From 5d29dc9a4f131ca96d4700968670613faff6a393 Mon Sep 17 00:00:00 2001 
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Mon, 5 Dec 2022 10:12:00 -0500 Subject: [PATCH] [Detection Rules][8.6] Add detection rule security document updates (#2761) * updating pre-existing pre-built detection rule security docs with newly generated * adjusted link to os-query investigation guides --- .../prebuilt-rules-changelog.asciidoc | 125 +- .../prebuilt-rules-reference.asciidoc | 918 +- .../prebuilt-rules/rule-desc-index.asciidoc | 27 +- .../a-scheduled-task-was-created.asciidoc | 26 +- .../a-scheduled-task-was-updated.asciidoc | 26 +- ...l-process-id-or-lock-file-created.asciidoc | 26 +- .../abnormally-large-dns-response.asciidoc | 10 +- ...d-default-telnet-port-connection.asciidoc} | 29 +- ...ess-to-a-sensitive-ldap-attribute.asciidoc | 94 + ...ured-with-never-expiring-password.asciidoc | 9 +- ...covery-command-via-system-account.asciidoc | 9 +- .../account-password-reset-remotely.asciidoc | 29 +- ...-hidden-file-attribute-via-attrib.asciidoc | 9 +- .../adfind-command-activity.asciidoc | 11 +- ...vileges-assigned-to-an-okta-group.asciidoc | 8 +- ...tor-role-assigned-to-an-okta-user.asciidoc | 8 +- ...insdholder-sdprop-exclusion-added.asciidoc | 9 +- .../adobe-hijack-persistence.asciidoc | 37 +- ...behavior-detected-elastic-endgame.asciidoc | 14 +- ...-added-to-google-workspace-domain.asciidoc | 7 +- ...rom-blocklist-in-google-workspace.asciidoc | 11 +- .../attempt-to-create-okta-api-token.asciidoc | 8 +- ...to-deactivate-an-okta-application.asciidoc | 8 +- ...o-deactivate-an-okta-network-zone.asciidoc | 8 +- ...to-deactivate-an-okta-policy-rule.asciidoc | 8 +- ...empt-to-deactivate-an-okta-policy.asciidoc | 8 +- ...vate-mfa-for-an-okta-user-account.asciidoc | 8 +- ...mpt-to-delete-an-okta-application.asciidoc | 8 +- ...pt-to-delete-an-okta-network-zone.asciidoc | 8 +- ...mpt-to-delete-an-okta-policy-rule.asciidoc | 8 +- .../attempt-to-delete-an-okta-policy.asciidoc | 8 +- ...mpt-to-modify-an-okta-application.asciidoc 
| 8 +- ...pt-to-modify-an-okta-network-zone.asciidoc | 8 +- ...mpt-to-modify-an-okta-policy-rule.asciidoc | 8 +- .../attempt-to-modify-an-okta-policy.asciidoc | 8 +- ...-factors-for-an-okta-user-account.asciidoc | 8 +- .../attempt-to-revoke-okta-api-token.asciidoc | 8 +- .../attempted-bypass-of-okta-mfa.asciidoc | 8 +- ...orce-a-microsoft-365-user-account.asciidoc | 7 +- ...-brute-force-an-okta-user-account.asciidoc | 8 +- ...-access-secret-in-secrets-manager.asciidoc | 9 +- .../aws-cloudtrail-log-created.asciidoc | 7 +- .../aws-cloudtrail-log-deleted.asciidoc | 9 +- .../aws-cloudtrail-log-suspended.asciidoc | 9 +- .../aws-cloudtrail-log-updated.asciidoc | 9 +- .../aws-cloudwatch-alarm-deletion.asciidoc | 9 +- ...aws-cloudwatch-log-group-deletion.asciidoc | 9 +- ...ws-cloudwatch-log-stream-deletion.asciidoc | 9 +- .../aws-config-resource-deletion.asciidoc | 9 +- ...ws-configuration-recorder-stopped.asciidoc | 7 +- ...letion-of-rds-instance-or-cluster.asciidoc | 7 +- .../aws-ec2-encryption-disabled.asciidoc | 7 +- ...l-network-packet-capture-detected.asciidoc | 7 +- ...work-access-control-list-creation.asciidoc | 7 +- ...work-access-control-list-deletion.asciidoc | 7 +- .../aws-ec2-snapshot-activity.asciidoc | 9 +- .../aws-ec2-vm-export-failure.asciidoc | 7 +- ...-efs-file-system-or-mount-deleted.asciidoc | 7 +- ...lasticache-security-group-created.asciidoc | 7 +- ...ecurity-group-modified-or-deleted.asciidoc | 7 +- ...ntbridge-rule-disabled-or-deleted.asciidoc | 7 +- .../aws-execution-via-system-manager.asciidoc | 9 +- .../aws-guardduty-detector-deletion.asciidoc | 7 +- ...aws-iam-assume-role-policy-update.asciidoc | 9 +- ...brute-force-of-assume-role-policy.asciidoc | 9 +- ...ws-iam-deactivation-of-mfa-device.asciidoc | 9 +- .../aws-iam-group-creation.asciidoc | 7 +- .../aws-iam-group-deletion.asciidoc | 7 +- ...s-iam-password-recovery-requested.asciidoc | 7 +- .../aws-iam-user-addition-to-group.asciidoc | 9 +- ...isabled-or-scheduled-for-deletion.asciidoc | 80 + 
...brute-force-of-root-user-identity.asciidoc | 7 +- ...aws-management-console-root-login.asciidoc | 9 +- .../aws-rds-cluster-creation.asciidoc | 7 +- ...aws-rds-instance-cluster-stoppage.asciidoc | 7 +- .../aws-rds-instance-creation.asciidoc | 7 +- .../aws-rds-security-group-creation.asciidoc | 7 +- .../aws-rds-security-group-deletion.asciidoc | 7 +- .../aws-rds-snapshot-export.asciidoc | 7 +- .../aws-rds-snapshot-restored.asciidoc | 7 +- .../aws-redshift-cluster-creation.asciidoc | 7 +- .../aws-root-login-without-mfa.asciidoc | 9 +- ...-53-domain-transfer-lock-disabled.asciidoc | 7 +- ...in-transferred-to-another-account.asciidoc | 7 +- .../aws-route-table-created.asciidoc | 7 +- ...s-route-table-modified-or-deleted.asciidoc | 7 +- ...hosted-zone-associated-with-a-vpc.asciidoc | 7 +- ...-s3-bucket-configuration-deletion.asciidoc | 7 +- .../rule-details/aws-saml-activity.asciidoc | 7 +- ...up-configuration-change-detection.asciidoc | 7 +- ...oken-service-sts-assumerole-usage.asciidoc | 7 +- .../aws-sts-getsessiontoken-abuse.asciidoc | 7 +- .../aws-vpc-flow-logs-deletion.asciidoc | 9 +- ...-waf-access-control-list-deletion.asciidoc | 7 +- ...s-waf-rule-or-rule-group-deletion.asciidoc | 7 +- ...ctive-directory-high-risk-sign-in.asciidoc | 9 +- ...-high-risk-user-sign-in-heuristic.asciidoc | 9 +- ...tive-directory-powershell-sign-in.asciidoc | 9 +- ...lobal-administrator-role-assigned.asciidoc | 7 +- ...pression-rule-created-or-modified.asciidoc | 7 +- ...plication-credential-modification.asciidoc | 7 +- .../azure-automation-account-created.asciidoc | 7 +- ...ation-runbook-created-or-modified.asciidoc | 7 +- .../azure-automation-runbook-deleted.asciidoc | 7 +- .../azure-automation-webhook-created.asciidoc | 7 +- ...ntainer-access-level-modification.asciidoc | 7 +- ...ure-blob-permissions-modification.asciidoc | 7 +- ...mand-execution-on-virtual-machine.asciidoc | 7 +- ...onditional-access-policy-modified.asciidoc | 7 +- ...zure-diagnostic-settings-deletion.asciidoc | 
7 +- ...orization-rule-created-or-updated.asciidoc | 7 +- .../azure-event-hub-deletion.asciidoc | 7 +- ...re-external-guest-user-invitation.asciidoc | 7 +- .../azure-firewall-policy-deletion.asciidoc | 7 +- ...ation-firewall-waf-policy-deleted.asciidoc | 7 +- ...l-network-packet-capture-detected.asciidoc | 7 +- ...strator-role-addition-to-pim-user.asciidoc | 7 +- .../azure-key-vault-modified.asciidoc | 8 +- .../azure-kubernetes-events-deleted.asciidoc | 7 +- .../azure-kubernetes-pods-deleted.asciidoc | 7 +- ...e-kubernetes-rolebindings-created.asciidoc | 7 +- .../azure-network-watcher-deletion.asciidoc | 7 +- ...identity-management-role-modified.asciidoc | 9 +- .../azure-resource-group-deletion.asciidoc | 7 +- .../azure-service-principal-addition.asciidoc | 9 +- ...rvice-principal-credentials-added.asciidoc | 7 +- ...e-storage-account-key-regenerated.asciidoc | 7 +- ...etwork-device-modified-or-deleted.asciidoc | 7 +- ...uted-from-shared-memory-directory.asciidoc | 8 +- .../bypass-uac-via-event-viewer.asciidoc | 38 +- .../clearing-windows-console-history.asciidoc | 24 +- .../clearing-windows-event-logs.asciidoc | 11 +- ...strike-command-and-control-beacon.asciidoc | 8 +- ...-execution-via-solarwinds-process.asciidoc | 9 +- ...ell-activity-started-via-rundll32.asciidoc | 9 +- .../component-object-model-hijacking.asciidoc | 64 +- ...wned-by-suspicious-parent-process.asciidoc | 11 +- ...n-to-commonly-abused-web-services.asciidoc | 74 +- ...el-process-with-unusual-arguments.asciidoc | 9 +- ...on-of-a-hidden-local-user-account.asciidoc | 9 +- ...idden-login-item-via-apple-script.asciidoc | 17 +- ...f-domain-backup-dpapi-private-key.asciidoc | 9 +- ...-modification-of-root-certificate.asciidoc | 39 +- ...isition-via-registry-hive-dumping.asciidoc | 12 +- ...-privileged-access-security-error.asciidoc | 7 +- ...cess-security-recommended-monitor.asciidoc | 7 +- ...lt-strike-team-server-certificate.asciidoc | 8 +- ...te-volume-usn-journal-with-fsutil.asciidoc | 9 +- 
...ting-backup-catalogs-with-wbadmin.asciidoc | 9 +- .../direct-outbound-smb-connection.asciidoc | 38 +- ...ecurity-logs-using-built-in-tools.asciidoc | 11 +- ...-windows-firewall-rules-via-netsh.asciidoc | 11 +- ...control-via-registry-modification.asciidoc | 8 +- ...-security-settings-via-powershell.asciidoc | 11 +- ...s-over-https-enabled-via-registry.asciidoc | 9 +- ...-google-workspace-trusted-domains.asciidoc | 7 +- ...-host-network-discovery-via-netsh.asciidoc | 11 +- ...executable-stored-in-the-registry.asciidoc | 9 +- ...ncrypting-files-with-winrar-or-7z.asciidoc | 11 +- ...ting-domain-trusts-via-nltest.exe.asciidoc | 9 +- ...tion-command-spawned-via-wmiprvse.asciidoc | 9 +- ...eration-of-administrator-accounts.asciidoc | 11 +- ...rivileged-local-groups-membership.asciidoc | 36 +- ...creation-with-multiple-extensions.asciidoc | 9 +- ...om-unusual-directory-command-line.asciidoc | 38 +- ...ecution-of-com-object-via-xwizard.asciidoc | 9 +- ...n-or-modified-by-microsoft-office.asciidoc | 11 +- ...written-or-modified-by-pdf-reader.asciidoc | 11 +- ...ution-via-local-sxs-shared-module.asciidoc | 9 +- ...ssql-xp_cmdshell-stored-procedure.asciidoc | 10 +- ...g-exchange-mailbox-via-powershell.asciidoc | 11 +- ...p-lookup-from-non-browser-process.asciidoc | 9 +- ...-listener-established-via-netcat.asciidoc} | 49 +- .../gcp-firewall-rule-creation.asciidoc | 7 +- .../gcp-firewall-rule-deletion.asciidoc | 7 +- .../gcp-firewall-rule-modification.asciidoc | 7 +- .../gcp-iam-custom-role-creation.asciidoc | 7 +- .../gcp-iam-role-deletion.asciidoc | 7 +- ...-iam-service-account-key-deletion.asciidoc | 7 +- ...s-rolebindings-created-or-patched.asciidoc | 112 - .../gcp-logging-bucket-deletion.asciidoc | 7 +- .../gcp-logging-sink-deletion.asciidoc | 7 +- .../gcp-logging-sink-modification.asciidoc | 7 +- ...gcp-pub-sub-subscription-creation.asciidoc | 7 +- ...gcp-pub-sub-subscription-deletion.asciidoc | 7 +- .../gcp-pub-sub-topic-creation.asciidoc | 7 +- 
.../gcp-pub-sub-topic-deletion.asciidoc | 7 +- .../gcp-service-account-creation.asciidoc | 7 +- .../gcp-service-account-deletion.asciidoc | 7 +- .../gcp-service-account-disabled.asciidoc | 7 +- .../gcp-service-account-key-creation.asciidoc | 7 +- ...bucket-configuration-modification.asciidoc | 7 +- .../gcp-storage-bucket-deletion.asciidoc | 7 +- ...e-bucket-permissions-modification.asciidoc | 7 +- ...al-private-cloud-network-deletion.asciidoc | 7 +- ...tual-private-cloud-route-creation.asciidoc | 7 +- ...tual-private-cloud-route-deletion.asciidoc | 7 +- ...-transferred-via-google-workspace.asciidoc | 11 +- ...gle-workspace-2sv-policy-disabled.asciidoc | 11 +- ...ace-admin-role-assigned-to-a-user.asciidoc | 7 +- ...gle-workspace-admin-role-deletion.asciidoc | 7 +- ...main-wide-delegation-of-authority.asciidoc | 7 +- ...kspace-bitlocker-setting-disabled.asciidoc | 11 +- ...rkspace-custom-admin-role-created.asciidoc | 7 +- ...m-gmail-route-created-or-modified.asciidoc | 11 +- ...orkspace-mfa-enforcement-disabled.asciidoc | 9 +- ...orkspace-password-policy-modified.asciidoc | 7 +- ...etplace-modified-to-allow-any-app.asciidoc | 11 +- .../google-workspace-role-modified.asciidoc | 7 +- ...modified-to-allow-external-access.asciidoc | 11 +- ...-user-organizational-unit-changed.asciidoc | 11 +- ...licy-abuse-for-privilege-addition.asciidoc | 9 +- ...password-reset-or-unlock-attempts.asciidoc | 8 +- ...ocess-and-or-service-terminations.asciidoc | 13 +- ...gh-number-of-process-terminations.asciidoc | 9 +- .../rule-details/hosts-file-modified.asciidoc | 8 +- .../iis-http-logging-disabled.asciidoc | 9 +- ...windows-update-auto-update-client.asciidoc | 9 +- ...-authentication-disabled-for-user.asciidoc | 9 +- ...eros-traffic-from-unusual-process.asciidoc | 37 +- ...etes-anonymous-request-authorized.asciidoc | 21 +- ...with-excessive-linux-capabilities.asciidoc | 115 + ...es-denied-service-account-request.asciidoc | 11 +- ...ervice-created-with-type-nodeport.asciidoc | 18 +- 
...-with-a-sensitive-hostpath-volume.asciidoc | 50 +- ...bernetes-pod-created-with-hostipc.asciidoc | 36 +- ...etes-pod-created-with-hostnetwork.asciidoc | 34 +- ...bernetes-pod-created-with-hostpid.asciidoc | 34 +- ...kubernetes-privileged-pod-created.asciidoc | 36 +- ...ent-of-controller-service-account.asciidoc | 25 +- ...es-suspicious-self-subject-review.asciidoc | 26 +- .../kubernetes-user-exec-into-pod.asciidoc | 16 +- ...count-tokenfilter-policy-disabled.asciidoc | 81 + .../local-scheduled-task-creation.asciidoc | 12 +- .../lsass-memory-dump-creation.asciidoc | 9 +- .../lsass-memory-dump-handle-access.asciidoc | 39 +- ...masquerading-space-after-filename.asciidoc | 74 + ...for-google-workspace-organization.asciidoc | 7 +- ...change-anti-phish-policy-deletion.asciidoc | 7 +- ...ange-anti-phish-rule-modification.asciidoc | 7 +- ...im-signing-configuration-disabled.asciidoc | 7 +- ...t-365-exchange-dlp-policy-removed.asciidoc | 7 +- ...ge-malware-filter-policy-deletion.asciidoc | 7 +- ...-malware-filter-rule-modification.asciidoc | 7 +- ...-management-group-role-assignment.asciidoc | 7 +- ...nge-safe-attachment-rule-disabled.asciidoc | 7 +- ...xchange-safe-link-policy-disabled.asciidoc | 7 +- ...-exchange-transport-rule-creation.asciidoc | 7 +- ...hange-transport-rule-modification.asciidoc | 7 +- ...lobal-administrator-role-assigned.asciidoc | 7 +- ...365-inbox-forwarding-rule-created.asciidoc | 7 +- ...365-potential-ransomware-activity.asciidoc | 7 +- ...m-application-interaction-allowed.asciidoc | 7 +- ...365-teams-external-access-enabled.asciidoc | 7 +- ...ft-365-teams-guest-access-enabled.asciidoc | 7 +- ...5-unusual-volume-of-file-deletion.asciidoc | 7 +- ...ser-restricted-from-sending-email.asciidoc | 7 +- ...engine-started-an-unusual-process.asciidoc | 9 +- ...ngine-started-by-a-script-process.asciidoc | 9 +- ...ngine-started-by-a-system-process.asciidoc | 9 +- ...-started-by-an-office-application.asciidoc | 11 +- 
...ld-engine-using-an-alternate-name.asciidoc | 9 +- ...iis-connection-strings-decryption.asciidoc | 9 +- ...s-service-account-password-dumped.asciidoc | 9 +- ...rosoft-windows-defender-tampering.asciidoc | 9 +- ...mimikatz-memssp-log-file-detected.asciidoc | 15 +- ...cation-of-amsienable-registry-key.asciidoc | 26 +- ...odification-of-boot-configuration.asciidoc | 9 +- ...on-of-the-mspkiaccountcredentials.asciidoc | 77 + ...tion-of-wdigest-security-provider.asciidoc | 31 +- ...n-okta-application-sign-on-policy.asciidoc | 8 +- ...ng-hidden-or-webdav-remote-shares.asciidoc | 18 +- ...o-security-registry-modifications.asciidoc | 33 +- ...cation-disabled-for-an-azure-user.asciidoc | 9 +- ...t-att-ck-tactics-on-a-single-host.asciidoc | 47 + ...ltiple-vault-web-credentials-read.asciidoc | 12 +- .../rule-details/my-first-alert.asciidoc | 80 + .../network-connection-via-certutil.asciidoc | 37 +- ...on-provider-registry-modification.asciidoc | 32 +- ...new-or-modified-federation-domain.asciidoc | 7 +- .../ntds-or-sam-database-file-copied.asciidoc | 10 +- ...sessionpipe-registry-modification.asciidoc | 20 +- ...orted-by-user-as-malware-or-phish.asciidoc | 7 +- ...ssive-single-sign-on-logon-errors.asciidoc | 7 +- ...spicious-mailbox-right-delegation.asciidoc | 7 +- ...o365-mailbox-audit-logging-bypass.asciidoc | 7 +- ...force-or-password-spraying-attack.asciidoc | 8 +- .../okta-user-session-impersonation.asciidoc | 8 +- .../onedrive-malware-file-upload.asciidoc | 7 +- .../peripheral-device-discovery.asciidoc | 11 +- ...ersistence-via-powershell-profile.asciidoc | 68 + ...pdate-orchestrator-service-hijack.asciidoc | 37 +- ...stence-via-wmi-event-subscription.asciidoc | 11 +- ...ia-wmi-standard-registry-provider.asciidoc | 8 +- ...-scripts-in-the-startup-directory.asciidoc | 37 +- .../port-forwarding-rule-addition.asciidoc | 23 +- ...-via-azure-registered-application.asciidoc | 9 +- .../possible-okta-dos-attack.asciidoc | 8 +- ...f-repeated-mfa-push-notifications.asciidoc | 8 
+- ...-application-shimming-via-sdbinst.asciidoc | 14 +- ...tial-credential-access-via-dcsync.asciidoc | 9 +- ...cess-via-duplicatehandle-in-lsass.asciidoc | 8 +- ...tial-access-via-lsass-memory-dump.asciidoc | 9 +- ...cess-via-renamed-com-services-dll.asciidoc | 8 +- ...ess-via-trusted-developer-utility.asciidoc | 37 +- ...tial-access-via-windows-utilities.asciidoc | 11 +- ...ft-antimalware-service-executable.asciidoc | 9 +- ...ng-via-trusted-microsoft-programs.asciidoc | 9 +- ...ential-dns-tunneling-via-nslookup.asciidoc | 11 +- ...ential-evasion-via-filter-manager.asciidoc | 9 +- ...invoke-mimikatz-powershell-script.asciidoc | 10 +- ...al-java-jndi-exploitation-attempt.asciidoc | 9 +- ...teral-tool-transfer-via-smb-share.asciidoc | 9 +- ...tential-local-ntlm-relay-via-http.asciidoc | 9 +- ...e-creation-via-psscapturesnapshot.asciidoc | 8 +- ...emory-dump-via-psscapturesnapshot.asciidoc | 8 +- ...ication-of-accessibility-binaries.asciidoc | 37 +- ...-non-standard-port-ssh-connection.asciidoc | 70 + ...ng-of-microsoft-365-user-accounts.asciidoc | 7 +- ...ential-persistence-via-login-hook.asciidoc | 17 +- ...alation-via-installerfiletakeover.asciidoc | 37 +- ...tial-process-herpaderping-attempt.asciidoc | 23 +- ...-process-injection-via-powershell.asciidoc | 10 +- ...te-credential-access-via-registry.asciidoc | 33 +- ...remote-desktop-tunneling-detected.asciidoc | 11 +- ...verse-shell-activity-via-terminal.asciidoc | 8 +- ...file-deletion-via-sdelete-utility.asciidoc | 9 +- ...ow-credentials-added-to-ad-object.asciidoc | 15 +- ...e-read-via-command-line-utilities.asciidoc | 103 + .../potential-shell-via-web-server.asciidoc | 9 +- ...owershell-kerberos-ticket-request.asciidoc | 9 +- .../powershell-keylogging-script.asciidoc | 9 +- .../powershell-minidump-script.asciidoc | 9 +- .../powershell-psreflect-script.asciidoc | 37 +- ...ell-script-block-logging-disabled.asciidoc | 27 +- ...wershell-share-enumeration-script.asciidoc | 12 +- 
...ery-related-windows-api-functions.asciidoc | 9 +- ...us-payload-encoded-and-compressed.asciidoc | 37 +- ...t-with-audio-capture-capabilities.asciidoc | 9 +- ...ript-with-screenshot-capabilities.asciidoc | 9 +- ...ia-rogue-named-pipe-impersonation.asciidoc | 8 +- ...n-via-parent-process-pid-spoofing.asciidoc | 81 + ...s-activity-via-compiled-html-file.asciidoc | 9 +- ...ss-created-with-an-elevated-token.asciidoc | 90 + ...cess-creation-via-secondary-logon.asciidoc | 32 +- ...ecution-from-an-unusual-directory.asciidoc | 9 +- ...ion-by-the-microsoft-build-engine.asciidoc | 8 +- ...-started-from-process-id-pid-file.asciidoc | 8 +- ...-termination-followed-by-deletion.asciidoc | 26 +- ...gram-files-directory-masquerading.asciidoc | 9 +- .../psexec-network-connection.asciidoc | 9 +- .../rule-details/rare-aws-error-code.asciidoc | 9 +- .../rdp-enabled-via-registry.asciidoc | 9 +- ...mputer-account-dnshostname-update.asciidoc | 27 +- ...bled-in-windows-firewall-by-netsh.asciidoc | 11 +- .../remote-execution-via-file-shares.asciidoc | 36 +- .../remote-file-copy-via-teamviewer.asciidoc | 39 +- ...oad-via-desktopimgdownldr-utility.asciidoc | 40 +- ...remote-file-download-via-mpcmdrun.asciidoc | 39 +- ...mote-file-download-via-powershell.asciidoc | 37 +- ...e-download-via-script-interpreter.asciidoc | 41 +- .../remote-scheduled-task-creation.asciidoc | 9 +- .../remote-system-discovery-commands.asciidoc | 11 +- .../remote-windows-service-installed.asciidoc | 98 + ...remotely-started-services-via-rpc.asciidoc | 37 +- ...enamed-autoit-scripts-interpreter.asciidoc | 9 +- ...erse-shell-created-via-named-pipe.asciidoc | 76 + ...d-task-execution-at-scale-via-gpo.asciidoc | 9 +- ...cheduled-tasks-at-command-enabled.asciidoc | 23 +- ...or-saved-credentials-via-vaultcmd.asciidoc | 10 +- ...ity-software-discovery-using-wmic.asciidoc | 11 +- ...urity-software-discovery-via-grep.asciidoc | 8 +- ...e-enabled-by-a-suspicious-process.asciidoc | 90 + 
...ationprivilege-assigned-to-a-user.asciidoc | 9 +- ...e-read-via-command-line-utilities.asciidoc | 62 - .../sharepoint-malware-file-upload.asciidoc | 7 +- ...oxy-execution-via-ms-work-folders.asciidoc | 11 +- .../sip-provider-modification.asciidoc | 35 +- ...s-disabling-services-via-registry.asciidoc | 36 +- .../spike-in-aws-error-messages.asciidoc | 9 +- ...-persistence-via-unsigned-process.asciidoc | 37 +- ...ript-added-to-group-policy-object.asciidoc | 9 +- ...-or-run-key-registry-modification.asciidoc | 37 +- ...rsistence-by-a-suspicious-process.asciidoc | 41 +- ...urst-command-and-control-activity.asciidoc | 40 +- .../suspicious-.net-code-compilation.asciidoc | 9 +- ...us-.net-reflection-via-powershell.asciidoc | 37 +- ...us-activity-reported-by-okta-user.asciidoc | 8 +- .../suspicious-certutil-commands.asciidoc | 9 +- .../suspicious-cmd-execution-via-wmi.asciidoc | 9 +- ...rsistence-or-privilege-escalation.asciidoc | 8 +- ...-endpoint-security-parent-process.asciidoc | 9 +- ...ious-execution-short-program-name.asciidoc | 9 +- ...e-creation-in-etc-for-persistence.asciidoc | 19 +- .../suspicious-java-child-process.asciidoc | 10 +- ...ious-lsass-access-via-malseclogon.asciidoc | 8 +- ...soft-diagnostics-wizard-execution.asciidoc | 9 +- ...uspicious-ms-office-child-process.asciidoc | 13 +- ...spicious-ms-outlook-child-process.asciidoc | 9 +- ...spicious-pdf-reader-child-process.asciidoc | 11 +- ...able-encoded-in-powershell-script.asciidoc | 37 +- ...cious-powershell-engine-imageload.asciidoc | 49 +- .../suspicious-powershell-script.asciidoc | 8 +- ...us-print-spooler-spl-file-created.asciidoc | 37 +- ...ess-access-via-direct-system-call.asciidoc | 39 +- ...icious-process-creation-calltrace.asciidoc | 9 +- ...ion-via-renamed-psexec-executable.asciidoc | 9 +- ...stry-access-via-sebackupprivilege.asciidoc | 10 +- ...rvice-was-installed-in-the-system.asciidoc | 105 + ...spicious-solarwinds-child-process.asciidoc | 9 +- ...startup-shell-folder-modification.asciidoc 
| 37 +- ...suspicious-werfault-child-process.asciidoc | 9 +- ...ous-wmi-image-load-from-ms-office.asciidoc | 22 +- .../suspicious-zoom-child-process.asciidoc | 9 +- .../svchost-spawning-cmd.asciidoc | 40 +- ...bolic-link-to-shadow-copy-created.asciidoc | 11 +- ...scovery-via-windows-command-shell.asciidoc | 80 + .../system-log-file-deletion.asciidoc | 21 +- .../system-shells-via-services.asciidoc | 9 +- ...mporarily-scheduled-task-creation.asciidoc | 23 +- ...es-deleted-via-unexpected-process.asciidoc | 11 +- ...at-detected-by-okta-threatinsight.asciidoc | 8 +- ...ebeat-module-v8.x-indicator-match.asciidoc | 9 +- .../threat-intel-indicator-match.asciidoc | 9 +- ...eged-ifileoperation-com-interface.asciidoc | 8 +- ...ia-windows-directory-masquerading.asciidoc | 37 +- ...a-windows-firewall-snap-in-hijack.asciidoc | 37 +- ...zed-access-to-an-okta-application.asciidoc | 13 +- .../unusual-aws-command-for-a-user.asciidoc | 9 +- ...ess-from-a-system-virtual-process.asciidoc | 9 +- .../unusual-child-process-of-dns.exe.asciidoc | 10 +- .../unusual-city-for-an-aws-command.asciidoc | 9 +- ...nusual-country-for-an-aws-command.asciidoc | 9 +- ...tion-by-a-system-critical-process.asciidoc | 40 +- ...le-creation-alternate-data-stream.asciidoc | 37 +- ...sual-file-modification-by-dns.exe.asciidoc | 8 +- ...l-network-connection-via-rundll32.asciidoc | 9 +- ...unusual-parent-child-relationship.asciidoc | 38 +- ...nusual-parent-process-for-cmd.exe.asciidoc | 9 +- ...cution-path-alternate-data-stream.asciidoc | 9 +- ...nusual-process-for-a-windows-host.asciidoc | 9 +- ...nusual-process-network-connection.asciidoc | 9 +- .../user-account-creation.asciidoc | 10 +- ...-account-exposed-to-kerberoasting.asciidoc | 9 +- ...ed-as-owner-for-azure-application.asciidoc | 7 +- ...owner-for-azure-service-principal.asciidoc | 7 +- ...> user-added-to-privileged-group.asciidoc} | 14 +- ...y-deleted-or-resized-via-vssadmin.asciidoc | 9 +- ...adow-copy-deletion-via-powershell.asciidoc | 9 +- 
...ume-shadow-copy-deletion-via-wmic.asciidoc | 9 +- ...ess-child-of-common-web-processes.asciidoc | 10 +- .../whoami-process-activity.asciidoc | 11 +- ...isabled-via-registry-modification.asciidoc | 38 +- ...r-exclusions-added-via-powershell.asciidoc | 11 +- .../windows-event-logs-cleared.asciidoc | 9 +- ...-firewall-disabled-via-powershell.asciidoc | 11 +- .../windows-network-enumeration.asciidoc | 11 +- ...gistry-file-creation-in-smb-share.asciidoc | 22 +- ...ndows-script-executing-powershell.asciidoc | 9 +- ...ntial-dumping-using-netsh-command.asciidoc | 88 + prebuilt-rules-scripts/changelog-entries.yml | 1 + .../final-files/final-rule-file-8.6.0.json | 92707 ++++++++++++++++ .../gen-files/json-from-docs-8.6.0.json | 58975 ++++++++++ prebuilt-rules-scripts/generate.py | 2 +- .../8.6.0-prebuilt-rule.json | 58975 ++++++++++ 465 files changed, 217146 insertions(+), 2128 deletions(-) rename docs/detections/prebuilt-rules/rule-details/{telnet-port-activity.asciidoc => accepted-default-telnet-port-connection.asciidoc} (81%) create mode 100644 docs/detections/prebuilt-rules/rule-details/access-to-a-sensitive-ldap-attribute.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-kms-customer-managed-key-disabled-or-scheduled-for-deletion.asciidoc rename docs/detections/prebuilt-rules/rule-details/{netcat-network-activity.asciidoc => file-transfer-or-listener-established-via-netcat.asciidoc} (80%) delete mode 100644 docs/detections/prebuilt-rules/rule-details/gcp-kubernetes-rolebindings-created-or-patched.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kubernetes-container-created-with-excessive-linux-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/local-account-tokenfilter-policy-disabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/masquerading-space-after-filename.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/modification-of-the-mspkiaccountcredentials.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-alerts-in-different-att-ck-tactics-on-a-single-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/my-first-alert.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/persistence-via-powershell-profile.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-non-standard-port-ssh-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-shadow-file-read-via-command-line-utilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/privileges-elevation-via-parent-process-pid-spoofing.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/process-created-with-an-elevated-token.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/remote-windows-service-installed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/reverse-shell-created-via-named-pipe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/sedebugprivilege-enabled-by-a-suspicious-process.asciidoc delete mode 100644 docs/detections/prebuilt-rules/rule-details/shadow-file-read-via-command-line-utilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-service-was-installed-in-the-system.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-information-discovery-via-windows-command-shell.asciidoc rename docs/detections/prebuilt-rules/rule-details/{user-added-to-privileged-group-in-active-directory.asciidoc => user-added-to-privileged-group.asciidoc} (92%) create mode 100644 docs/detections/prebuilt-rules/rule-details/wireless-credential-dumping-using-netsh-command.asciidoc create mode 100644 prebuilt-rules-scripts/diff-files/final-files/final-rule-file-8.6.0.json create mode 100644 
prebuilt-rules-scripts/diff-files/gen-files/json-from-docs-8.6.0.json create mode 100644 prebuilt-rules-scripts/orig-rules-json-files/8.6.0-prebuilt-rule.json diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc index a2764cb15b..a03bd422b2 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc @@ -5,6 +5,101 @@ The following lists prebuilt rule updates per release. Only rules with significant modifications to their query or scope are listed. For detailed information about a rule's changes, see the rule's description page. +[float] +=== 8.6.0 + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + +<> + [float] === 8.5.0 @@ -409,8 +504,6 @@ information about a rule's changes, see the rule's description page. <> -<> - <> <> @@ -730,8 +823,6 @@ information about a rule's changes, see the rule's description page. <> -<> - <> <> @@ -930,6 +1021,8 @@ information about a rule's changes, see the rule's description page. [float] === 7.14.0 +<> + <> <> @@ -1014,8 +1107,6 @@ information about a rule's changes, see the rule's description page. <> -<> - <> <> @@ -1237,7 +1328,7 @@ information about a rule's changes, see the rule's description page. <> -<> +<> <> @@ -1564,14 +1655,14 @@ information about a rule's changes, see the rule's description page. <> +<> + <> <> <> -<> - <> <> @@ -1611,6 +1702,8 @@ information about a rule's changes, see the rule's description page. [float] === 7.9.0 +<> + <> <> @@ -1645,6 +1738,8 @@ information about a rule's changes, see the rule's description page. <> +<> + <> <> 
@@ -1671,8 +1766,6 @@ information about a rule's changes, see the rule's description page. <> -<> - <> <> @@ -1723,8 +1816,6 @@ information about a rule's changes, see the rule's description page. <> -<> - <> <> @@ -1792,6 +1883,8 @@ These prebuilt rules have been updated: <> +<> + <> <> @@ -1802,8 +1895,6 @@ These prebuilt rules have been updated: <> -<> - <> <> @@ -1874,6 +1965,8 @@ These prebuilt rules have been updated: [float] === 7.6.1 +<> + <> <> @@ -1888,8 +1981,6 @@ These prebuilt rules have been updated: <> -<> - <> <> diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index 8c6744b91b..980b406671 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc 
@@ -14,147 +14,153 @@ and their rule type is `machine_learning`. |Rule |Description |Tags |Added |Version -|<> |Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.5.0 |1 +|<> |Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.5.0 |2 <> -|<> |Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.5.0 |1 +|<> |Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.5.0 |2 <> -|<> |An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] [Credential Access] [has_guide] |7.9.0 |101 <> +|<> |An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] [Credential Access] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] |7.9.0 |100 <> +|<> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] |7.9.0 |101 <> -|<> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [has_guide] |7.9.0 |101 <> +|<> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [has_guide] |7.9.0 |101 <> +|<> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [has_guide] |7.9.0 |101 <> +|<> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [has_guide] |7.9.0 |101 <> +|<> |Identifies the deletion of an AWS CloudWatch alarm. 
An adversary may delete alarms in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [has_guide] |7.9.0 |101 <> +|<> |Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Impact] [has_guide] |7.9.0 |101 <> +|<> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Impact] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [has_guide] |7.9.0 |101 <> +|<> |Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies an AWS configuration change to stop recording a designated set of resources. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |100 <> +|<> |Identifies an AWS configuration change to stop recording a designated set of resources. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> -|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |100 <> +|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> -|<> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] |7.9.0 |100 <> +|<> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] |7.9.0 |101 <> -|<> |Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.14.0 |100 <> +|<> |Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. 
This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.14.0 |101 <> -|<> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |100 <> +|<> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> -|<> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |100 <> +|<> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> -|<> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Exfiltration] [has_guide] |7.9.0 |101 <> +|<> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Exfiltration] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |100 <> +|<> |Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> -|<> |Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] |7.16.0 |100 <> +|<> |Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] |7.16.0 |101 <> -|<> |Identifies when an ElastiCache security group has been created. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.16.0 |100 <> +|<> |Identifies when an ElastiCache security group has been created. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.16.0 |101 <> -|<> |Identifies when an ElastiCache security group has been modified or deleted. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.16.0 |100 <> +|<> |Identifies when an ElastiCache security group has been modified or deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.16.0 |101 <> -|<> |Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Impact] |7.16.0 |100 <> +|<> |Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Impact] |7.16.0 |101 <> -|<> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Initial Access] [has_guide] |7.9.0 |101 <> +|<> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Initial Access] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |100 <> +|<> |Identifies the deletion of an Amazon GuardDuty detector. 
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> -|<> |Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [has_guide] |7.9.0 |101 <> +|<> |Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [has_guide] |7.9.0 |101 <> +|<> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [has_guide] |7.9.0 |101 <> +|<> |Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |100 <> +|<> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |101 <> -|<> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |100 <> +|<> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> -|<> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |100 <> +|<> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |101 <> -|<> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Credential Access] [Persistence] [has_guide] |7.9.0 |101 <> +|<> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Credential Access] [Persistence] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.10.0 |100 <> +|<> |Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Impact] |8.6.0 |1 -|<> |Identifies a successful login to the AWS Management Console by the Root user. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [has_guide] |7.9.0 |101 <> +|<> |Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.10.0 |101 <> -|<> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |100 <> +|<> |Identifies a successful login to the AWS Management Console by the Root user. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Persistence] |7.14.0 |100 <> +|<> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> -|<> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |100 <> +|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Persistence] |7.14.0 |101 <> -|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Security group. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.14.0 |100 <> +|<> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> -|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.14.0 |100 <> +|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Security group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.14.0 |101 <> -|<> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Exfiltration] |7.16.0 |100 <> +|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.14.0 |101 <> -|<> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Defense Evasion] |7.16.0 |100 <> +|<> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Exfiltration] |7.16.0 |101 <> -|<> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Persistence] |8.3.0 |100 <> +|<> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Defense Evasion] |7.16.0 |101 <> -|<> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [has_guide] |7.9.0 |101 <> +|<> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Persistence] |8.3.0 |101 <> -|<> |Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |100 <> +|<> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies when a request has been made to transfer a Route 53 domain to another AWS account. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |100 <> +|<> |Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> -|<> |Identifies when an AWS Route Table has been created. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] [Persistence] |7.16.0 |100 <> +|<> |Identifies when a request has been made to transfer a Route 53 domain to another AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> -|<> |Identifies when an AWS Route Table has been modified or deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] [Persistence] |7.16.0 |100 <> +|<> |Identifies when an AWS Route Table has been created. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] [Persistence] |7.16.0 |101 <> -|<> |Identifies when a Route53 private hosted zone has been associated with VPC. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.16.0 |100 <> +|<> |Identifies when an AWS Route Table has been modified or deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] [Persistence] |7.16.0 |101 <> -|<> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |100 <> +|<> |Identifies when a Route53 private hosted zone has been associated with VPC. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.16.0 |101 <> -|<> |Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |100 <> +|<> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> -|<> |Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |100 <> +|<> |Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> -|<> |Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.15.0 |100 <> +|<> |Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> -|<> |Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |100 <> +|<> |Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.15.0 |101 <> -|<> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [has_guide] |7.9.0 |101 <> +|<> |Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> -|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |100 <> +|<> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> -|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |100 <> +|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> -|<> |Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. 
|[Elastic] [Host] [Linux] [Threat Detection] [Execution] [BPFDoor] |8.3.0 |101 <> +|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> -|<> |Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. |[Elastic] [Network] [Threat Detection] [Lateral Movement] [has_guide] |7.10.0 |101 <> +|<> |Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. |[Elastic] [Host] [Linux] [Threat Detection] [Execution] [BPFDoor] [Investigation Guide] |8.3.0 |102 <> + +|<> |Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. |[Elastic] [Network] [Threat Detection] [Lateral Movement] [Investigation Guide] |7.10.0 |102 <> + +|<> |This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. 
|[Elastic] [Host] [Network] [Threat Detection] [Command and Control] [Host] [Lateral Movement] [Initial Access] |7.6.0 |101 <> |<> |Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access] |7.12.0 |100 <> |<> |Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access] |7.10.0 |100 <> -|<> |Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] [Active Directory] [has_guide] |8.2.0 |101 <> +|<> |Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access] [Active Directory] |8.6.0 |1 -|<> |Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery] [has_guide] |7.7.0 |101 <> +|<> |Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. 
|[Elastic] [Host] [Windows] [Threat Detection] [Persistence] [Active Directory] [Investigation Guide] |8.2.0 |102 <> -|<> |Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.0.0 |100 <> +|<> |Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery] [Investigation Guide] |7.7.0 |102 <> -|<> |This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery] [has_guide] |7.11.0 |101 <> +|<> |Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.0.0 |101 <> -|<
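Review bot: in the changelog hunks, entries are dropped from four "These prebuilt rules have been updated" lists and added to two others (one of them the 7.6.1 section), but the cross-reference targets are not visible here; confirm that each removed entry is the old anchor of a renamed rule and that the renamed rule's new anchor still appears in every list it was removed from, otherwise that rule silently disappears from the version history for those releases.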
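Review bot: the row whose description begins "Indicates the update of a scheduled task" keeps the doubled word in "may may generate noise" (and the informal "legit scheduled task") across both the removed and the re-added version; since this table is regenerated from the rule metadata, fix the description at the rule source so the next regeneration stops carrying the typo. Two more points in the same hunk: the new row beginning "Identify access to sensitive Active Directory object attributes that contains credentials" should read "Identifies access to ... attributes that contain credentials" to match the third-person form every other row uses; and the Telnet row's tag list repeats "[Host]" ("[Elastic] [Host] [Network] [Threat Detection] [Command and Control] [Host] [Lateral Movement] [Initial Access]"), which looks like two tag sets merged during the rename and should be de-duplicated in the rule source.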