diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 5191203df..349d60d93 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/07/19"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
 Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.
 """
-from = "now-9m"
+from = "now-20m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
@@ -21,7 +21,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
-sequence by process.entity_id with maxspan=2h
+sequence by process.entity_id with maxspan=10m
 [process where event.type in ("start", "process_started") and process.name : "mshta.exe" and not process.parent.name : "Microsoft.ConfigurationManagement.exe" and not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or
@@ -48,4 +48,3 @@ reference = "https://attack.mitre.org/techniques/T1218/005/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 03b8de715..a6987481c 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/07/19"
 
 [rule]
 author = ["Elastic"]
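Review bot: `from = "now-20m"` in the mshta rule is the only lookback change in this commit that arrives without an explicit `interval`, so whether the window is wide enough depends on the scheduler's default interval rather than on anything recorded in the file. For a sequence rule the lookback has to cover the run interval plus the query's maxspan (cut from 2h to 10m in the `@@ -21,7` hunk) plus ingest lag, so 20m only holds while the effective interval stays at or below roughly 10m; if I have the Kibana default of 5m right that is true today, but nothing in the rule says so. I'd pin it the way the other three files in this commit do, `interval = "5m"` next to `from`, or at least add `# lookback must exceed interval + maxspan (10m); assumes the default schedule interval` above it. The tighter maxspan also means a network connection made more than 10m after mshta starts no longer pairs with its process start, which is a deliberate coverage trade and deserves a sentence in the rule's note so later tuning does not silently widen it again.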
@@ -9,8 +9,9 @@ description = """
 Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.
 """
-from = "now-9m"
+from = "now-60m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+interval = "30m"
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Child Processes of RunDLL32"
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index e9c270b16..067004551 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/07/19"
 
 [rule]
 author = ["Elastic"]
@@ -9,8 +9,9 @@ description = """
 Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of MS Office applications.
 """
-from = "now-9m"
+from = "now-120m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Execution of File Written or Modified by Microsoft Office"
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 7bb139462..fb4a69e2f 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/07/19"
 
 [rule]
 author = ["Elastic"]
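Review bot: `from = "now-60m"` alongside the new `interval = "30m"` leaves 30 minutes for the query's maxspan plus ingest delay, and because the query and its maxspan sit outside this hunk the diff alone does not show that it fits; the same pattern appears in the office hunk below (`now-120m` with `interval = "60m"`) and in the PDF hunk on the next line. The 2:1 ratio looks intentional across all three, so it is worth stating where the values are set, e.g. `# lookback = 2 * interval; must stay above interval + maxspan + ingest lag`, so a future edit to either key keeps the relationship. Moving from `now-9m` on what was presumably the default schedule to a 30–60 minute interval also raises worst-case alert latency to the interval length, a tuning trade-off that reviewers will want called out in the rule's description or note rather than inferred from the numbers.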
@@ -9,8 +9,9 @@ description = """
 Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.
 """
-from = "now-9m"
+from = "now-120m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Execution of File Written or Modified by PDF Reader"