Refresh Manifest and Schemas November Update (#5298)

This commit is contained in:
shashank-elastic
2025-11-11 18:04:20 +05:30
committed by GitHub
parent 29393f2ca4
commit e938ecf41a
80 changed files with 319 additions and 450 deletions
@@ -83,15 +83,15 @@
]
},
"interval": {
"type": [
"string"
]
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
@@ -108,9 +108,8 @@
]
},
"max_signals": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -147,22 +146,11 @@
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"type": [
"string"
]
},
"package": {
"type": "string"
},
"version": {
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
@@ -178,16 +166,12 @@
"type": "boolean"
},
"name": {
"type": "string"
},
"type": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
"ecs"
],
"type": "object"
},
@@ -203,6 +187,8 @@
]
},
"risk_score": {
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
@@ -236,6 +222,7 @@
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
@@ -323,13 +310,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -344,6 +331,7 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
@@ -357,13 +345,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -374,8 +362,7 @@
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -400,14 +387,10 @@
]
},
"timeline_id": {
"type": [
"string"
]
"type": "string"
},
"timeline_title": {
"type": [
"string"
]
"type": "string"
},
"timestamp_override": {
"type": [
@@ -434,17 +417,13 @@
"type": "string"
},
"version": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
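Review bot: The `reference` patterns added on L105, L121 and L129 leave the dots in `attack.mitre.org` unescaped, so `^https://attack.mitre.org/tactics/TA[0-9]+/$` also accepts a look-alike host such as `attackXmitreXorg`; they should read `"^https://attack\\.mitre\\.org/tactics/TA[0-9]+/$"` (and the technique/subtechnique forms likewise), which is the whole point of pinning the reference host in a schema. The `rule_id` pattern on L97 hardcodes one non-UUID exception, `7eb54028-ca72-4eb7-8185-b6864572347db` (13 hex digits in the last group), with nothing recording why it exists; since JSON has no comments, a `"$comment"` beside the pattern or a comment in the generator that emits it would keep the next refresh from silently dropping or widening the exception. The counts on the `@@ -434,17 +417,13 @@` hunk (L168-187) show that, besides the `type` array, three entries were removed from the top-level `required` list, which the rendered page does not identify; if `risk_score`, `severity` or `description` are among them, the schema no longer enforces fields the rule loader relies on, so that should be confirmed against the Python-side validation. The same hunks recur in the other schema files on this page (L315/L323, L535/L543, L755/L763, L1020/L1028, L1241/L1249, L1485/L1493, L1705/L1713).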
@@ -35,29 +35,33 @@
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
@@ -143,15 +147,15 @@
]
},
"interval": {
"type": [
"string"
]
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
@@ -174,9 +178,8 @@
]
},
"max_signals": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -216,22 +219,11 @@
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"type": [
"string"
]
},
"package": {
"type": "string"
},
"version": {
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
@@ -247,16 +239,12 @@
"type": "boolean"
},
"name": {
"type": "string"
},
"type": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
"ecs"
],
"type": "object"
},
@@ -272,6 +260,8 @@
]
},
"risk_score": {
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
@@ -305,6 +295,7 @@
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
@@ -392,13 +383,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -413,6 +404,7 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
@@ -426,13 +418,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -443,8 +435,7 @@
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -475,14 +466,10 @@
]
},
"timeline_id": {
"type": [
"string"
]
"type": "string"
},
"timeline_title": {
"type": [
"string"
]
"type": "string"
},
"timestamp_field": {
"min_compat": "8.0",
@@ -507,19 +494,15 @@
"type": "string"
},
"version": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
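Review bot: `"enumNames": []` on L217 pairs an empty display-name array with a two-value `enum`; `enumNames` is not a JSON Schema core keyword (it comes from form-rendering extensions such as react-jsonschema-form, where it is expected to run parallel to `enum`), so a strict validator ignores it and a renderer that honors it has no names to show. Either emit the names, `"enumNames": ["suppress", "doNotSuppress"]`, or have the generator omit the key when it has nothing to put in it. The same line appears in the alert_suppression hunks at L437, L657, L877, L1143 and L1363.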
@@ -35,29 +35,33 @@
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
@@ -137,15 +141,15 @@
]
},
"interval": {
"type": [
"string"
]
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
@@ -168,9 +172,8 @@
]
},
"max_signals": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -210,22 +213,11 @@
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"type": [
"string"
]
},
"package": {
"type": "string"
},
"version": {
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
@@ -241,16 +233,12 @@
"type": "boolean"
},
"name": {
"type": "string"
},
"type": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
"ecs"
],
"type": "object"
},
@@ -266,6 +254,8 @@
]
},
"risk_score": {
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
@@ -299,6 +289,7 @@
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
@@ -386,13 +377,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -407,6 +398,7 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
@@ -420,13 +412,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -437,8 +429,7 @@
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -463,14 +454,10 @@
]
},
"timeline_id": {
"type": [
"string"
]
"type": "string"
},
"timeline_title": {
"type": [
"string"
]
"type": "string"
},
"timestamp_override": {
"type": [
@@ -489,19 +476,15 @@
"type": "string"
},
"version": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
@@ -35,29 +35,33 @@
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"anomaly_threshold": {
@@ -127,15 +131,15 @@
]
},
"interval": {
"type": [
"string"
]
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
@@ -165,9 +169,8 @@
]
},
"max_signals": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -204,22 +207,11 @@
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"type": [
"string"
]
},
"package": {
"type": "string"
},
"version": {
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
@@ -235,16 +227,12 @@
"type": "boolean"
},
"name": {
"type": "string"
},
"type": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
"ecs"
],
"type": "object"
},
@@ -260,6 +248,8 @@
]
},
"risk_score": {
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
@@ -293,6 +283,7 @@
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
@@ -380,13 +371,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -401,6 +392,7 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
@@ -414,13 +406,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -431,8 +423,7 @@
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -457,14 +448,10 @@
]
},
"timeline_id": {
"type": [
"string"
]
"type": "string"
},
"timeline_title": {
"type": [
"string"
]
"type": "string"
},
"timestamp_override": {
"type": [
@@ -483,9 +470,8 @@
"type": "string"
},
"version": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
}
},
"required": [
@@ -493,9 +479,6 @@
"author",
"description",
"machine_learning_job_id",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
@@ -35,29 +35,33 @@
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
@@ -137,15 +141,15 @@
]
},
"interval": {
"type": [
"string"
]
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
@@ -172,9 +176,8 @@
]
},
"max_signals": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -197,6 +200,7 @@
"additionalProperties": false,
"properties": {
"field": {
"minLength": 1,
"type": "string"
},
"history_window_start": {
@@ -204,31 +208,26 @@
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"value": {
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"value": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
}
},
"required": [
"field",
"history_window_start",
"value"
"history_window_start"
],
"type": "object"
},
@@ -253,22 +252,11 @@
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"type": [
"string"
]
},
"package": {
"type": "string"
},
"version": {
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
@@ -284,16 +272,12 @@
"type": "boolean"
},
"name": {
"type": "string"
},
"type": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
"ecs"
],
"type": "object"
},
@@ -309,6 +293,8 @@
]
},
"risk_score": {
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
@@ -342,6 +328,7 @@
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
@@ -429,13 +416,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -450,6 +437,7 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
@@ -463,13 +451,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -480,8 +468,7 @@
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -506,14 +493,10 @@
]
},
"timeline_id": {
"type": [
"string"
]
"type": "string"
},
"timeline_title": {
"type": [
"string"
]
"type": "string"
},
"timestamp_override": {
"type": [
@@ -532,20 +515,16 @@
"type": "string"
},
"version": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"new_terms",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
@@ -35,29 +35,33 @@
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
@@ -137,15 +141,15 @@
]
},
"interval": {
"type": [
"string"
]
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
@@ -172,9 +176,8 @@
]
},
"max_signals": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -214,22 +217,11 @@
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"type": [
"string"
]
},
"package": {
"type": "string"
},
"version": {
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
@@ -245,16 +237,12 @@
"type": "boolean"
},
"name": {
"type": "string"
},
"type": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
"ecs"
],
"type": "object"
},
@@ -270,6 +258,8 @@
]
},
"risk_score": {
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
@@ -303,6 +293,7 @@
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
@@ -390,13 +381,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -411,6 +402,7 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
@@ -424,13 +416,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -441,8 +433,7 @@
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -467,14 +458,10 @@
]
},
"timeline_id": {
"type": [
"string"
]
"type": "string"
},
"timeline_title": {
"type": [
"string"
]
"type": "string"
},
"timestamp_override": {
"type": [
@@ -493,19 +480,15 @@
"type": "string"
},
"version": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
@@ -35,29 +35,33 @@
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
@@ -74,11 +78,6 @@
"string"
]
},
"concurrent_searches": {
"type": [
"integer"
]
},
"data_view_id": {
"type": [
"string"
@@ -142,15 +141,15 @@
]
},
"interval": {
"type": [
"string"
]
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
@@ -161,11 +160,6 @@
],
"type": "object"
},
"items_per_search": {
"type": [
"integer"
]
},
"language": {
"enum": [
"eql",
@@ -182,9 +176,8 @@
]
},
"max_signals": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -224,22 +217,11 @@
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"type": [
"string"
]
},
"package": {
"type": "string"
},
"version": {
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
@@ -255,16 +237,12 @@
"type": "boolean"
},
"name": {
"type": "string"
},
"type": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
"ecs"
],
"type": "object"
},
@@ -280,6 +258,8 @@
]
},
"risk_score": {
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
@@ -313,6 +293,7 @@
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
@@ -400,13 +381,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -421,6 +402,7 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
@@ -434,13 +416,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -451,8 +433,7 @@
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -520,6 +501,7 @@
"additionalProperties": false,
"properties": {
"field": {
"minLength": 1,
"type": "string"
},
"negate": {
@@ -533,15 +515,10 @@
"mapping"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field",
"type",
"value"
"type"
],
"type": "object"
},
@@ -566,14 +543,10 @@
]
},
"timeline_id": {
"type": [
"string"
]
"type": "string"
},
"timeline_title": {
"type": [
"string"
]
"type": "string"
},
"timestamp_override": {
"type": [
@@ -592,19 +565,15 @@
"type": "string"
},
"version": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threat_index",
"threat_mapping",
@@ -35,12 +35,12 @@
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
"unit"
],
"type": "object"
}
@@ -127,15 +127,15 @@
]
},
"interval": {
"type": [
"string"
]
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
@@ -162,9 +162,8 @@
]
},
"max_signals": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -204,22 +203,11 @@
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"type": [
"string"
]
},
"package": {
"type": "string"
},
"version": {
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
@@ -235,16 +223,12 @@
"type": "boolean"
},
"name": {
"type": "string"
},
"type": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
"ecs"
],
"type": "object"
},
@@ -260,6 +244,8 @@
]
},
"risk_score": {
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
@@ -293,6 +279,7 @@
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
@@ -380,13 +367,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -401,6 +388,7 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
@@ -414,13 +402,13 @@
"type": "string"
},
"reference": {
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -431,8 +419,7 @@
},
"required": [
"id",
"name",
"reference"
"name"
],
"type": "object"
},
@@ -462,12 +449,12 @@
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"field",
"value"
"field"
],
"type": "object"
},
@@ -477,18 +464,17 @@
},
"field": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 5,
"type": "array"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"throttle": {
@@ -497,14 +483,10 @@
]
},
"timeline_id": {
"type": [
"string"
]
"type": "string"
},
"timeline_title": {
"type": [
"string"
]
"type": "string"
},
"timestamp_override": {
"type": [
@@ -523,19 +505,15 @@
"type": "string"
},
"version": {
"type": [
"integer"
]
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threshold",
"type"
@@ -133,5 +133,5 @@
"T1547.011": "T1647",
"T1574.002": "T1574.001"
},
"saved_date": "Fri Oct 17 17:21:42 2025"
"saved_date": "Tue Nov 11 12:54:18 2025"
}
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
+4 -4
@@ -140,11 +140,11 @@
endgame: "8.4.0"
"9.2.0":
beats: "9.1.5"
ecs: "9.2.0-rc1"
beats: "9.2.0"
ecs: "9.2.0"
endgame: "8.4.0"
"9.3.0":
beats: "9.1.5"
ecs: "9.2.0-rc1"
beats: "9.2.0"
ecs: "9.2.0"
endgame: "8.4.0"
+1 -1
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.5.5"
version = "1.5.6"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
@@ -2,7 +2,7 @@
creation_date = "2025/10/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/10/30"
updated_date = "2025/11/11"
[rule]
author = ["Elastic"]
@@ -17,6 +17,37 @@ index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via SUID/SGID Proxy Execution"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Potential Privilege Escalation via SUID/SGID Proxy Execution
This rule surfaces executions of well-known SUID/SGID helpers on Linux that run with root privileges while the launching user remains nonroot, signaling an attempt to proxy elevated rights. It matters because a nonprivileged process invoking pkexec can spawn /bin/sh as root via environment manipulation, turning a low-privilege foothold into full system control.
### Possible investigation steps
- Determine if the invocation is interactive and expected (e.g., admin using su/sudo) by correlating with a TTY/SSH session, recent successful authentication logs, and sudo/polkit policy outcomes in journald.
- For pkexec events, inspect the environment for exploit indicators (e.g., unset argv or suspicious GCONV_PATH, PATH, LD_PRELOAD, LC_* values) and look for attacker-created files in /tmp or the user's home that match gconv or loader artifacts.
- Review the child/descendant process tree of the SUID/SGID helper to see if it spawned a root shell or arbitrary interpreter, and pivot to concurrent network connections or file writes by those children.
- Validate whether the executables SUID/SGID file on disk has been tampered with by checking its hash, permissions, ownership, and recent mtime against package manager metadata and known-good baselines.
- If the binary is mount/umount/fusermount or newuidmap/newgidmap, correlate with container or FUSE activity to confirm a legitimate workflow and inspect mounts or namespace changes for risky options (e.g., suid, exec) or unusual target directories.
### False positive analysis
- An authorized pkexec or polkit-agent-helper invocation by a user to perform a permitted administrative task may run as root while the real user is nonroot, often with a singleargument parent, and should align with an interactive prompt and expected policy.
- Normal unprivileged workflows using fusermount3 or newuidmap/newgidmap legitimately leverage SUID/SGID helpers, typically launched by a simple shell with one argument, and should correlate with expected mount or usernamespace activity.
### Response and remediation
- Immediately isolate the host, kill the offending SUID/SGID child processes (e.g., pkexec spawning /bin/sh), and temporarily remove the setuid/setgid bit from the abused binary (chmod u-s /usr/bin/pkexec or chmod g-s /usr/bin/newgrp) to halt further elevation.
- Reinstall and verify integrity of abused packages and SUID helpers (e.g., polkit to replace /usr/bin/pkexec, dbus-daemon-launch-helper, fusermount3) and delete attacker artifacts such as gconv modules or LD_PRELOAD payloads from /tmp, /var/tmp, and user homes.
- Undo attacker changes by restoring /etc/sudoers, /etc/passwd and /etc/shadow, and polkit rules under /usr/share/polkit-1 or /etc/polkit-1, unmount suspicious FUSE or bind mounts created by fusermount3/mount, and rotate credentials and keys.
- Escalate to incident command if you observe a SUID helper launching an interactive root shell (/bin/sh -p or bash -p), root-owned droppers in /tmp or /usr/local/bin, or similar events on more than one host or account.
- Permanently reduce the SUID/SGID attack surface by auditing and removing setuid bits from rarely used binaries (e.g., chfn, chsh, newgrp, ssh-keysign), restricting pkexec via polkit rules to specific callers, and mounting /tmp, /var/tmp, and home directories with nosuid,nodev,noexec.
- Strengthen monitoring and policy by enabling AppArmor/SELinux confinement for pkexec and mount helpers, adding auditd rules for exec of setuid binaries and writes to /tmp by root, and enforcing least-privilege sudoers by removing broad NOPASSWD entries and requiring MFA for privileged tasks.
"""
references = [
"https://dfir.ch/posts/today_i_learned_binfmt_misc/",
"https://gtfobins.github.io/#+suid",
@@ -58,6 +89,7 @@ tags = [
"Tactic: Persistence",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
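Review bot: Several words in the new `note` block read as if a non-ASCII hyphen or apostrophe was dropped: `nonroot` (L1890, L1898), `singleargument` (L1898), `usernamespace` (L1899) and `executables SUID/SGID file` (L1895). This text is shown to analysts in the alert, so it should use plain ASCII `non-root`, `single-argument`, `user-namespace` and `executable's`. It may be an artifact of how this page was rendered rather than of the committed file; checking the TOML for U+2011 or U+2019 characters would settle it, and the same check is worth running on the guide added at L1931-1956.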
@@ -2,7 +2,7 @@
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/11/11"
[rule]
author = ["Elastic"]
@@ -15,6 +15,41 @@ index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Delayed Execution via Ping"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Delayed Execution via Ping
Ping, a network utility, can be misused by attackers to delay execution of malicious commands, aiding in evasion. Adversaries may use ping to introduce pauses, allowing them to execute harmful scripts or binaries stealthily. The detection rule identifies suspicious ping usage followed by execution of known malicious utilities, flagging potential threats by monitoring specific command patterns and excluding benign processes.
### Possible investigation steps
- Review the process tree to understand the sequence of events, focusing on the parent-child relationship between cmd.exe, ping.exe, and any subsequent suspicious processes like rundll32.exe or powershell.exe.
- Examine the command line arguments used with ping.exe to determine the delay introduced and assess if it aligns with typical malicious behavior.
- Investigate the user account associated with the process execution, especially if the user.id is not S-1-5-18, to determine if the account has been compromised or is being misused.
- Check the file path and code signature of any executables launched from the user's AppData directory to verify if they are trusted or potentially malicious.
- Analyze the command line arguments and working directory of any suspicious processes to identify any known malicious patterns or scripts being executed.
- Correlate the alert with any other recent alerts or logs from the same host or user to identify potential patterns or ongoing malicious activity.
### False positive analysis
- Legitimate administrative scripts or maintenance tasks may use ping to introduce delays, especially in batch files executed by system administrators. To handle this, identify and exclude specific scripts or command lines that are known to be safe.
- Software installations or updates might use ping for timing purposes. Review the command lines and parent processes involved, and create exceptions for trusted software paths or signatures.
- Automated testing environments may use ping to simulate network latency or wait for services to start. Exclude these processes by identifying the testing framework or environment and adding it to the exception list.
- Some legitimate applications might use ping as part of their normal operation. Monitor these applications and, if verified as safe, exclude their specific command patterns or executable paths.
- Regularly review and update the exception list to ensure it reflects the current environment and any new legitimate use cases that arise.
### Response and remediation
- Isolate the affected system from the network immediately to prevent further malicious activity and lateral movement.
- Terminate any suspicious processes identified in the alert, such as those involving ping.exe followed by the execution of known malicious utilities.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software.
- Review and analyze the command history and logs of the affected system to understand the scope of the attack and identify any additional compromised systems.
- Restore the system from a known good backup if malware removal is not feasible or if the system's integrity is in question.
- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the alert.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
risk_score = 21
rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
severity = "low"
@@ -64,41 +99,6 @@ sequence by process.parent.entity_id with maxspan=1m
"?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
]
'''
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Delayed Execution via Ping
Ping, a network utility, can be misused by attackers to delay execution of malicious commands, aiding in evasion. Adversaries may use ping to introduce pauses, allowing them to execute harmful scripts or binaries stealthily. The detection rule identifies suspicious ping usage followed by execution of known malicious utilities, flagging potential threats by monitoring specific command patterns and excluding benign processes.
### Possible investigation steps
- Review the process tree to understand the sequence of events, focusing on the parent-child relationship between cmd.exe, ping.exe, and any subsequent suspicious processes like rundll32.exe or powershell.exe.
- Examine the command line arguments used with ping.exe to determine the delay introduced and assess if it aligns with typical malicious behavior.
- Investigate the user account associated with the process execution, especially if the user.id is not S-1-5-18, to determine if the account has been compromised or is being misused.
- Check the file path and code signature of any executables launched from the user's AppData directory to verify if they are trusted or potentially malicious.
- Analyze the command line arguments and working directory of any suspicious processes to identify any known malicious patterns or scripts being executed.
- Correlate the alert with any other recent alerts or logs from the same host or user to identify potential patterns or ongoing malicious activity.
### False positive analysis
- Legitimate administrative scripts or maintenance tasks may use ping to introduce delays, especially in batch files executed by system administrators. To handle this, identify and exclude specific scripts or command lines that are known to be safe.
- Software installations or updates might use ping for timing purposes. Review the command lines and parent processes involved, and create exceptions for trusted software paths or signatures.
- Automated testing environments may use ping to simulate network latency or wait for services to start. Exclude these processes by identifying the testing framework or environment and adding it to the exception list.
- Some legitimate applications might use ping as part of their normal operation. Monitor these applications and, if verified as safe, exclude their specific command patterns or executable paths.
- Regularly review and update the exception list to ensure it reflects the current environment and any new legitimate use cases that arise.
### Response and remediation
- Isolate the affected system from the network immediately to prevent further malicious activity and lateral movement.
- Terminate any suspicious processes identified in the alert, such as those involving ping.exe followed by the execution of known malicious utilities.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software.
- Review and analyze the command history and logs of the affected system to understand the scope of the attack and identify any additional compromised systems.
- Restore the system from a known good backup if malware removal is not feasible or if the system's integrity is in question.
- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the alert.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
[[rule.threat]]
@@ -176,7 +176,7 @@ name = "Virtualization/Sandbox Evasion"
reference = "https://attack.mitre.org/techniques/T1497/"
[[rule.threat.technique.subtechnique]]
id = "T1497.003"
name = "Time Based Evasion"
name = "Time Based Checks"
reference = "https://attack.mitre.org/techniques/T1497/003/"