in Windows manages print jobs and interactions with pr - Apply the latest security patches and updates to the Print Spooler service and related components to mitigate known vulnerabilities. - Monitor the affected system and network for any signs of further suspicious activity, focusing on similar file deletion patterns or privilege escalation attempts. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for broader organizational response measures.""" +references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] +risk_score = 47 +rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type == "deletion" and + file.extension : "dll" and file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll" and + not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe") +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml index 12a9f06a2..348e56d1e 100644 --- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml +++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml 
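Review bot: The `not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe")` exclusion in the re-added query keys the allowlist on a name the process chooses, so a cleanup binary copied to a user-writable directory and renamed `explorer.exe` can delete the dropped DLL under `spool\drivers\x64\3\` without this rule firing. Anchoring on the full path narrows that gap, e.g. `not process.executable : ("?:\\Windows\\System32\\spoolsv.exe", "?:\\Windows\\System32\\dllhost.exe", "?:\\Windows\\explorer.exe")`; `process.executable` is referenced by the investigation guide of the ImagePath rule in this same diff, but whether every data source listed in `index` populates it should be confirmed before switching. The query is moved verbatim in this hunk, so this is pre-existing rather than introduced by the commit.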
@@ -2,9 +2,7 @@ creation_date = "2024/06/05" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,9 +16,42 @@ index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via Service ImagePath Modification" -references = [ - "https://cube0x0.github.io/Pocing-Beyond-DA/" -] +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Privilege Escalation via Service ImagePath Modification + +Windows services are crucial for system operations, often running with high privileges. Adversaries exploit this by altering the ImagePath registry key of services to execute malicious code with elevated privileges. The detection rule identifies suspicious modifications to service ImagePaths, focusing on changes that deviate from standard executable paths, thus flagging potential privilege escalation attempts. + +### Possible investigation steps + +- Review the specific registry key and value that triggered the alert to confirm it matches one of the monitored service keys, such as those listed in the query (e.g., *\\LanmanServer, *\\Winmgmt). +- Examine the modified ImagePath value to determine if it points to a non-standard executable path or a suspicious executable, especially those not located in %systemroot%\\system32\\. +- Check the process.executable field to identify the process responsible for the registry modification and assess its legitimacy. +- Investigate the user account associated with the modification event to determine if it has elevated privileges, such as membership in the Server Operators group. 
+- Correlate the event with other logs or alerts to identify any related suspicious activities, such as unexpected service starts or process executions. +- Review recent changes or activities on the host to identify any unauthorized access or configuration changes that could indicate a broader compromise. + +### False positive analysis + +- Legitimate software updates or installations may modify service ImagePaths. Users can create exceptions for known update processes or installation paths to prevent false positives. +- System administrators might intentionally change service configurations for maintenance or troubleshooting. Document and exclude these changes by adding exceptions for specific administrator actions or paths. +- Custom scripts or automation tools that modify service settings as part of their operation can trigger alerts. Identify and whitelist these scripts or tools to avoid unnecessary alerts. +- Some third-party security or management software may alter service ImagePaths as part of their functionality. Verify the legitimacy of such software and exclude their known paths from detection. +- Changes made by trusted IT personnel during system configuration or optimization should be logged and excluded from alerts to reduce noise. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. +- Terminate any suspicious processes identified as running from non-standard executable paths, especially those not originating from the system32 directory. +- Restore the modified ImagePath registry key to its original state using a known good configuration or backup. +- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or persistence mechanisms. 
+- Review and audit user accounts and group memberships, particularly those with elevated privileges like Server Operators, to ensure no unauthorized changes have been made. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +- Implement enhanced monitoring and alerting for future modifications to service ImagePath registry keys, focusing on deviations from standard paths to detect similar threats promptly.""" +references = ["https://cube0x0.github.io/Pocing-Beyond-DA/"] risk_score = 47 rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b" severity = "medium" @@ -32,7 +63,7 @@ tags = [ "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" 
@@ -88,41 +119,6 @@ registry where host.os.type == "windows" and event.type == "change" and process. ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Privilege Escalation via Service ImagePath Modification - -Windows services are crucial for system operations, often running with high privileges. Adversaries exploit this by altering the ImagePath registry key of services to execute malicious code with elevated privileges. The detection rule identifies suspicious modifications to service ImagePaths, focusing on changes that deviate from standard executable paths, thus flagging potential privilege escalation attempts. - -### Possible investigation steps - -- Review the specific registry key and value that triggered the alert to confirm it matches one of the monitored service keys, such as those listed in the query (e.g., *\\LanmanServer, *\\Winmgmt). -- Examine the modified ImagePath value to determine if it points to a non-standard executable path or a suspicious executable, especially those not located in %systemroot%\\system32\\. -- Check the process.executable field to identify the process responsible for the registry modification and assess its legitimacy. -- Investigate the user account associated with the modification event to determine if it has elevated privileges, such as membership in the Server Operators group. -- Correlate the event with other logs or alerts to identify any related suspicious activities, such as unexpected service starts or process executions. -- Review recent changes or activities on the host to identify any unauthorized access or configuration changes that could indicate a broader compromise. 
- -### False positive analysis - -- Legitimate software updates or installations may modify service ImagePaths. Users can create exceptions for known update processes or installation paths to prevent false positives. -- System administrators might intentionally change service configurations for maintenance or troubleshooting. Document and exclude these changes by adding exceptions for specific administrator actions or paths. -- Custom scripts or automation tools that modify service settings as part of their operation can trigger alerts. Identify and whitelist these scripts or tools to avoid unnecessary alerts. -- Some third-party security or management software may alter service ImagePaths as part of their functionality. Verify the legitimacy of such software and exclude their known paths from detection. -- Changes made by trusted IT personnel during system configuration or optimization should be logged and excluded from alerts to reduce noise. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement. -- Terminate any suspicious processes identified as running from non-standard executable paths, especially those not originating from the system32 directory. -- Restore the modified ImagePath registry key to its original state using a known good configuration or backup. -- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or persistence mechanisms. -- Review and audit user accounts and group memberships, particularly those with elevated privileges like Server Operators, to ensure no unauthorized changes have been made. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. 
-- Implement enhanced monitoring and alerting for future modifications to service ImagePath registry keys, focusing on deviations from standard paths to detect similar threats promptly.""" [[rule.threat]] @@ -136,6 +132,7 @@ id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -151,9 +148,6 @@ reference = "https://attack.mitre.org/techniques/T1574/011/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index fb4436a95..e47c1e19c 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -13,46 +11,17 @@ Identifies a privilege escalation attempt via a rogue Windows directory (Windir) primitive that is often combined with other vulnerabilities to elevate privileges. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via Windir Environment Variable" -references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"] -risk_score = 73 -rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.type == "change" and -registry.value : ("windir", "systemroot") and -registry.path : ( - "HKEY_USERS\\*\\Environment\\windir", - "HKEY_USERS\\*\\Environment\\systemroot", - "HKU\\*\\Environment\\windir", - "HKU\\*\\Environment\\systemroot", - "HKCU\\*\\Environment\\windir", - "HKCU\\*\\Environment\\systemroot", - "\\REGISTRY\\USER\\*\\Environment\\windir", - "\\REGISTRY\\USER\\*\\Environment\\systemroot", - "USER\\*\\Environment\\windir", - "USER\\*\\Environment\\systemroot" - ) and - not registry.data.strings : ("C:\\windows", "%SystemRoot%") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -89,6 +58,42 @@ The Windir environment variable points to the Windows directory, crucial for sys - Reset passwords for any user accounts that may have been compromised, especially those with elevated privileges. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to alter critical environment variables or other suspicious activities.""" +references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"] +risk_score = 73 +rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and +registry.value : ("windir", "systemroot") and +registry.path : ( + "HKEY_USERS\\*\\Environment\\windir", + "HKEY_USERS\\*\\Environment\\systemroot", + "HKU\\*\\Environment\\windir", + "HKU\\*\\Environment\\systemroot", + "HKCU\\*\\Environment\\windir", + "HKCU\\*\\Environment\\systemroot", + "\\REGISTRY\\USER\\*\\Environment\\windir", + "\\REGISTRY\\USER\\*\\Environment\\systemroot", + "USER\\*\\Environment\\windir", + "USER\\*\\Environment\\systemroot" + ) and + not registry.data.strings : ("C:\\windows", "%SystemRoot%") +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml index 9e9d868ea..2b34ae9ac 100644 
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml +++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml @@ -2,9 +2,7 @@ creation_date = "2021/12/12" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -18,36 +16,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential Privileged Escalation via SamAccountName Spoofing" -references = [ - "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", - "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", - "https://github.com/cube0x0/noPac", - "https://twitter.com/exploitph/status/1469157138928914432", - "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", -] -risk_score = 73 -rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Use Case: Vulnerability", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -iam where event.action == "renamed-user-account" and - /* machine account name renamed to user like account name */ - winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -82,6 +50,36 @@ In Active Directory environments, the samAccountName attribute is crucial for id - Apply the latest security patches and updates to all domain controllers and critical systems to mitigate vulnerabilities like CVE-2021-42278. - Enhance monitoring and logging for Active Directory events, specifically focusing on account renaming activities, to detect similar threats in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" +references = [ + "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", + "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", + "https://github.com/cube0x0/noPac", + "https://twitter.com/exploitph/status/1469157138928914432", + "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", +] +risk_score = 73 +rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Use Case: Vulnerability", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +iam where event.action == "renamed-user-account" and + /* machine account name renamed to user like account name */ + winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$" +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml index 1ab090ec6..c2d36fb1b 100644 
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml index da1c2f521..4324c4d2b 100644 --- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml +++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml @@ -2,9 +2,7 @@ creation_date = "2022/05/11" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -19,36 +17,6 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Computer Account DnsHostName Update"
-references = [
- "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4",
- "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923",
-]
-risk_score = 73
-rule_id = "6bed021a-0afb-461c-acbe-ffdb9574d3f3"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
- "Use Case: Vulnerability",
- "Data Source: Windows Security Event Logs",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-iam where event.action == "changed-computer-account" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and
-
- /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */
- winlog.event_data.DnsHostName : "??*" and
-
- /* exclude FPs where DnsHostName starts with the ComputerName that was changed */
- not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -84,6 +52,36 @@ In Active Directory environments, the DnsHostName attribute links computer accou
 - Escalate the incident to the security operations team for further investigation and to assess potential exploitation of CVE-2022-26923 or other vulnerabilities.
 - Implement additional monitoring on the affected system and similar systems to detect any further suspicious activities or attempts to exploit vulnerabilities.
 - Review and update access controls and permissions for computer accounts in Active Directory to ensure only authorized personnel can make changes to critical attributes like DnsHostName."""
+references = [
+ "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4",
+ "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923",
+]
+risk_score = 73
+rule_id = "6bed021a-0afb-461c-acbe-ffdb9574d3f3"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+ "Use Case: Vulnerability",
+ "Data Source: Windows Security Event Logs",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+iam where event.action == "changed-computer-account" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and
+
+ /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */
+ winlog.event_data.DnsHostName : "??*" and
+
+ /* exclude FPs where DnsHostName starts with the ComputerName that was changed */
+ not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))
+'''
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
index c8f95b7f3..a6208c452 100644
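Review bot: The inline comment `/* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */` in the moved query does not describe the condition beneath it: `winlog.event_data.DnsHostName : "??*"` only requires a value of at least two characters and performs no comparison against domain controller hostnames. The wording was carried over unchanged by this reorder (it also appears in the removed copy of the query in this file's earlier hunk), so it is pre-existing, but it invites analysts tuning the rule to assume a DC match is built in. Consider rewording it to something like `/* any non-trivial DnsHostName value; comparison with DC hostnames happens at triage */`, or adding the DC comparison the comment promises if that was the original intent.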
--- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
+++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/10/20"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SeDebugPrivilege Enabled by a Suspicious Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating SeDebugPrivilege Enabled by a Suspicious Process
+
+SeDebugPrivilege is a powerful Windows privilege allowing processes to debug and modify other processes, typically reserved for system-level tasks. Adversaries exploit this to escalate privileges, bypassing security controls by impersonating system processes. The detection rule identifies suspicious processes enabling SeDebugPrivilege, excluding known legitimate processes, to flag potential privilege escalation attempts.
+
+### Possible investigation steps
+
+- Review the event logs for the specific event.provider "Microsoft-Windows-Security-Auditing" and event.action "Token Right Adjusted Events" to gather more details about the process that enabled SeDebugPrivilege.
+- Identify the process name from winlog.event_data.ProcessName and determine if it is known or expected in the environment. Investigate any unknown or suspicious processes.
+- Check the winlog.event_data.SubjectUserSid to identify the user account associated with the process. Investigate if this account has a history of suspicious activity or if it should have the ability to enable SeDebugPrivilege.
+- Analyze the parent process of the suspicious process to understand how it was initiated and if it was spawned by a legitimate or malicious process.
+- Correlate the timestamp of the event with other security events or alerts to identify any related activities or patterns that could indicate a broader attack or compromise.
+- Investigate the network activity of the suspicious process to determine if it is communicating with any known malicious IP addresses or domains.
+
+### False positive analysis
+
+- Legitimate system maintenance tasks may trigger the rule, such as Windows Update or system diagnostics. Users can monitor the timing of these tasks and correlate them with alerts to determine if they are the cause.
+- Software installations or updates using msiexec.exe might be flagged. Consider excluding msiexec.exe from the rule if it is frequently used in your environment for legitimate purposes.
+- Administrative tools like taskhostw.exe and mmc.exe can sometimes enable SeDebugPrivilege during normal operations. Evaluate the necessity of these tools in your environment and exclude them if they are regularly used by trusted administrators.
+- Temporary files created by legitimate applications, such as DismHost.exe in user temp directories, may be flagged. Review the context of these files and exclude them if they are part of routine application behavior.
+- Regularly review and update the exclusion list to include any new legitimate processes that are identified as false positives, ensuring the rule remains effective without generating unnecessary alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
+- Terminate the suspicious process identified in the alert to stop any ongoing malicious activity and prevent privilege escalation.
+- Conduct a thorough review of the affected system's event logs, focusing on the "Token Right Adjusted Events" to identify any additional unauthorized privilege changes or suspicious activities.
+- Reset credentials for any accounts that may have been compromised or used by the suspicious process, especially those with elevated privileges.
+- Restore the affected system from a known good backup to ensure any malicious changes are removed and the system is returned to a secure state.
+- Implement additional monitoring on the affected system and similar systems to detect any recurrence of the threat, focusing on processes attempting to enable SeDebugPrivilege.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = [
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703",
 "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e",
@@ -77,41 +110,6 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur
 "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
 "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe")
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating SeDebugPrivilege Enabled by a Suspicious Process
-
-SeDebugPrivilege is a powerful Windows privilege allowing processes to debug and modify other processes, typically reserved for system-level tasks. Adversaries exploit this to escalate privileges, bypassing security controls by impersonating system processes. The detection rule identifies suspicious processes enabling SeDebugPrivilege, excluding known legitimate processes, to flag potential privilege escalation attempts.
-
-### Possible investigation steps
-
-- Review the event logs for the specific event.provider "Microsoft-Windows-Security-Auditing" and event.action "Token Right Adjusted Events" to gather more details about the process that enabled SeDebugPrivilege.
-- Identify the process name from winlog.event_data.ProcessName and determine if it is known or expected in the environment. Investigate any unknown or suspicious processes.
-- Check the winlog.event_data.SubjectUserSid to identify the user account associated with the process. Investigate if this account has a history of suspicious activity or if it should have the ability to enable SeDebugPrivilege.
-- Analyze the parent process of the suspicious process to understand how it was initiated and if it was spawned by a legitimate or malicious process.
-- Correlate the timestamp of the event with other security events or alerts to identify any related activities or patterns that could indicate a broader attack or compromise.
-- Investigate the network activity of the suspicious process to determine if it is communicating with any known malicious IP addresses or domains.
-
-### False positive analysis
-
-- Legitimate system maintenance tasks may trigger the rule, such as Windows Update or system diagnostics. Users can monitor the timing of these tasks and correlate them with alerts to determine if they are the cause.
-- Software installations or updates using msiexec.exe might be flagged. Consider excluding msiexec.exe from the rule if it is frequently used in your environment for legitimate purposes.
-- Administrative tools like taskhostw.exe and mmc.exe can sometimes enable SeDebugPrivilege during normal operations. Evaluate the necessity of these tools in your environment and exclude them if they are regularly used by trusted administrators.
-- Temporary files created by legitimate applications, such as DismHost.exe in user temp directories, may be flagged. Review the context of these files and exclude them if they are part of routine application behavior.
-- Regularly review and update the exclusion list to include any new legitimate processes that are identified as false positives, ensuring the rule remains effective without generating unnecessary alerts.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
-- Terminate the suspicious process identified in the alert to stop any ongoing malicious activity and prevent privilege escalation.
-- Conduct a thorough review of the affected system's event logs, focusing on the "Token Right Adjusted Events" to identify any additional unauthorized privilege changes or suspicious activities.
-- Reset credentials for any accounts that may have been compromised or used by the suspicious process, especially those with elevated privileges.
-- Restore the affected system from a known good backup to ensure any malicious changes are removed and the system is returned to a secure state.
-- Implement additional monitoring on the affected system and similar systems to detect any recurrence of the threat, focusing on processes attempting to enable SeDebugPrivilege.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index db3e02e16..4f92ccdc7 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/28"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,37 +11,17 @@ Identifies attempts to bypass User Account Control (UAC) by abusing an elevated
 ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface"
-references = ["https://github.com/hfiref0x/UACME"]
-risk_score = 73
-rule_id = "b90cdde7-7e0d-4359-8bf0-2c112ce2008a"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and
- not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and
- /* CLSID of the Elevated COM Interface IEditionUpgradeManager */
- process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -79,6 +57,33 @@ User Account Control (UAC) is a security feature in Windows designed to prevent
 - Update and patch the operating system and all installed software to the latest versions to mitigate known vulnerabilities.
 - Implement application whitelisting to prevent unauthorized programs from executing, focusing on blocking non-standard paths for critical system executables.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
+references = ["https://github.com/hfiref0x/UACME"]
+risk_score = 73
+rule_id = "b90cdde7-7e0d-4359-8bf0-2c112ce2008a"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and
+ not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and
+ /* CLSID of the Elevated COM Interface IEditionUpgradeManager */
+ process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}"
+'''
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 37eb6ce56..97b2898d6 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,39 +11,17 @@ Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM
 program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer"
-references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"]
-risk_score = 47
-rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and
- process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding"
-
- /* uncomment once in winlogbeat */
- /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -82,6 +58,35 @@ User Account Control (UAC) is a security feature in Windows designed to prevent
 - Update and patch the affected system to the latest security updates to mitigate known vulnerabilities that could be exploited for UAC bypass.
 - Implement application whitelisting to prevent unauthorized executables from running, particularly those in temporary directories.
 - Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""
+references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"]
+risk_score = 47
+rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and
+ process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding"
+
+ /* uncomment once in winlogbeat */
+ /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */
+'''
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index 336f80f31..cc5a3e44a 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
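Review bot: The moved query still carries the placeholder `/* uncomment once in winlogbeat */` followed by a commented-out `process.code_signature.*` exclusion, so the rule ships with an unresolved TODO inside its detection logic and gives no indication of whether those fields are now populated by the winlogbeat and sysmon sources listed in `index`. Since this commit already touches the rule, either enable the exclusion if the fields are available on every listed source, or replace the placeholder with a note that states why it stays disabled, e.g. `/* code_signature exclusion kept disabled: not all sources in index populate these fields; revisit when that changes */`. This text is pre-existing and not introduced by the reorder.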
@@ -2,9 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,35 +11,16 @@ Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevate
 to bypass UAC to stealthily execute code with elevated permissions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
-risk_score = 73
-rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.parent.name == "dllhost.exe" and
- process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and
- process.pe.original_file_name != "WerFault.exe"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -77,6 +56,31 @@ The ICMLuaUtil Elevated COM Interface is a Windows component that facilitates Us
 - Update and patch the operating system and all installed software to mitigate any known vulnerabilities that could be exploited for UAC bypass.
 - Implement application whitelisting to prevent unauthorized applications from executing, focusing on blocking the execution of `dllhost.exe` with suspicious arguments.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
+risk_score = 73
+rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name == "dllhost.exe" and
+ process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and
+ process.pe.original_file_name != "WerFault.exe"
+'''
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index d7cc1793a..4702999f4 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -27,40 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
-risk_score = 47
-rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
- "Data Source: Crowdstrike",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.args : "/autoclean" and process.args : "/d" and process.executable != null and
- not process.executable : (
- "C:\\Windows\\System32\\cleanmgr.exe",
- "C:\\Windows\\SysWOW64\\cleanmgr.exe",
- "C:\\Windows\\System32\\taskhostw.exe",
- "\\Device\\HarddiskVolume?\\Windows\\System32\\cleanmgr.exe",
- "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\cleanmgr.exe",
- "\\Device\\HarddiskVolume?\\Windows\\System32\\taskhostw.exe"
-)
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -97,6 +61,40 @@ User Account Control (UAC) is a security feature in Windows that helps prevent u
 - Update and patch the affected system to the latest security updates to mitigate any known vulnerabilities that could be exploited for UAC bypass.
 - Monitor the affected system and network for any signs of recurring unauthorized activity or similar UAC bypass attempts.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
+risk_score = 47
+rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.args : "/autoclean" and process.args : "/d" and process.executable != null and
+ not process.executable : (
+ "C:\\Windows\\System32\\cleanmgr.exe",
+ "C:\\Windows\\SysWOW64\\cleanmgr.exe",
+ "C:\\Windows\\System32\\taskhostw.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\System32\\cleanmgr.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\cleanmgr.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\System32\\taskhostw.exe"
+)
+'''
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index dc35aabe1..cf962445d 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/27"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 [rule]
 author = ["Elastic"]
@@ -13,40 +11,17 @@ Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. A
 stealthily execute code with elevated permissions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass Attempt via Privileged IFileOperation COM Interface"
-references = [
- "https://github.com/hfiref0x/UACME",
- "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies",
-]
-risk_score = 73
-rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3"
-severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
- "Data Source: SentinelOne",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and
- /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */
- file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and
- /* has no impact on rule logic just to avoid OS install related FPs */
- not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -83,6 +58,36 @@ The IFileOperation COM interface is a Windows component used for file operations - Apply any pending security patches and updates to the operating system and installed software to mitigate known vulnerabilities. - Monitor the network for any signs of similar activity or attempts to exploit the IFileOperation COM interface on other systems. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +references = [ + "https://github.com/hfiref0x/UACME", + "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies", +] +risk_score = 73 +rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and + /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */ + file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and + /* has no impact on rule logic just to avoid OS install related FPs */ + not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*") +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index f2c7c23ec..3fa0c18ee 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml 
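Review bot: The comment `/* has no impact on rule logic just to avoid OS install related FPs */` above the `not file.path` clause in the moved query is inaccurate: the clause does narrow the match, because a file on the side-load name list written under `C:\Windows\SoftwareDistribution\` or `C:\Windows\WinSxS\` is dropped rather than alerted on. Suggest `/* excludes OS servicing paths (Windows Update, WinSxS) to reduce install-related FPs; note this does narrow the match */` so a future tuner understands the trade-off. The query text itself appears identical to the block removed in the previous hunk, so only the key order changes here; the `[rule]` table continues outside the hunk.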
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 41c0ca0ac..43a347532 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 64b893efd..fa2fd7c19 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] 
@@ -39,7 +37,14 @@ Identifies attempts to bypass User Account Control (UAC) by hijacking the Micros Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "UAC Bypass via Windows Firewall Snap-In Hijack" diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml index e833d2756..c0971cf49 100644 --- a/rules/windows/privilege_escalation_unquoted_service_path.toml +++ b/rules/windows/privilege_escalation_unquoted_service_path.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/13" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -25,32 +23,6 @@ index = [ language = "eql" license = "Elastic License v2" name = "Potential Exploitation of an Unquoted Service Path Vulnerability" -risk_score = 21 -rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Data Source: Sysmon", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - ( - process.executable : "?:\\Program.exe" or - process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe""" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -86,6 +58,32 @@ Unquoted service paths in Windows can be exploited by adversaries to escalate pr - Restore the affected system from a known good backup if malicious activity is confirmed and system integrity is compromised. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar suspicious activities across the network to detect and respond to future attempts promptly.""" +risk_score = 21 +rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Data Source: Sysmon", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + ( + process.executable : "?:\\Program.exe" or + process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe""" + ) +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index f5bc7027f..35225fad8 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml 
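Review bot: The two alternatives in the moved query disagree on drive letter: `process.executable : "?:\\Program.exe"` accepts any drive, while the `regex` branch hard-codes `C:`, so an unquoted service path under a non-C drive is only covered by the first branch. The regex also leaves the dot in `\w+.exe` unescaped, where it matches any character instead of a literal period. If other drives are in scope, `process.executable regex """([A-Za-z]:\\Program Files \(x86\)\\|[A-Za-z]:\\Program Files\\)\w+\.exe"""` aligns the two branches; since this hunk only relocates the query, that would be a separate logic change with its own `updated_date` bump. The `[rule]` table continues outside the hunk.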
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] [[transform.osquery]] diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml index 1818cfcba..de94d161c 100644 --- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -23,40 +21,6 @@ index = ["logs-endpoint.events.process-*", "logs-system.security*", "logs-window language = "eql" license = "Elastic License v2" name = "Unusual Print Spooler Child Process" -references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] -risk_score = 47 -rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Windows Security Event Logs", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "spoolsv.exe" and process.command_line != null and - (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and - - /* exclusions for FP control below */ - not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and - not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and - not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and - not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and - not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and - not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and - not process.executable : ( - "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe", - "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe" - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -94,6 +58,40 @@ The Print Spooler service, integral to Windows environments, manages print jobs - Restore the system from a clean backup if any unauthorized changes or malicious activities are confirmed. - Monitor the system closely for any recurrence of similar suspicious activities, ensuring enhanced logging and alerting are in place for spoolsv.exe and its child processes. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] +risk_score = 47 +rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "spoolsv.exe" and process.command_line != null and + (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and + + /* exclusions for FP control below */ + not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and + not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and + not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and + not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and + not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and + not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and + not 
process.executable : ( + "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe", + "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe" + ) +''' [[rule.threat]] diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index d2e880586..5205c3c67 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
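Review bot: Several of the moved exclusions key off command-line substrings that are chosen by whoever launches the child process — `not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*"))` and `not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*"))` — so a SYSTEM-integrity child of spoolsv.exe is ignored whenever its arguments merely contain those strings, which is a much weaker filter than the executable-path exclusions at the end of the query. Consider tying the cmd.exe/powershell.exe exception to the specific installer executable or parent arguments that produced the false positives, or at least expanding `/* exclusions for FP control below */` to record which known-good printer-driver workflows each line was added for, so the next tuner knows what can safely be tightened. The query appears identical to the copy removed in the earlier hunk and is split across two physical lines of this listing; the `[rule]` table continues outside the hunk.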
@@ -14,10 +12,53 @@ This may indicate a code injection or an equivalent form of exploitation. """ false_positives = ["Changes to Windows services or a rarely executed child process."] from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" name = "Unusual Service Host Child Process - Childless Service" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Service Host Child Process - Childless Service + +Service Host (svchost.exe) is a critical Windows process that hosts multiple services to optimize resource usage. Typically, certain services under svchost.exe do not spawn child processes. Adversaries exploit this by injecting malicious code to execute unauthorized processes, evading detection. The detection rule identifies anomalies by monitoring child processes of traditionally childless services, flagging potential exploitation attempts. + +### Possible investigation steps + +- Review the process details of the child process, including its name and executable path, to determine if it is a known legitimate process or potentially malicious. +- Examine the parent process arguments to confirm if the svchost.exe instance is associated with a service that traditionally does not spawn child processes, as listed in the query. 
+- Check the process creation time and correlate it with any other suspicious activities or alerts in the system around the same timeframe. +- Investigate the user account under which the child process was executed to assess if it has the necessary privileges and if the activity aligns with typical user behavior. +- Analyze any network connections or file modifications made by the child process to identify potential malicious actions or data exfiltration attempts. +- Cross-reference the child process with known false positives listed in the query to rule out benign activities. +- Utilize threat intelligence sources to determine if the child process or its executable path is associated with known malware or attack patterns. + +### False positive analysis + +- Processes like WerFault.exe, WerFaultSecure.exe, and wermgr.exe are known to be legitimate Windows error reporting tools that may occasionally be spawned by svchost.exe. To handle these, add them to the exclusion list in the detection rule to prevent unnecessary alerts. +- RelPost.exe associated with WdiSystemHost can be a legitimate process in certain environments. If this is a common occurrence, consider adding an exception for this executable when it is spawned by WdiSystemHost. +- Rundll32.exe executing winethc.dll with ForceProxyDetectionOnNextRun arguments under WdiServiceHost may be a benign operation in some network configurations. If verified as non-malicious, exclude this specific process and argument combination. +- Processes under the imgsvc service, such as lexexe.exe from Kodak directories, might be legitimate in environments using specific imaging software. Validate these occurrences and exclude them if they are confirmed to be non-threatening. +- Regularly review and update the exclusion list to ensure it reflects the current environment and does not inadvertently allow malicious activity. 
+ +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. +- Terminate any suspicious child processes spawned by svchost.exe that are not typically associated with legitimate operations, as identified in the alert. +- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any injected malicious code or associated malware. +- Review and analyze the process tree and parent-child relationships to understand the scope of the compromise and identify any additional affected processes or systems. +- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated through cleaning. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. +- Implement enhanced monitoring and logging for svchost.exe and related processes to detect similar anomalies in the future, ensuring that alerts are configured to notify the appropriate personnel promptly.""" risk_score = 47 rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7" severity = "medium" 
@@ -65,42 +106,6 @@ process where host.os.type == "windows" and event.type == "start" and ) and process.parent.args : "imgsvc" ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Unusual Service Host Child Process - Childless Service - -Service Host (svchost.exe) is a critical Windows process that hosts multiple services to optimize resource usage. Typically, certain services under svchost.exe do not spawn child processes. Adversaries exploit this by injecting malicious code to execute unauthorized processes, evading detection. The detection rule identifies anomalies by monitoring child processes of traditionally childless services, flagging potential exploitation attempts. - -### Possible investigation steps - -- Review the process details of the child process, including its name and executable path, to determine if it is a known legitimate process or potentially malicious. -- Examine the parent process arguments to confirm if the svchost.exe instance is associated with a service that traditionally does not spawn child processes, as listed in the query. -- Check the process creation time and correlate it with any other suspicious activities or alerts in the system around the same timeframe. -- Investigate the user account under which the child process was executed to assess if it has the necessary privileges and if the activity aligns with typical user behavior. -- Analyze any network connections or file modifications made by the child process to identify potential malicious actions or data exfiltration attempts. -- Cross-reference the child process with known false positives listed in the query to rule out benign activities. 
-- Utilize threat intelligence sources to determine if the child process or its executable path is associated with known malware or attack patterns. - -### False positive analysis - -- Processes like WerFault.exe, WerFaultSecure.exe, and wermgr.exe are known to be legitimate Windows error reporting tools that may occasionally be spawned by svchost.exe. To handle these, add them to the exclusion list in the detection rule to prevent unnecessary alerts. -- RelPost.exe associated with WdiSystemHost can be a legitimate process in certain environments. If this is a common occurrence, consider adding an exception for this executable when it is spawned by WdiSystemHost. -- Rundll32.exe executing winethc.dll with ForceProxyDetectionOnNextRun arguments under WdiServiceHost may be a benign operation in some network configurations. If verified as non-malicious, exclude this specific process and argument combination. -- Processes under the imgsvc service, such as lexexe.exe from Kodak directories, might be legitimate in environments using specific imaging software. Validate these occurrences and exclude them if they are confirmed to be non-threatening. -- Regularly review and update the exclusion list to ensure it reflects the current environment and does not inadvertently allow malicious activity. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Terminate any suspicious child processes spawned by svchost.exe that are not typically associated with legitimate operations, as identified in the alert. -- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any injected malicious code or associated malware. -- Review and analyze the process tree and parent-child relationships to understand the scope of the compromise and identify any additional affected processes or systems. 
-- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated through cleaning. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. -- Implement enhanced monitoring and logging for svchost.exe and related processes to detect similar anomalies in the future, ensuring that alerts are configured to notify the appropriate personnel promptly.""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml index cedf86936..cb89a43db 100644 --- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -updated_date = "2025/02/25" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -17,6 +15,40 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via Rogue Named Pipe Impersonation" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Privilege Escalation via Rogue Named Pipe Impersonation + +Named pipes in Windows facilitate inter-process communication, allowing data exchange between processes. Adversaries exploit this by creating rogue named pipes, tricking privileged processes into connecting and executing malicious actions under elevated privileges. The detection rule identifies suspicious named pipe creation events, focusing on patterns indicative of impersonation attempts, thus flagging potential privilege escalation activities. + +### Possible investigation steps + +- Review the event logs for the specific named pipe creation event identified by the query, focusing on the file.name field to determine the exact named pipe path and assess its legitimacy. +- Correlate the event with the process that created the named pipe by examining related process creation logs, identifying the process ID and executable responsible for the action. +- Investigate the user context under which the named pipe was created to determine if it aligns with expected behavior or if it indicates potential misuse of privileges. +- Check for any recent changes or anomalies in the system's configuration or user accounts that could suggest unauthorized access or privilege escalation attempts. +- Analyze historical data for similar named pipe creation events to identify patterns or repeated attempts that could indicate a persistent threat or ongoing attack. 
+ +### False positive analysis + +- Legitimate software or system processes may create named pipes that match the detection pattern. Regularly review and whitelist known benign processes that frequently create named pipes to reduce noise. +- System management tools and monitoring software might generate named pipe creation events as part of their normal operation. Identify these tools and exclude their events from triggering alerts. +- Custom in-house applications that use named pipes for inter-process communication can trigger false positives. Work with development teams to document these applications and create exceptions for their activity. +- Scheduled tasks or scripts that run with elevated privileges and create named pipes could be mistaken for malicious activity. Ensure these tasks are documented and excluded from the detection rule. +- Security software or endpoint protection solutions may use named pipes for legitimate purposes. Verify these activities and adjust the rule to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate any suspicious processes associated with the rogue named pipe to halt any ongoing malicious activities. +- Conduct a thorough review of the system's event logs, focusing on named pipe creation events, to identify any other potentially compromised processes or systems. +- Reset credentials for any accounts that may have been exposed or used in the privilege escalation attempt to prevent further unauthorized access. +- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. +- Implement enhanced monitoring for named pipe creation events across the network to detect and respond to similar threats in the future. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" references = [ "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", "https://github.com/zcgonvh/EfsPotato", 
@@ -57,40 +89,6 @@ file where host.os.type == "windows" and /* Sysmon truncates the "Pipe" keyword in normal named pipe creation events */ file.name : "\\*\\Pipe\\*" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Privilege Escalation via Rogue Named Pipe Impersonation - -Named pipes in Windows facilitate inter-process communication, allowing data exchange between processes. Adversaries exploit this by creating rogue named pipes, tricking privileged processes into connecting and executing malicious actions under elevated privileges. The detection rule identifies suspicious named pipe creation events, focusing on patterns indicative of impersonation attempts, thus flagging potential privilege escalation activities. - -### Possible investigation steps - -- Review the event logs for the specific named pipe creation event identified by the query, focusing on the file.name field to determine the exact named pipe path and assess its legitimacy. -- Correlate the event with the process that created the named pipe by examining related process creation logs, identifying the process ID and executable responsible for the action. -- Investigate the user context under which the named pipe was created to determine if it aligns with expected behavior or if it indicates potential misuse of privileges. -- Check for any recent changes or anomalies in the system's configuration or user accounts that could suggest unauthorized access or privilege escalation attempts. -- Analyze historical data for similar named pipe creation events to identify patterns or repeated attempts that could indicate a persistent threat or ongoing attack. 
- -### False positive analysis - -- Legitimate software or system processes may create named pipes that match the detection pattern. Regularly review and whitelist known benign processes that frequently create named pipes to reduce noise. -- System management tools and monitoring software might generate named pipe creation events as part of their normal operation. Identify these tools and exclude their events from triggering alerts. -- Custom in-house applications that use named pipes for inter-process communication can trigger false positives. Work with development teams to document these applications and create exceptions for their activity. -- Scheduled tasks or scripts that run with elevated privileges and create named pipes could be mistaken for malicious activity. Ensure these tasks are documented and excluded from the detection rule. -- Security software or endpoint protection solutions may use named pipes for legitimate purposes. Verify these activities and adjust the rule to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate any suspicious processes associated with the rogue named pipe to halt any ongoing malicious activities. -- Conduct a thorough review of the system's event logs, focusing on named pipe creation events, to identify any other potentially compromised processes or systems. -- Reset credentials for any accounts that may have been exposed or used in the privilege escalation attempt to prevent further unauthorized access. -- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. -- Implement enhanced monitoring for named pipe creation events across the network to detect and respond to similar threats in the future. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml index bb3ec426e..3f5256352 100644 --- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml +++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml @@ -2,9 +2,7 @@ creation_date = "2022/02/07" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -18,6 +16,41 @@ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Windows Service Installed via an Unusual Client" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Windows Service Installed via an Unusual Client + +Windows services are crucial for running background processes with elevated privileges. Adversaries exploit this by creating services to escalate privileges from administrator to SYSTEM. The detection rule identifies anomalies by flagging service installations initiated by atypical processes, excluding known legitimate services. This helps in spotting potential privilege escalation attempts by monitoring unusual client activity. + +### Possible investigation steps + +- Review the event logs to identify the specific client process that initiated the service installation by examining the winlog.event_data.ClientProcessId and winlog.event_data.ParentProcessId fields. +- Investigate the parent process associated with the unusual client process to determine if it is a known legitimate application or potentially malicious. +- Check the winlog.event_data.ServiceFileName to verify the path and name of the service file, ensuring it is not a known legitimate service excluded in the query. +- Analyze the timeline of events around the service installation to identify any preceding suspicious activities or related alerts that might indicate a broader attack. +- Conduct a reputation check on the client process and service file using threat intelligence sources to assess if they are associated with known malicious activities. 
+- Examine the system for any additional indicators of compromise, such as unexpected network connections or changes to critical system files, that may suggest privilege escalation or lateral movement attempts. + +### False positive analysis + +- Legitimate software installations or updates may trigger the rule if they create services using unusual client processes. To manage this, identify and whitelist these processes in the detection rule to prevent unnecessary alerts. +- System management tools like Veeam and PDQ Inventory are already excluded, but other similar tools might not be. Regularly review and update the exclusion list to include any additional legitimate tools used in your environment. +- Custom scripts or administrative tools that create services for maintenance or monitoring purposes can also cause false positives. Document these scripts and consider adding them to the exclusion list if they are verified as safe. +- Temporary or one-time service installations for troubleshooting or testing can be mistaken for threats. Ensure that such activities are logged and communicated to the security team to avoid confusion and unnecessary alerts. +- Changes in system configurations or updates to existing software might alter the behavior of legitimate processes, causing them to be flagged. Regularly review and adjust the detection rule to accommodate these changes while maintaining security integrity. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Terminate the suspicious service and any associated processes identified by the alert to stop potential privilege escalation or malicious activity. +- Conduct a thorough review of the service's configuration and associated files to identify any unauthorized changes or malicious code. +- Restore any altered or compromised system files from a known good backup to ensure system integrity. 
+- Change all administrator and SYSTEM account passwords on the affected system and any connected systems to prevent further unauthorized access. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach. +- Implement additional monitoring and logging on the affected system and similar environments to detect any recurrence of the threat or related suspicious activities.""" references = [ "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", 
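Review bot: The remediation bullet `Change all administrator and SYSTEM account passwords on the affected system and any connected systems` in the added note is not actionable as written: the built-in SYSTEM (LocalSystem) account has no password to rotate. Suggest `- Reset credentials for local and domain administrator accounts used on the host and for any service account the rogue service was configured to run under; treat credentials cached on the host as exposed.` The same text appears to be relocated from later in the file rather than newly written, so the wording predates this change, but the new side is what ships. While there, `whitelist these processes in the detection rule` in the false-positive section would read more precisely as `add an exception for these processes`, matching the exclusion list the next bullet refers to.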
@@ -65,41 +98,6 @@ configuration where host.os.type == "windows" and "\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" " ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Windows Service Installed via an Unusual Client - -Windows services are crucial for running background processes with elevated privileges. Adversaries exploit this by creating services to escalate privileges from administrator to SYSTEM. The detection rule identifies anomalies by flagging service installations initiated by atypical processes, excluding known legitimate services. This helps in spotting potential privilege escalation attempts by monitoring unusual client activity. - -### Possible investigation steps - -- Review the event logs to identify the specific client process that initiated the service installation by examining the winlog.event_data.ClientProcessId and winlog.event_data.ParentProcessId fields. -- Investigate the parent process associated with the unusual client process to determine if it is a known legitimate application or potentially malicious. -- Check the winlog.event_data.ServiceFileName to verify the path and name of the service file, ensuring it is not a known legitimate service excluded in the query. -- Analyze the timeline of events around the service installation to identify any preceding suspicious activities or related alerts that might indicate a broader attack. -- Conduct a reputation check on the client process and service file using threat intelligence sources to assess if they are associated with known malicious activities. 
-- Examine the system for any additional indicators of compromise, such as unexpected network connections or changes to critical system files, that may suggest privilege escalation or lateral movement attempts. - -### False positive analysis - -- Legitimate software installations or updates may trigger the rule if they create services using unusual client processes. To manage this, identify and whitelist these processes in the detection rule to prevent unnecessary alerts. -- System management tools like Veeam and PDQ Inventory are already excluded, but other similar tools might not be. Regularly review and update the exclusion list to include any additional legitimate tools used in your environment. -- Custom scripts or administrative tools that create services for maintenance or monitoring purposes can also cause false positives. Document these scripts and consider adding them to the exclusion list if they are verified as safe. -- Temporary or one-time service installations for troubleshooting or testing can be mistaken for threats. Ensure that such activities are logged and communicated to the security team to avoid confusion and unnecessary alerts. -- Changes in system configurations or updates to existing software might alter the behavior of legitimate processes, causing them to be flagged. Regularly review and adjust the detection rule to accommodate these changes while maintaining security integrity. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Terminate the suspicious service and any associated processes identified by the alert to stop potential privilege escalation or malicious activity. -- Conduct a thorough review of the service's configuration and associated files to identify any unauthorized changes or malicious code. -- Restore any altered or compromised system files from a known good backup to ensure system integrity. 
-- Change all administrator and SYSTEM account passwords on the affected system and any connected systems to prevent further unauthorized access. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach. -- Implement additional monitoring and logging on the affected system and similar environments to detect any recurrence of the threat or related suspicious activities.""" [[rule.threat]] diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml index 9ac967089..5fd3ef741 100644 --- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml +++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -30,7 +28,7 @@ tags = [ "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml index e62bcef9a..529eff840 100644 --- a/rules_building_block/collection_outlook_email_archive.toml +++ b/rules_building_block/collection_outlook_email_archive.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml index 758463862..62459cca5 100644 --- a/rules_building_block/collection_posh_compression.toml +++ b/rules_building_block/collection_posh_compression.toml @@ -3,13 +3,11 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/10" - +updated_date = "2025/03/20" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration. @@ -40,10 +38,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category:process and host.os.type:windows and 
@@ -75,41 +79,42 @@ not file.directory : ( ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*" - +case_insensitive = true +value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" - +case_insensitive = true +value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Expand-Archive.ps1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Expand-Archive.ps1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Compress-Archive.ps1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Compress-Archive.ps1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -117,26 +122,26 @@ id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml index d2170ca13..3952b0606 100644 --- a/rules_building_block/command_and_control_bitsadmin_activity.toml +++ b/rules_building_block/command_and_control_bitsadmin_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml index 3216e4d2f..4ed4c5547 100644 --- a/rules_building_block/command_and_control_certutil_network_connection.toml +++ b/rules_building_block/command_and_control_certutil_network_connection.toml 
@@ -1,13 +1,42 @@ [metadata] +bypass_bbr_timing = true creation_date = "2020/03/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" -bypass_bbr_timing = true -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [transform] +[[transform.investigate]] +label = "Alerts associated with the user in the last 48h" +providers = [ + [ + { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, + { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" } + ] +] +relativeFrom = "now-48h/h" +relativeTo = "now" + +[[transform.investigate]] +label = "Alerts associated with the host in the last 48h" +providers = [ + [ + { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" }, + { excluded = false, field = "host.name", queryType = "phrase", value = "{{host.name}}", valueType = "string" } + ] +] +relativeFrom = "now-48h/h" +relativeTo = "now" + +[[transform.investigate]] +label = "Investigate the Subject Process Network Events" +providers = [ + [ + { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" } + ] +] + [[transform.osquery]] label = "Osquery - Retrieve DNS Cache" query = "SELECT * FROM dns_cache" 
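Review bot: This is not a pure relocation of the three `[[transform.investigate]]` blocks: in `Investigate the Subject Process Network Events` the provider order is now `event.category` before `process.entity_id`, the reverse of the block removed in the next hunk, and the keys inside each inline table were reordered as well. Presumably a formatter sorted them and providers within one group are combined conjunctively, so the resulting timeline query should be unchanged, but if the rendered timeline lists providers in array order the generated investigation link will read differently, which is worth confirming once. A one-line `# providers within a group are AND-ed; order only affects display` comment above the first block would spare the next reader the same question.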
@@ -32,37 +61,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ -[[transform.investigate]] -label = "Alerts associated with the user in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "user.id", excluded = false, queryType = "phrase", value = "{{user.id}}", valueType = "string"} - ] -] - -[[transform.investigate]] -label = "Alerts associated with the host in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "host.name", excluded = false, queryType = "phrase", value = "{{host.name}}", valueType = "string"} - ] -] - -[[transform.investigate]] -label = "Investigate the Subject Process Network Events" -providers = [ - [ - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.entity_id}}", valueType = "string"}, - {field = "event.category", excluded = false, queryType = "phrase", value = "network", valueType = "string"} - ] -] - [rule] author = ["Elastic"] 
@@ -137,7 +135,17 @@ references = [ risk_score = 21 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Elastic Endgame", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml index a2cbeacc1..6eb634e33 100644 --- a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -2,10 +2,8 @@ bypass_bbr_timing = true creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -15,7 +13,13 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "Microsoft IIS Service Account Password Dumped" 
diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index b310d2c5f..c4ef158a6 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml +++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index 9bf8d3042..b46bd062d 100644 --- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/defense_evasion_cmstp_execution.toml b/rules_building_block/defense_evasion_cmstp_execution.toml index 74c2776b8..d01afb351 100644 --- a/rules_building_block/defense_evasion_cmstp_execution.toml +++ b/rules_building_block/defense_evasion_cmstp_execution.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml index 55afd9005..789ad40cc 100644 --- a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml +++ b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml @@ -2,16 +2,20 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] building_block_type = "default" description = "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\n" from = "now-119m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/defense_evasion_installutil_command_activity.toml b/rules_building_block/defense_evasion_installutil_command_activity.toml index 64165d53d..86102a0b4 100644 --- a/rules_building_block/defense_evasion_installutil_command_activity.toml +++ b/rules_building_block/defense_evasion_installutil_command_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,7 +13,13 @@ installer components specified in .NET binaries. Adversaries may use InstallUtil a trusted Windows utility. """ from = "now-119m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml index 7854e0caa..6c94369c5 100644 --- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml +++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab fi unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files. """ from = "now-119m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/defense_evasion_posh_defender_tampering.toml b/rules_building_block/defense_evasion_posh_defender_tampering.toml index bfccbb39e..91d9ec2d5 100644 --- a/rules_building_block/defense_evasion_posh_defender_tampering.toml +++ b/rules_building_block/defense_evasion_posh_defender_tampering.toml 
@@ -3,13 +3,11 @@ bypass_bbr_timing = true creation_date = "2024/09/11" integration = ["windows"] maturity = "production" -updated_date = "2025/01/13" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." - +updated_date = "2025/03/20" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads. @@ -40,10 +38,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category: "process" and host.os.type:windows and diff --git a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml index ed5067dbc..2626ddc3e 100644 --- a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml +++ b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml 
@@ -2,25 +2,24 @@ creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2024/10/28" +updated_date = "2025/03/20" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.powershell*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Log Clear Capabilities" references = [ - "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", - "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog" + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog", ] risk_score = 21 rule_id = "3d3aa8f9-12af-441f-9344-9f31053e316d" @@ -43,10 +42,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category:process and host.os.type:windows and 
@@ -62,20 +67,21 @@ event.category:process and host.os.type:windows and not file.directory : "C:\Program Files\WindowsAdminCenter\PowerShellModules\Microsoft.WindowsAdminCenter.Configuration" ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1" - +case_insensitive = true +value = "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Resources\\\\*\\\\M365Library.ps1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Resources\\\\*\\\\M365Library.ps1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -87,26 +93,27 @@ id = "T1070.001" name = "Clear Windows Event Logs" reference = "https://attack.mitre.org/techniques/T1070/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml index d8411c0a5..9eb28e159 100644 
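Review bot: Both negated filters in this hunk key only on `file.path` with a `?:` drive wildcard, so a script that merely sits at the same relative path on another volume (for example `D:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\foo.psd1`) is excluded from this log-clear BBR even though nothing else about it is vetted, and on a secondary volume that directory tree may be creatable without admin rights. The query body just above the hunk pins its own exclusion to `C:\Program Files\WindowsAdminCenter\...`, which is the tighter form. Since the hunk only drops the quotes around `case_insensitive` and `value`, this is a reasonable moment to either anchor the first exclusion to the system drive or record the assumption, e.g. `# exclusion is path-only; a mirror of this path on an attacker-writable volume would also match`. The query these filters apply to begins before the hunk.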
--- a/rules_building_block/defense_evasion_service_path_registry.toml +++ b/rules_building_block/defense_evasion_service_path_registry.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -30,7 +28,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index 088e46ce1..5a13a3271 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml +++ b/rules_building_block/defense_evasion_services_exe_path.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml index 6928b4187..086653872 100644 --- a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml +++ b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml index 70173ff15..90930db47 100644 --- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml +++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml @@ -2,16 +2,20 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] building_block_type = "default" description = "Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.\n" from = "now-119m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index 1d1c148c5..ca738169f 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml index b9a6fec30..2fec57a2b 100644 --- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml 
+++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2022/11/01" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -15,7 +13,13 @@ Identifies the execution of discovery commands to enumerate system information, Command Shell. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "System Information Discovery via Windows Command Shell" diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml index e2de88493..60a147263 100644 --- a/rules_building_block/discovery_generic_process_discovery.toml +++ b/rules_building_block/discovery_generic_process_discovery.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,7 +13,13 @@ This rule identifies the execution of commands that can be used to enumerate run enumerate processes to identify installed applications and security solutions. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "Process Discovery Using Built-in Tools" diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index 1842896d8..4d83aa906 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml index 2a994dd41..196586ddc 100644 --- a/rules_building_block/discovery_net_view.toml +++ b/rules_building_block/discovery_net_view.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml index 0e3060ae3..38dee1fa6 100644 --- a/rules_building_block/discovery_posh_generic.toml +++ b/rules_building_block/discovery_posh_generic.toml 
@@ -2,20 +2,18 @@ creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/13" - +updated_date = "2025/03/20" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.powershell*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Discovery Capabilities" @@ -40,10 +38,17 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Discovery", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category:process and host.os.type:windows and 
@@ -142,84 +147,89 @@ event.category:process and host.os.type:windows and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1" - +case_insensitive = true +value = "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1" - +case_insensitive = true +value = "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\TEMP\\\\SDIAG*" - +case_insensitive = true +value = "?:\\\\Windows\\\\TEMP\\\\SDIAG*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Temp\\\\SDIAG*" - +case_insensitive = true +value = "?:\\\\Temp\\\\SDIAG*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = 
"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*" - - +case_insensitive = true +value = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1007" +name = "System Service Discovery" +reference = "https://attack.mitre.org/techniques/T1007/" [[rule.threat.technique]] -id = "T1087" -name = "Account Discovery" -reference = "https://attack.mitre.org/techniques/T1087/" -[[rule.threat.technique.subtechnique]] -id = "T1087.001" -name = "Local Account" -reference = "https://attack.mitre.org/techniques/T1087/001/" -[[rule.threat.technique.subtechnique]] -id = "T1087.002" -name = "Domain Account" -reference = "https://attack.mitre.org/techniques/T1087/002/" - +id = "T1012" +name = "Query Registry" +reference = "https://attack.mitre.org/techniques/T1012/" [[rule.threat.technique]] -id = "T1482" -name = "Domain Trust Discovery" -reference = "https://attack.mitre.org/techniques/T1482/" +id = "T1049" +name = "System Network Connections Discovery" +reference = "https://attack.mitre.org/techniques/T1049/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" [[rule.threat.technique]] id = "T1082" 
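Review bot: The new side of this hunk lists T1082 twice: the added `[[rule.threat.technique]]` block with `id = "T1082"` is immediately followed by context lines holding another `[[rule.threat.technique]]` with `id = "T1082"` (unless the page garbled that id), so the alphabetised list still carries the duplicate that a later hunk deletes only one copy of. Drop one of the two entries so the rule's MITRE mapping has a single `T1082` / "System Information Discovery" record. Separately, the retained exclusions `?:\Windows\TEMP\SDIAG*`, `?:\Temp\SDIAG*` and `?:\Users\*\AppData\Local\Temp\SDIAG*` are keyed only on a user-writable path prefix, so any script dropped as `%LOCALAPPDATA%\Temp\SDIAG<anything>.ps1` escapes this discovery BBR; consider tying them to the troubleshooting process that produces them, or at least documenting the gap with `# SDIAG exclusions match attacker-writable temp paths; accepted FP trade-off`. The query and the remaining technique entries extend outside this hunk.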
@@ -232,9 +242,19 @@ name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" [[rule.threat.technique]] -id = "T1615" -name = "Group Policy Discovery" -reference = "https://attack.mitre.org/techniques/T1615/" +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" +[[rule.threat.technique.subtechnique]] +id = "T1087.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1087/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1087/002/" + [[rule.threat.technique]] id = "T1135" 
@@ -247,45 +267,30 @@ name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" [[rule.threat.technique]] -id = "T1057" -name = "Process Discovery" -reference = "https://attack.mitre.org/techniques/T1057/" +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" -[[rule.threat.technique]] -id = "T1012" -name = "Query Registry" -reference = "https://attack.mitre.org/techniques/T1012/" [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1615" +name = "Group Policy Discovery" +reference = "https://attack.mitre.org/techniques/T1615/" -[[rule.threat.technique]] -id = "T1049" -name = "System Network Connections Discovery" -reference = "https://attack.mitre.org/techniques/T1049/" - -[[rule.threat.technique]] -id = "T1007" -name = "System Service Discovery" -reference = "https://attack.mitre.org/techniques/T1007/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml index 3178120fd..2c41449a8 100644 --- a/rules_building_block/discovery_posh_password_policy.toml +++ b/rules_building_block/discovery_posh_password_policy.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 37b12767e..49272de50 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -2,10 +2,8 @@ bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml index e56e9b0e2..ace9b215e 100644 --- a/rules_building_block/discovery_security_software_wmic.toml +++ b/rules_building_block/discovery_security_software_wmic.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/10/19" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,7 +13,13 @@ Identifies the use of Windows Management Instrumentation Command (WMIC) to disco such as AntiVirus or Host Firewall details. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "Security Software Discovery using WMIC" diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml index c5519bc74..6a3814558 100644 --- a/rules_building_block/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -16,7 +14,13 @@ reconnaissance phase after compromising a system in order to gain a better under escalate privileges. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "System Service Discovery through built-in Windows Utilities" diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml index 1e62fda4a..4966907e2 100644 --- a/rules_building_block/discovery_system_time_discovery.toml +++ b/rules_building_block/discovery_system_time_discovery.toml 
@@ -2,10 +2,8 @@ bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint", "system"] -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -15,7 +13,13 @@ Detects the usage of commonly used system time discovery techniques, which attac phase after compromising a system. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "System Time Discovery" diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index a498c69d5..c2deaf422 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -15,7 +13,13 @@ Detects the execution of commands used to discover information about the system, compromising a system to gain situational awareness. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] language = "eql" license = "Elastic License v2" name = "Windows System Information Discovery" diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index e359ebfef..1c0144646 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -31,7 +29,7 @@ tags = [ "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", - "Data Source: Elastic Endgame" + "Data Source: Elastic Endgame", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/execution_wmi_wbemtest.toml b/rules_building_block/execution_wmi_wbemtest.toml index 35ebcffc2..882eb57f1 100644 --- a/rules_building_block/execution_wmi_wbemtest.toml +++ b/rules_building_block/execution_wmi_wbemtest.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] 
@@ -14,7 +12,13 @@ Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI ob local or remote endpoints. """ from = "now-119m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml index 57593d58f..ddedfe457 100644 --- a/rules_building_block/lateral_movement_at.toml +++ b/rules_building_block/lateral_movement_at.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ Identifies use of at.exe to interact with the task scheduler on remote hosts. Re execution could be indicative of adversary lateral movement. """ from = "now-119m" -index = ["endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.*", "winlogbeat-*"] +index = [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-system.security*", + "logs-windows.*", + "winlogbeat-*", +] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml index 10926d95c..be606f963 100644 --- a/rules_building_block/lateral_movement_posh_winrm_activity.toml +++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml 
@@ -2,26 +2,25 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." -min_stack_version = "8.14.0" -updated_date = "2025/01/13" +updated_date = "2025/03/20" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.powershell*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Remote Execution Capabilities via WinRM" references = [ - "https://attack.mitre.org/techniques/T1021/006/", - "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", - "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py" + "https://attack.mitre.org/techniques/T1021/006/", + "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", + "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py", ] risk_score = 21 rule_id = "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83" 
@@ -43,12 +42,18 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ - severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category:process and host.os.type:windows and @@ -67,27 +72,28 @@ event.category:process and host.os.type:windows and ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\allcommands.ps1" - +case_insensitive = true +value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\allcommands.ps1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.directory"] -"case_insensitive" = true -"value" = "?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\*\\\\bin" - +case_insensitive = true +value = "?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\*\\\\bin" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.directory"] -"case_insensitive" = true -"value" = "?:\\\\ExchangeServer\\\\bin*" - +case_insensitive = true +value = "?:\\\\ExchangeServer\\\\bin*" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
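Review bot: The third negated filter in this hunk, `[rule.filters.query.wildcard."file.directory"]` with `value = "?:\\\\ExchangeServer\\\\bin*"`, names a root-level directory on any drive with an open-ended trailing `*`, so a `file.directory` such as `E:\ExchangeServer\bin` or `E:\ExchangeServer\binaries` created by a user with write access to a non-system volume would suppress this WinRM-remoting BBR. The other two exclusions at least sit under Program Files, but they share the `?:` drive wildcard. If subfolders are the intent, `value = "?:\\\\ExchangeServer\\\\bin\\\\*"` next to the exact path is less permissive than `bin*`; otherwise drop the trailing `*` and record the reason, e.g. `# Exchange may live on a non-system drive; exclusion is path-only and therefore spoofable`. The hunk only de-quotes the keys, so this is pre-existing, but the commit is touching exactly these lines and the query they apply to starts before the hunk.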
@@ -105,21 +111,19 @@ reference = "https://attack.mitre.org/techniques/T1021/006/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 63d3a181f..75ac81fc7 100644 --- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"] diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml index d4a1efd3b..977415453 100644 --- a/rules_building_block/persistence_transport_agent_exchange.toml +++ b/rules_building_block/persistence_transport_agent_exchange.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/14" integration = ["windows"] maturity = "production" -updated_date = "2024/10/28" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/03/20" [rule] author = ["Elastic"]