security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bcef5d74e16130af37dfd4eecce165443c76cfa2
sigma-rules/rules/ml/persistence_ml_windows_anomalous_service.toml
T
Apoorva Joshi d96eb29614 Adding related integrations to ML rules (#2972) 
* Adding related integrations to ML rules

* added adjustments to determine related integrations for ML rules

* fixed lint errors

* Empty commit

* Empty commit

* Empty commit

---------

Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.lan>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.fritz.box>

(cherry picked from commit 9482bda414)
2023-08-22 18:45:02 +00:00

53 lines
1.7 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services,
malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique
services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.
"""
false_positives = [
"""
A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
alert.
""",
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_windows_anomalous_service"]
name = "Unusual Windows Service"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink