From 3fc34b86f215319039ee46bed42d987d671a1101 Mon Sep 17 00:00:00 2001 
From: Justin Ibarra Date: Wed, 3 Mar 2021 22:12:11 -0900 Subject: [PATCH] Update License to Elastic v2 (#944) --- LICENSE.txt | 316 ++++++------------ README.md | 4 +- detection_rules/__init__.py | 5 +- detection_rules/__main__.py | 5 +- detection_rules/attack.py | 5 +- detection_rules/beats.py | 5 +- detection_rules/devtools.py | 35 +- detection_rules/docs.py | 5 +- detection_rules/ecs.py | 5 +- detection_rules/eswrap.py | 5 +- detection_rules/kbwrap.py | 5 +- detection_rules/main.py | 5 +- detection_rules/mappings.py | 5 +- detection_rules/misc.py | 10 +- detection_rules/packaging.py | 5 +- detection_rules/rule.py | 5 +- detection_rules/rule_formatter.py | 5 +- detection_rules/rule_loader.py | 5 +- detection_rules/schemas/__init__.py | 7 +- detection_rules/schemas/base.py | 5 +- detection_rules/schemas/rta_schema.py | 5 +- detection_rules/schemas/v7_10.py | 5 +- detection_rules/schemas/v7_11.py | 5 +- detection_rules/schemas/v7_12.py | 14 + detection_rules/schemas/v7_8.py | 5 +- detection_rules/schemas/v7_9.py | 7 +- detection_rules/semver.py | 5 +- detection_rules/utils.py | 5 +- kibana/__init__.py | 5 +- kibana/connector.py | 5 +- kibana/resources.py | 5 +- kql/__init__.py | 5 +- kql/ast.py | 5 +- kql/dsl.py | 5 +- kql/eql2kql.py | 5 +- kql/errors.py | 5 +- kql/evaluator.py | 5 +- kql/kql2eql.py | 5 +- kql/optimizer.py | 5 +- kql/parser.py | 5 +- rta/__init__.py | 5 +- rta/__main__.py | 5 +- rta/adobe_hijack.py | 5 +- rta/appcompat_shim.py | 5 +- rta/at_command.py | 5 +- rta/bin/__init__.py | 5 +- rta/bitsadmin_download.py | 5 +- rta/brute_force_login.py | 5 +- rta/certutil_file_obfuscation.py | 5 +- rta/certutil_webrequest.py | 5 +- rta/common.py | 5 +- rta/comsvcs_dump.py | 5 +- rta/dcom_lateral_movement_with_mmc.py | 5 +- rta/delete_bootconf.py | 5 +- rta/delete_catalogs.py | 5 +- rta/delete_usnjrnl.py | 5 +- rta/delete_volume_shadows.py | 5 +- rta/disable_windows_fw.py | 5 +- rta/enum_commands.py | 5 +- rta/findstr_pw_search.py | 5 +- rta/globalflags.py | 5 
+- rta/hosts_file_modify.py | 5 +- rta/installutil_network.py | 5 +- rta/iqy_file_writes.py | 5 +- rta/lateral_command_psexec.py | 5 +- rta/lateral_commands.py | 5 +- rta/linux_compress_sensitive_files.py | 5 +- rta/linux_discovery_sensitive_files.py | 5 +- rta/mac_office_descendant.py | 5 +- ...dification_of_wdigest_security_provider.py | 5 +- rta/ms_office_drop_exe.py | 5 +- rta/msbuild_network.py | 5 +- rta/mshta_network.py | 5 +- rta/msiexec_http_installer.py | 5 +- rta/msxsl_network.py | 5 +- rta/net_user_add.py | 5 +- rta/obfuscated_cmd_commands.py | 5 +- rta/obfuscated_powershell.py | 5 +- rta/office_application_startup.py | 5 +- rta/persistent_scripts.py | 5 +- rta/port_monitor.py | 5 +- rta/powershell_args.py | 5 +- rta/powershell_base64_gzip.py | 5 +- rta/powershell_from_script.py | 5 +- rta/process_double_extension.py | 5 +- rta/process_extension_anomalies.py | 5 +- rta/process_name_masquerade.py | 5 +- rta/recycle_bin_process.py | 5 +- rta/registry_hive_export.py | 5 +- rta/registry_persistence_create.py | 5 +- rta/registry_rdp_enable.py | 5 +- rta/regsvr32_scrobj.py | 5 +- rta/rundll32_inf_callback.py | 5 +- rta/rundll32_javascript_callback.py | 5 +- rta/schtask_escalation.py | 5 +- rta/scrobj_com_hijack.py | 5 +- rta/secure_file_deletion.py | 5 +- rta/settingcontentms_files.py | 5 +- rta/sevenzip_encrypted.py | 5 +- rta/shortcut_file_suspicious_process.py | 5 +- rta/sip_provider.py | 5 +- rta/smb_connection.py | 5 +- rta/sticky_keys_write_execute.py | 5 +- rta/suspicious_dll_registration_regsvr32.py | 5 +- rta/suspicious_office_children.py | 5 +- rta/suspicious_office_descendant_fp.py | 5 +- rta/suspicious_powershell_download.py | 5 +- rta/suspicious_wmic_script.py | 5 +- rta/suspicious_wscript_parent.py | 5 +- rta/system_restore_process.py | 5 +- rta/trust_provider.py | 5 +- rta/uac_eventviewer.py | 5 +- rta/uac_sdclt.py | 5 +- rta/uac_sysprep.py | 5 +- rta/uncommon_persistence.py | 5 +- rta/unusual_ms_tool_network.py | 5 +- 
rta/unusual_parent_child.py | 5 +- rta/user_dir_escalation.py | 5 +- rta/vaultcmd_commands.py | 5 +- rta/werfault_persistence.py | 5 +- rta/wevtutil_log_clear.py | 5 +- rta/winrar_encrypted.py | 5 +- rta/winrar_startup_folder.py | 5 +- rta/wmi_incoming_logon.py | 5 +- rules/apm/apm_403_response_to_a_post.toml | 4 +- .../apm_405_response_method_not_allowed.toml | 4 +- rules/apm/apm_null_user_agent.toml | 4 +- rules/apm/apm_sqlmap_user_agent.toml | 4 +- ...collection_cloudtrail_logging_created.toml | 4 +- ...ccess_aws_iam_assume_role_brute_force.toml | 4 +- ...ial_access_iam_user_addition_to_group.toml | 4 +- ...cess_root_console_failure_brute_force.toml | 4 +- ..._access_secretsmanager_getsecretvalue.toml | 4 +- ...se_evasion_cloudtrail_logging_deleted.toml | 4 +- ..._evasion_cloudtrail_logging_suspended.toml | 4 +- ...nse_evasion_cloudwatch_alarm_deletion.toml | 4 +- ..._evasion_config_service_rule_deletion.toml | 4 +- ...vasion_configuration_recorder_stopped.toml | 4 +- ...defense_evasion_ec2_flow_log_deletion.toml | 4 +- ...ense_evasion_ec2_network_acl_deletion.toml | 4 +- ...e_evasion_guardduty_detector_deletion.toml | 4 +- ...sion_s3_bucket_configuration_deletion.toml | 4 +- .../aws/defense_evasion_waf_acl_deletion.toml | 4 +- ...asion_waf_rule_or_rule_group_deletion.toml | 4 +- ...ltration_ec2_snapshot_change_activity.toml | 4 +- .../impact_cloudtrail_logging_updated.toml | 4 +- .../impact_cloudwatch_log_group_deletion.toml | 4 +- ...impact_cloudwatch_log_stream_deletion.toml | 4 +- .../impact_ec2_disable_ebs_encryption.toml | 4 +- .../aws/impact_iam_deactivate_mfa_device.toml | 4 +- rules/aws/impact_iam_group_deletion.toml | 4 +- rules/aws/impact_rds_cluster_deletion.toml | 4 +- .../impact_rds_instance_cluster_stoppage.toml | 4 +- .../initial_access_console_login_root.toml | 4 +- .../aws/initial_access_password_recovery.toml | 4 +- .../initial_access_via_system_manager.toml | 4 +- .../persistence_ec2_network_acl_creation.toml | 4 +- 
rules/aws/persistence_iam_group_creation.toml | 4 +- .../aws/persistence_rds_cluster_creation.toml | 4 +- ...ege_escalation_root_login_without_mfa.toml | 4 +- ...ege_escalation_updateassumerolepolicy.toml | 4 +- ...collection_update_event_hub_auth_rule.toml | 4 +- .../credential_access_key_vault_modified.toml | 4 +- ...ccess_storage_account_key_regenerated.toml | 4 +- ...e_application_credential_modification.toml | 4 +- ...on_azure_diagnostic_settings_deletion.toml | 4 +- ...sion_azure_service_principal_addition.toml | 4 +- .../defense_evasion_event_hub_deletion.toml | 4 +- ...ense_evasion_firewall_policy_deletion.toml | 4 +- ...ense_evasion_network_watcher_deletion.toml | 4 +- .../discovery_blob_container_access_mod.toml | 4 +- .../execution_command_virtual_machine.toml | 4 +- ...pact_azure_automation_runbook_deleted.toml | 4 +- .../azure/impact_resource_group_deletion.toml | 4 +- ...ure_active_directory_high_risk_signin.toml | 4 +- ...re_active_directory_powershell_signin.toml | 4 +- ...tack_via_azure_registered_application.toml | 4 +- ...ial_access_external_guest_user_invite.toml | 4 +- ...ence_azure_automation_account_created.toml | 4 +- ...utomation_runbook_created_or_modified.toml | 4 +- ...ence_azure_automation_webhook_created.toml | 4 +- ...re_conditional_access_policy_modified.toml | 4 +- ...nce_azure_pim_user_added_global_admin.toml | 4 +- ...ged_identity_management_role_modified.toml | 4 +- ...rsistence_mfa_disabled_for_azure_user.toml | 4 +- ..._added_as_owner_for_azure_application.toml | 4 +- ..._as_owner_for_azure_service_principal.toml | 4 +- ...s_cookies_chromium_browsers_debugging.toml | 4 +- ...e_evasion_deleting_websvr_access_logs.toml | 4 +- .../discovery_security_software_grep.toml | 4 +- ...on_pentest_eggshell_remote_admin_tool.toml | 4 +- .../execution_python_script_in_cmdline.toml | 4 +- .../execution_revershell_via_shell_cmd.toml | 4 +- ...xecution_suspicious_jar_child_process.toml | 4 +- .../impact_hosts_file_modified.toml | 4 +- 
..._access_zoom_meeting_with_no_passcode.toml | 4 +- ...l_access_modify_auth_module_or_config.toml | 4 +- ...stence_cron_jobs_creation_and_runtime.toml | 4 +- ...ersistence_shell_profile_modification.toml | 4 +- ...ence_ssh_authorized_keys_modification.toml | 4 +- ...lege_escalation_echo_nopasswd_sudoers.toml | 4 +- ...ation_setuid_setgid_bit_set_via_chmod.toml | 4 +- ...ilege_escalation_sudo_buffer_overflow.toml | 4 +- ...privilege_escalation_sudoers_file_mod.toml | 4 +- ...ion_gcp_pub_sub_subscription_creation.toml | 4 +- ...collection_gcp_pub_sub_topic_creation.toml | 4 +- ...nse_evasion_gcp_firewall_rule_created.toml | 4 +- ...nse_evasion_gcp_firewall_rule_deleted.toml | 4 +- ...se_evasion_gcp_firewall_rule_modified.toml | 4 +- ...e_evasion_gcp_logging_bucket_deletion.toml | 4 +- ...nse_evasion_gcp_logging_sink_deletion.toml | 4 +- ...ion_gcp_pub_sub_subscription_deletion.toml | 4 +- ...se_evasion_gcp_pub_sub_topic_deletion.toml | 4 +- ...storage_bucket_configuration_modified.toml | 4 +- ...p_storage_bucket_permissions_modified.toml | 4 +- ...tration_gcp_logging_sink_modification.toml | 4 +- rules/gcp/impact_gcp_iam_role_deletion.toml | 4 +- .../impact_gcp_service_account_deleted.toml | 4 +- .../impact_gcp_service_account_disabled.toml | 4 +- .../impact_gcp_storage_bucket_deleted.toml | 4 +- ...virtual_private_cloud_network_deleted.toml | 4 +- ...p_virtual_private_cloud_route_created.toml | 4 +- ...p_virtual_private_cloud_route_deleted.toml | 4 +- ...l_access_gcp_iam_custom_role_creation.toml | 4 +- ..._gcp_iam_service_account_key_deletion.toml | 4 +- ...e_gcp_key_created_for_service_account.toml | 4 +- ...rsistence_gcp_service_account_created.toml | 4 +- ...tion_added_to_google_workspace_domain.toml | 4 +- ...d_to_google_workspace_trusted_domains.toml | 4 +- .../google_workspace_admin_role_deletion.toml | 4 +- ...le_workspace_mfa_enforcement_disabled.toml | 4 +- .../google_workspace_policy_modified.toml | 4 +- ...led_for_google_workspace_organization.toml | 4 
+- ...workspace_admin_role_assigned_to_user.toml | 4 +- ...a_domain_wide_delegation_of_authority.toml | 4 +- ...e_workspace_custom_admin_role_created.toml | 4 +- ...stence_google_workspace_role_modified.toml | 4 +- ...ial_access_collection_sensitive_files.toml | 4 +- .../credential_access_ssh_backdoor_log.toml | 4 +- .../credential_access_tcpdump_activity.toml | 4 +- ...tempt_to_disable_iptables_or_firewall.toml | 4 +- ...ion_attempt_to_disable_syslog_service.toml | 4 +- ..._base32_encoding_or_decoding_activity.toml | 4 +- ..._base64_encoding_or_decoding_activity.toml | 4 +- ...deletion_of_bash_command_line_history.toml | 5 +- ...fense_evasion_disable_selinux_attempt.toml | 4 +- ...fense_evasion_file_deletion_via_shred.toml | 4 +- ...defense_evasion_file_mod_writable_dir.toml | 4 +- ...ion_hex_encoding_or_decoding_activity.toml | 4 +- .../defense_evasion_hidden_file_dir_tmp.toml | 4 +- ...defense_evasion_kernel_module_removal.toml | 4 +- .../defense_evasion_log_files_deleted.toml | 4 +- .../defense_evasion_timestomp_touch.toml | 5 +- .../discovery_kernel_module_enumeration.toml | 4 +- ...covery_virtual_machine_fingerprinting.toml | 4 +- rules/linux/discovery_whoami_commmand.toml | 4 +- rules/linux/execution_perl_tty_shell.toml | 4 +- rules/linux/execution_python_tty_shell.toml | 4 +- .../linux/initial_access_login_failures.toml | 4 +- .../linux/initial_access_login_location.toml | 4 +- .../linux/initial_access_login_sessions.toml | 4 +- rules/linux/initial_access_login_time.toml | 4 +- ...ment_telnet_network_activity_external.toml | 4 +- ...ment_telnet_network_activity_internal.toml | 4 +- rules/linux/linux_hping_activity.toml | 4 +- rules/linux/linux_iodine_activity.toml | 4 +- rules/linux/linux_mknod_activity.toml | 4 +- .../linux_netcat_network_connection.toml | 4 +- rules/linux/linux_nmap_activity.toml | 4 +- rules/linux/linux_nping_activity.toml | 4 +- ...nux_process_started_in_temp_directory.toml | 4 +- rules/linux/linux_socat_activity.toml | 4 +- 
rules/linux/linux_strace_activity.toml | 4 +- ...credential_access_modify_ssh_binaries.toml | 4 +- ...ersistence_kde_autostart_modification.toml | 4 +- .../persistence_kernel_module_activity.toml | 4 +- ...sistence_shell_activity_by_web_server.toml | 4 +- ...lation_ld_preload_shared_object_modif.toml | 4 +- ...ccess_to_browser_credentials_procargs.toml | 4 +- ...edential_access_credentials_keychains.toml | 5 +- ...dential_access_dumping_hashes_bi_cmds.toml | 4 +- ...tial_access_dumping_keychain_security.toml | 4 +- .../credential_access_kerberosdump_kcc.toml | 4 +- ...s_keychain_pwd_retrieval_security_cmd.toml | 4 +- ...ential_access_mitm_localhost_webproxy.toml | 4 +- ...ntial_access_potential_ssh_bruteforce.toml | 9 +- ...al_access_promt_for_pwd_via_osascript.toml | 5 +- .../credential_access_systemkey_dumping.toml | 4 +- ...vasion_apple_softupdates_modification.toml | 4 +- ...evasion_attempt_del_quarantine_attrib.toml | 4 +- ...evasion_attempt_to_disable_gatekeeper.toml | 4 +- ...ense_evasion_install_root_certificate.toml | 4 +- ..._evasion_modify_environment_launchctl.toml | 4 +- ...cy_controls_tcc_database_modification.toml | 4 +- ...tion_privacy_pref_sshd_fulldiskaccess.toml | 4 +- .../defense_evasion_safari_config_change.toml | 4 +- ...dboxed_office_app_suspicious_zip_file.toml | 4 +- ...vasion_tcc_bypass_mounted_apfs_access.toml | 4 +- ..._evasion_unload_endpointsecurity_kext.toml | 4 +- ...covery_users_domain_built_in_commands.toml | 4 +- ...vasion_electron_app_childproc_node_js.toml | 4 +- ...l_access_suspicious_browser_childproc.toml | 4 +- ...ution_installer_spawned_network_event.toml | 5 +- ...cution_script_via_automator_workflows.toml | 10 +- ...ing_osascript_exec_followed_by_netcon.toml | 10 +- ...n_shell_execution_via_apple_scripting.toml | 9 +- ...uspicious_mac_ms_office_child_process.toml | 4 +- ...ential_access_kerberos_bifrostconsole.toml | 4 +- .../lateral_movement_mounting_smb_share.toml | 4 +- ...ral_movement_remote_ssh_login_enabled.toml | 4 
+- ...teral_movement_vpn_connection_attempt.toml | 4 +- ...stence_account_creation_hide_at_logon.toml | 4 +- ...ce_creation_change_launch_agents_file.toml | 5 +- ..._creation_hidden_login_item_osascript.toml | 4 +- ...creation_modif_launch_deamon_sequence.toml | 5 +- ..._access_authorization_plugin_creation.toml | 4 +- ...launch_agent_deamon_logonitem_process.toml | 4 +- ...rectory_services_plugins_modification.toml | 4 +- ...e_docker_shortcuts_plist_modification.toml | 4 +- ...persistence_emond_rules_file_creation.toml | 4 +- ...istence_emond_rules_process_execution.toml | 4 +- .../persistence_enable_root_account.toml | 4 +- ...n_hidden_launch_agent_deamon_creation.toml | 4 +- ...sistence_finder_sync_plugin_pluginkit.toml | 14 +- ...istence_folder_action_scripts_runtime.toml | 8 +- ...rsistence_login_logout_hooks_defaults.toml | 4 +- ...stence_loginwindow_plist_modification.toml | 4 +- ...fication_sublime_app_plugin_or_script.toml | 4 +- ...ersistence_periodic_tasks_file_mdofiy.toml | 4 +- ...ence_suspicious_calendar_modification.toml | 4 +- ...tence_via_atom_init_file_modification.toml | 4 +- ...calation_applescript_with_admin_privs.toml | 4 +- ...calation_explicit_creds_via_scripting.toml | 4 +- ...alation_exploit_adobe_acrobat_updater.toml | 4 +- ..._escalation_local_user_added_to_admin.toml | 4 +- ...ilege_escalation_root_crontab_filemod.toml | 4 +- ..._365_brute_force_user_account_attempt.toml | 8 +- ...65_potential_password_spraying_attack.toml | 4 +- ...osoft_365_exchange_dlp_policy_removed.toml | 4 +- ...change_malware_filter_policy_deletion.toml | 4 +- ..._365_exchange_malware_filter_rule_mod.toml | 4 +- ...65_exchange_safe_attach_rule_disabled.toml | 4 +- ..._365_exchange_transport_rule_creation.toml | 4 +- ...osoft_365_exchange_transport_rule_mod.toml | 4 +- ...5_exchange_anti_phish_policy_deletion.toml | 4 +- ...soft_365_exchange_anti_phish_rule_mod.toml | 4 +- ...osoft_365_exchange_safelinks_disabled.toml | 4 +- 
...exchange_dkim_signing_config_disabled.toml | 4 +- ..._teams_custom_app_interaction_allowed.toml | 4 +- ...5_exchange_management_role_assignment.toml | 4 +- ...oft_365_teams_external_access_enabled.toml | 4 +- ...rosoft_365_teams_guest_access_enabled.toml | 4 +- .../ml/ml_cloudtrail_error_message_spike.toml | 4 +- rules/ml/ml_cloudtrail_rare_error_code.toml | 4 +- .../ml/ml_cloudtrail_rare_method_by_city.toml | 4 +- .../ml_cloudtrail_rare_method_by_country.toml | 4 +- .../ml/ml_cloudtrail_rare_method_by_user.toml | 4 +- .../ml_linux_anomalous_compiler_activity.toml | 4 +- ...nux_anomalous_kernel_module_arguments.toml | 7 +- .../ml_linux_anomalous_metadata_process.toml | 4 +- .../ml/ml_linux_anomalous_metadata_user.toml | 4 +- .../ml_linux_anomalous_network_activity.toml | 4 +- ...linux_anomalous_network_port_activity.toml | 4 +- .../ml_linux_anomalous_network_service.toml | 4 +- ..._linux_anomalous_network_url_activity.toml | 4 +- .../ml_linux_anomalous_process_all_hosts.toml | 4 +- .../ml/ml_linux_anomalous_sudo_activity.toml | 4 +- rules/ml/ml_linux_anomalous_user_name.toml | 4 +- ...ml_linux_system_information_discovery.toml | 4 +- ...ystem_network_configuration_discovery.toml | 4 +- ...x_system_network_connection_discovery.toml | 4 +- .../ml/ml_linux_system_process_discovery.toml | 4 +- rules/ml/ml_linux_system_user_discovery.toml | 4 +- rules/ml/ml_packetbeat_dns_tunneling.toml | 4 +- rules/ml/ml_packetbeat_rare_dns_question.toml | 4 +- .../ml/ml_packetbeat_rare_server_domain.toml | 4 +- rules/ml/ml_packetbeat_rare_urls.toml | 4 +- rules/ml/ml_packetbeat_rare_user_agent.toml | 4 +- rules/ml/ml_rare_process_by_host_linux.toml | 4 +- rules/ml/ml_rare_process_by_host_windows.toml | 4 +- rules/ml/ml_suspicious_login_activity.toml | 4 +- ...ml_windows_anomalous_metadata_process.toml | 4 +- .../ml_windows_anomalous_metadata_user.toml | 4 +- ...ml_windows_anomalous_network_activity.toml | 4 +- .../ml_windows_anomalous_path_activity.toml | 4 +- 
...l_windows_anomalous_process_all_hosts.toml | 4 +- ...ml_windows_anomalous_process_creation.toml | 4 +- rules/ml/ml_windows_anomalous_script.toml | 4 +- rules/ml/ml_windows_anomalous_service.toml | 4 +- rules/ml/ml_windows_anomalous_user_name.toml | 4 +- .../ml/ml_windows_rare_user_runas_event.toml | 4 +- ...windows_rare_user_type10_remote_login.toml | 4 +- ...mand_and_control_cobalt_strike_beacon.toml | 4 +- ...cobalt_strike_default_teamserver_cert.toml | 4 +- ..._control_dns_directly_to_the_internet.toml | 4 +- ...download_rar_powershell_from_internet.toml | 4 +- .../command_and_control_fin7_c2_behavior.toml | 4 +- ...fer_protocol_activity_to_the_internet.toml | 4 +- .../command_and_control_halfbaked_beacon.toml | 4 +- ...hat_protocol_activity_to_the_internet.toml | 4 +- ...d_control_nat_traversal_port_activity.toml | 4 +- .../command_and_control_port_26_activity.toml | 4 +- ...ol_port_8000_activity_to_the_internet.toml | 4 +- ..._to_point_tunneling_protocol_activity.toml | 4 +- ...l_proxy_port_activity_to_the_internet.toml | 4 +- ...te_desktop_protocol_from_the_internet.toml | 4 +- ...mand_and_control_smtp_to_the_internet.toml | 4 +- ..._server_port_activity_to_the_internet.toml | 4 +- ...ol_ssh_secure_shell_from_the_internet.toml | 4 +- ...trol_ssh_secure_shell_to_the_internet.toml | 4 +- ...mand_and_control_telnet_port_activity.toml | 4 +- ..._control_tor_activity_to_the_internet.toml | 4 +- ...l_network_computing_from_the_internet.toml | 4 +- ...ual_network_computing_to_the_internet.toml | 4 +- ...exploitation_public_ip_reconnaissance.toml | 4 +- ...mote_desktop_protocol_to_the_internet.toml | 4 +- ...mote_procedure_call_from_the_internet.toml | 4 +- ...remote_procedure_call_to_the_internet.toml | 4 +- ...file_sharing_activity_to_the_internet.toml | 4 +- ...al_access_unsecure_elasticsearch_node.toml | 4 +- ...tempt_to_deactivate_okta_network_zone.toml | 4 +- .../attempt_to_delete_okta_network_zone.toml | 4 +- ...l_access_attempted_bypass_of_okta_mfa.toml | 
4 +- ...mpts_to_brute_force_okta_user_account.toml | 4 +- ...okta_brute_force_or_password_spraying.toml | 4 +- ...ser_password_reset_or_unlock_attempts.toml | 4 +- ...pact_attempt_to_revoke_okta_api_token.toml | 4 +- .../okta/impact_possible_okta_dos_attack.toml | 4 +- ...icious_activity_reported_by_okta_user.toml | 4 +- ...ttempt_to_deactivate_okta_application.toml | 4 +- ...kta_attempt_to_deactivate_okta_policy.toml | 4 +- ...ttempt_to_deactivate_okta_policy_rule.toml | 4 +- ...ta_attempt_to_delete_okta_application.toml | 4 +- .../okta_attempt_to_delete_okta_policy.toml | 4 +- ...ta_attempt_to_delete_okta_policy_rule.toml | 4 +- ...ta_attempt_to_modify_okta_application.toml | 4 +- ...a_attempt_to_modify_okta_network_zone.toml | 4 +- .../okta_attempt_to_modify_okta_policy.toml | 4 +- ...ta_attempt_to_modify_okta_policy_rule.toml | 4 +- ..._or_delete_application_sign_on_policy.toml | 4 +- ...threat_detected_by_okta_threatinsight.toml | 4 +- ...tor_privileges_assigned_to_okta_group.toml | 4 +- ...inistrator_role_assigned_to_okta_user.toml | 4 +- ...ence_attempt_to_create_okta_api_token.toml | 4 +- ..._deactivate_mfa_for_okta_user_account.toml | 4 +- ...set_mfa_factors_for_okta_user_account.toml | 4 +- rules/promotions/elastic_endpoint.toml | 4 +- .../endpoint_adversary_behavior_detected.toml | 4 +- .../endpoint_cred_dumping_detected.toml | 4 +- .../endpoint_cred_dumping_prevented.toml | 4 +- .../endpoint_cred_manipulation_detected.toml | 4 +- .../endpoint_cred_manipulation_prevented.toml | 4 +- .../promotions/endpoint_exploit_detected.toml | 4 +- .../endpoint_exploit_prevented.toml | 4 +- .../promotions/endpoint_malware_detected.toml | 4 +- .../endpoint_malware_prevented.toml | 4 +- .../endpoint_permission_theft_detected.toml | 4 +- .../endpoint_permission_theft_prevented.toml | 4 +- .../endpoint_process_injection_detected.toml | 4 +- .../endpoint_process_injection_prevented.toml | 4 +- .../endpoint_ransomware_detected.toml | 4 +- 
.../endpoint_ransomware_prevented.toml | 4 +- rules/promotions/external_alerts.toml | 5 +- ...ion_email_powershell_exchange_mailbox.toml | 4 +- ...ll_exch_mailbox_activesync_add_device.toml | 4 +- .../windows/collection_winrar_encryption.toml | 4 +- ...d_control_certutil_network_connection.toml | 4 +- ...ommand_and_control_common_webservices.toml | 4 +- ...nd_and_control_dns_tunneling_nslookup.toml | 4 +- ...control_encrypted_channel_freesslcert.toml | 4 +- .../command_and_control_iexplore_via_com.toml | 5 +- ...ol_remote_file_copy_desktopimgdownldr.toml | 4 +- ...and_control_remote_file_copy_mpcmdrun.toml | 4 +- ...d_control_remote_file_copy_powershell.toml | 4 +- ..._and_control_remote_file_copy_scripts.toml | 4 +- ...control_sunburst_c2_activity_detected.toml | 4 +- ...d_control_teamviewer_remote_file_copy.toml | 4 +- .../credential_access_cmdline_dump_tool.toml | 4 +- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 4 +- ...ial_access_credential_dumping_msbuild.toml | 4 +- ...cess_domain_backup_dpapi_private_keys.toml | 4 +- ...credential_access_dump_registry_hives.toml | 4 +- ...ntial_access_iis_apppoolsa_pwd_appcmd.toml | 4 +- ..._access_iis_connectionstrings_dumping.toml | 4 +- ..._access_kerberoasting_unusual_process.toml | 4 +- ...ial_access_lsass_memdump_file_created.toml | 4 +- ...l_access_mimikatz_memssp_default_logs.toml | 4 +- ...ial_access_mimikatz_powershell_module.toml | 4 +- ..._access_mod_wdigest_security_provider.toml | 4 +- ...redential_access_saved_creds_vaultcmd.toml | 4 +- ...den_file_attribute_with_via_attribexe.toml | 4 +- ...e_evasion_clearing_windows_event_logs.toml | 4 +- ...vasion_clearing_windows_security_logs.toml | 4 +- ...efense_evasion_code_injection_conhost.toml | 5 +- ...e_evasion_create_mod_root_certificate.toml | 4 +- .../defense_evasion_cve_2020_0601.toml | 4 +- ...vasion_defender_disabled_via_registry.toml | 4 +- ...delete_volume_usn_journal_with_fsutil.toml | 4 +- ...deleting_backup_catalogs_with_wbadmin.toml | 4 +- 
...ble_windows_firewall_rules_with_netsh.toml | 4 +- ...vasion_dotnet_compiler_parent_process.toml | 4 +- ...evasion_enable_inbound_rdp_with_netsh.toml | 4 +- ...coding_or_decoding_files_via_certutil.toml | 4 +- ...ense_evasion_execution_lolbas_wuauclt.toml | 4 +- ...ecution_msbuild_started_by_office_app.toml | 4 +- ...n_execution_msbuild_started_by_script.toml | 4 +- ...ion_msbuild_started_by_system_process.toml | 4 +- ...ion_execution_msbuild_started_renamed.toml | 4 +- ...cution_msbuild_started_unusal_process.toml | 4 +- ...execution_suspicious_explorer_winword.toml | 4 +- ...ution_via_trusted_developer_utilities.toml | 4 +- ..._evasion_file_creation_mult_extension.toml | 4 +- ...sion_hide_encoded_executable_registry.toml | 4 +- ...ense_evasion_iis_httplogging_disabled.toml | 4 +- .../defense_evasion_injection_msbuild.toml | 4 +- .../defense_evasion_installutil_beacon.toml | 4 +- ...querading_as_elastic_endpoint_process.toml | 4 +- ...e_evasion_masquerading_renamed_autoit.toml | 4 +- ...erading_suspicious_werfault_childproc.toml | 4 +- ...vasion_masquerading_trusted_directory.toml | 4 +- ...defense_evasion_masquerading_werfault.toml | 4 +- ...isc_lolbin_connecting_to_the_internet.toml | 4 +- ...e_evasion_modification_of_boot_config.toml | 4 +- ...fense_evasion_msbuild_beacon_sequence.toml | 4 +- ...on_msbuild_making_network_connections.toml | 4 +- .../windows/defense_evasion_mshta_beacon.toml | 4 +- ...sion_mshta_making_network_connections.toml | 4 +- .../windows/defense_evasion_msxsl_beacon.toml | 4 +- .../defense_evasion_msxsl_network.toml | 4 +- ...etwork_connection_from_windows_binary.toml | 4 +- ...vasion_port_forwarding_added_registry.toml | 4 +- ...evasion_potential_processherpaderping.toml | 4 +- ...cess_termination_followed_by_deletion.toml | 12 +- rules/windows/defense_evasion_reg_beacon.toml | 4 +- ...defense_evasion_rundll32_no_arguments.toml | 4 +- ...ion_scheduledjobs_at_protocol_enabled.toml | 4 +- ..._evasion_sdelete_like_filename_rename.toml | 5 
+- .../defense_evasion_sip_provider_mod.toml | 4 +- ...ackdoor_service_disabled_via_registry.toml | 4 +- ...vasion_stop_process_service_threshold.toml | 4 +- ...n_suspicious_managedcode_host_process.toml | 4 +- ...efense_evasion_suspicious_scrobj_load.toml | 4 +- ...defense_evasion_suspicious_wmi_script.toml | 5 +- ...evasion_suspicious_zoom_child_process.toml | 4 +- ..._critical_proc_abnormal_file_activity.toml | 4 +- ...nse_evasion_unusual_ads_file_creation.toml | 4 +- .../defense_evasion_unusual_dir_ads.toml | 4 +- ...usual_network_connection_via_rundll32.toml | 4 +- ...on_unusual_process_network_connection.toml | 4 +- ...asion_unusual_system_vp_child_program.toml | 4 +- .../defense_evasion_via_filter_manager.toml | 4 +- ..._volume_shadow_copy_deletion_via_wmic.toml | 4 +- .../discovery_adfind_command_activity.toml | 4 +- rules/windows/discovery_admin_recon.toml | 4 +- .../windows/discovery_file_dir_discovery.toml | 4 +- .../discovery_net_command_system_account.toml | 4 +- rules/windows/discovery_net_view.toml | 4 +- .../windows/discovery_peripheral_device.toml | 4 +- ...rocess_discovery_via_tasklist_command.toml | 4 +- .../discovery_query_registry_via_reg.toml | 4 +- ...ote_system_discovery_commands_windows.toml | 4 +- .../discovery_security_software_wmic.toml | 4 +- .../discovery_whoami_command_activity.toml | 4 +- ...arwinds_backdoor_child_cmd_powershell.toml | 4 +- ...inds_backdoor_unusual_child_processes.toml | 4 +- .../windows/execution_com_object_xwizard.toml | 4 +- ...and_prompt_connecting_to_the_internet.toml | 4 +- ...n_command_shell_started_by_powershell.toml | 4 +- ...tion_command_shell_started_by_svchost.toml | 4 +- ...mand_shell_started_by_unusual_process.toml | 4 +- .../execution_command_shell_via_rundll32.toml | 4 +- .../execution_downloaded_shortcut_files.toml | 4 +- .../execution_downloaded_url_file.toml | 4 +- .../execution_enumeration_via_wmiprvse.toml | 4 +- .../execution_from_unusual_directory.toml | 4 +- 
.../execution_from_unusual_path_cmdline.toml | 4 +- ...le_program_connecting_to_the_internet.toml | 4 +- .../execution_ms_office_written_file.toml | 4 +- rules/windows/execution_pdf_written_file.toml | 4 +- ...ution_psexec_lateral_movement_command.toml | 4 +- ...er_program_connecting_to_the_internet.toml | 4 +- ...tion_scheduled_task_powershell_source.toml | 4 +- ...xecution_shared_modules_local_sxs_dll.toml | 4 +- .../windows/execution_suspicious_cmd_wmi.toml | 5 +- ...n_suspicious_image_load_wmi_ms_office.toml | 4 +- .../execution_suspicious_pdf_reader.toml | 4 +- ...ecution_suspicious_powershell_imgload.toml | 5 +- .../execution_suspicious_psexesvc.toml | 4 +- ...ecution_suspicious_short_program_name.toml | 4 +- .../execution_via_compiled_html_file.toml | 4 +- .../execution_via_hidden_shell_conhost.toml | 4 +- .../execution_via_net_com_assemblies.toml | 4 +- ...ia_xp_cmdshell_mssql_stored_procedure.toml | 4 +- ...ume_shadow_copy_deletion_via_vssadmin.toml | 4 +- ...al_access_script_executing_powershell.toml | 4 +- ...ccess_scripts_process_started_via_wmi.toml | 4 +- ...ss_suspicious_ms_office_child_process.toml | 4 +- ...s_suspicious_ms_outlook_child_process.toml | 4 +- ...l_access_unusual_dns_service_children.toml | 4 +- ...ccess_unusual_dns_service_file_writes.toml | 4 +- ...explorer_suspicious_child_parent_args.toml | 4 +- .../windows/lateral_movement_cmd_service.toml | 4 +- rules/windows/lateral_movement_dcom_hta.toml | 4 +- .../windows/lateral_movement_dcom_mmc20.toml | 4 +- ...t_dcom_shellwindow_shellbrowserwindow.toml | 4 +- ...vement_direct_outbound_smb_connection.toml | 4 +- .../lateral_movement_dns_server_overflow.toml | 4 +- ...movement_executable_tool_transfer_smb.toml | 4 +- ..._movement_execution_from_tsclient_mup.toml | 4 +- ...nt_execution_via_file_shares_sequence.toml | 4 +- ...vement_incoming_winrm_shell_execution.toml | 4 +- .../lateral_movement_incoming_wmi.toml | 4 +- ...teral_movement_local_service_commands.toml | 4 +- 
...ment_mount_hidden_or_webdav_share_net.toml | 4 +- ...l_movement_powershell_remoting_target.toml | 4 +- ...lateral_movement_rdp_enabled_registry.toml | 4 +- .../lateral_movement_rdp_sharprdp_target.toml | 4 +- .../lateral_movement_rdp_tunnel_plink.toml | 5 +- ...ovement_remote_file_copy_hidden_share.toml | 4 +- .../lateral_movement_remote_services.toml | 4 +- ...ateral_movement_scheduled_task_target.toml | 4 +- ...ement_suspicious_rdp_client_imageload.toml | 4 +- ...l_movement_via_startup_folder_rdp_smb.toml | 4 +- .../persistence_adobe_hijack_persistence.toml | 4 +- .../windows/persistence_app_compat_shim.toml | 4 +- .../persistence_appcertdlls_registry.toml | 4 +- .../persistence_appinitdlls_registry.toml | 4 +- ...evasion_hidden_local_account_creation.toml | 4 +- ...tence_evasion_registry_ifeo_injection.toml | 4 +- ...sistence_gpo_schtask_service_creation.toml | 4 +- ...istence_local_scheduled_task_commands.toml | 4 +- ...stence_local_scheduled_task_scripting.toml | 4 +- .../persistence_ms_office_addins_file.toml | 4 +- .../persistence_ms_outlook_vba_template.toml | 4 +- ...escalation_via_accessibility_features.toml | 4 +- .../persistence_registry_uncommon.toml | 4 +- ...persistence_run_key_and_startup_broad.toml | 4 +- ...ce_runtime_run_key_startup_susp_procs.toml | 4 +- .../persistence_services_registry.toml | 4 +- ...er_file_written_by_suspicious_process.toml | 4 +- ...lder_file_written_by_unsigned_process.toml | 4 +- .../persistence_startup_folder_scripts.toml | 4 +- ...stence_suspicious_com_hijack_registry.toml | 4 +- ...s_image_load_scheduled_task_ms_office.toml | 4 +- ...nce_suspicious_scheduled_task_runtime.toml | 4 +- ...e_suspicious_service_created_registry.toml | 4 +- ...ersistence_system_shells_via_services.toml | 4 +- .../persistence_time_provider_mod.toml | 4 +- ..._account_added_to_privileged_group_ad.toml | 4 +- .../persistence_user_account_creation.toml | 4 +- ...ence_user_account_creation_event_logs.toml | 4 +- 
.../persistence_via_application_shimming.toml | 4 +- ...sistence_via_hidden_run_key_valuename.toml | 4 +- ...sa_security_support_provider_registry.toml | 4 +- ...emetrycontroller_scheduledtask_hijack.toml | 4 +- ...ia_update_orchestrator_service_hijack.toml | 5 +- ...nt_instrumentation_event_subscription.toml | 4 +- ...ilege_escalation_disable_uac_registry.toml | 4 +- ...privilege_escalation_lsa_auth_package.toml | 4 +- ...e_escalation_named_pipe_impersonation.toml | 4 +- ...ge_escalation_persistence_phantom_dll.toml | 4 +- ...ion_port_monitor_print_pocessor_abuse.toml | 4 +- ...ation_printspooler_registry_copyfiles.toml | 4 +- ..._printspooler_service_suspicious_file.toml | 4 +- ...tion_printspooler_suspicious_spl_file.toml | 4 +- ...calation_rogue_windir_environment_var.toml | 4 +- ...lege_escalation_uac_bypass_com_clipup.toml | 5 +- ...ge_escalation_uac_bypass_com_ieinstal.toml | 5 +- ...n_uac_bypass_com_interface_icmluautil.toml | 4 +- ...alation_uac_bypass_diskcleanup_hijack.toml | 4 +- ...escalation_uac_bypass_dll_sideloading.toml | 4 +- ...ge_escalation_uac_bypass_event_viewer.toml | 4 +- ...ege_escalation_uac_bypass_mock_windir.toml | 4 +- ...scalation_uac_bypass_winfw_mmc_hijack.toml | 4 +- .../privilege_escalation_uac_sdclt.toml | 4 +- ...tion_unusual_parentchild_relationship.toml | 4 +- ...n_unusual_svchost_childproc_childless.toml | 4 +- ...rivilege_escalation_wpad_exploitation.toml | 5 +- tests/__init__.py | 5 +- tests/kuery/__init__.py | 5 +- tests/kuery/test_dsl.py | 5 +- tests/kuery/test_eql2kql.py | 5 +- tests/kuery/test_evaluator.py | 5 +- tests/kuery/test_kql2eql.py | 5 +- tests/kuery/test_lint.py | 5 +- tests/kuery/test_parser.py | 5 +- tests/test_all_rules.py | 5 +- tests/test_mappings.py | 5 +- tests/test_packages.py | 7 +- tests/test_schemas.py | 11 +- tests/test_toml_formatter.py | 5 +- tests/test_utils.py | 5 +- 692 files changed, 1697 insertions(+), 1645 deletions(-) create mode 100644 detection_rules/schemas/v7_12.py 
diff --git a/LICENSE.txt b/LICENSE.txt
index 7376ffc3ff1..809108b857f 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,223 +1,93 @@ -ELASTIC LICENSE AGREEMENT - -PLEASE READ CAREFULLY THIS ELASTIC LICENSE AGREEMENT (THIS "AGREEMENT"), WHICH -CONSTITUTES A LEGALLY BINDING AGREEMENT AND GOVERNS ALL OF YOUR USE OF ALL OF -THE ELASTIC SOFTWARE WITH WHICH THIS AGREEMENT IS INCLUDED ("ELASTIC SOFTWARE") -THAT IS PROVIDED IN OBJECT CODE FORMAT, AND, IN ACCORDANCE WITH SECTION 2 BELOW, -CERTAIN OF THE ELASTIC SOFTWARE THAT IS PROVIDED IN SOURCE CODE FORMAT. BY -INSTALLING OR USING ANY OF THE ELASTIC SOFTWARE GOVERNED BY THIS AGREEMENT, YOU -ARE ASSENTING TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE -WITH SUCH TERMS AND CONDITIONS, YOU MAY NOT INSTALL OR USE THE ELASTIC SOFTWARE -GOVERNED BY THIS AGREEMENT. IF YOU ARE INSTALLING OR USING THE SOFTWARE ON -BEHALF OF A LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE THE ACTUAL -AUTHORITY TO AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT ON BEHALF OF -SUCH ENTITY. - -Posted Date: April 20, 2018 - -This Agreement is entered into by and between Elasticsearch BV ("Elastic") and -You, or the legal entity on behalf of whom You are acting (as applicable, -"You"). - -1. OBJECT CODE END USER LICENSES, RESTRICTIONS AND THIRD PARTY OPEN SOURCE -SOFTWARE - - 1.1 Object Code End User License. Subject to the terms and conditions of - Section 1.2 of this Agreement, Elastic hereby grants to You, AT NO CHARGE and - for so long as you are not in breach of any provision of this Agreement, a - License to the Basic Features and Functions of the Elastic Software. - - 1.2 Reservation of Rights; Restrictions. As between Elastic and You, Elastic - and its licensors own all right, title and interest in and to the Elastic - Software, and except as expressly set forth in Sections 1.1, and 2.1 of this - Agreement, no other license to the Elastic Software is granted to You under - this Agreement, by implication, estoppel or otherwise. 
You agree not to: (i) - reverse engineer or decompile, decrypt, disassemble or otherwise reduce any - Elastic Software provided to You in Object Code, or any portion thereof, to - Source Code, except and only to the extent any such restriction is prohibited - by applicable law, (ii) except as expressly permitted in this Agreement, - prepare derivative works from, modify, copy or use the Elastic Software Object - Code or the Commercial Software Source Code in any manner; (iii) except as - expressly permitted in Section 1.1 above, transfer, sell, rent, lease, - distribute, sublicense, loan or otherwise transfer, Elastic Software Object - Code, in whole or in part, to any third party; (iv) use Elastic Software - Object Code for providing time-sharing services, any software-as-a-service, - service bureau services or as part of an application services provider or - other service offering (collectively, "SaaS Offering") where obtaining access - to the Elastic Software or the features and functions of the Elastic Software - is a primary reason or substantial motivation for users of the SaaS Offering - to access and/or use the SaaS Offering ("Prohibited SaaS Offering"); (v) - circumvent the limitations on use of Elastic Software provided to You in - Object Code format that are imposed or preserved by any License Key, or (vi) - alter or remove any Marks and Notices in the Elastic Software. If You have any - question as to whether a specific SaaS Offering constitutes a Prohibited SaaS - Offering, or are interested in obtaining Elastic's permission to engage in - commercial or non-commercial distribution of the Elastic Software, please - contact elastic_license@elastic.co. - - 1.3 Third Party Open Source Software. 
The Commercial Software may contain or - be provided with third party open source libraries, components, utilities and - other open source software (collectively, "Open Source Software"), which Open - Source Software may have applicable license terms as identified on a website - designated by Elastic. Notwithstanding anything to the contrary herein, use of - the Open Source Software shall be subject to the license terms and conditions - applicable to such Open Source Software, to the extent required by the - applicable licensor (which terms shall not restrict the license rights granted - to You hereunder, but may contain additional rights). To the extent any - condition of this Agreement conflicts with any license to the Open Source - Software, the Open Source Software license will govern with respect to such - Open Source Software only. Elastic may also separately provide you with - certain open source software that is licensed by Elastic. Your use of such - Elastic open source software will not be governed by this Agreement, but by - the applicable open source license terms. - -2. COMMERCIAL SOFTWARE SOURCE CODE - - 2.1 Limited License. Subject to the terms and conditions of Section 2.2 of - this Agreement, Elastic hereby grants to You, AT NO CHARGE and for so long as - you are not in breach of any provision of this Agreement, a limited, - non-exclusive, non-transferable, fully paid up royalty free right and license - to the Commercial Software in Source Code format, without the right to grant - or authorize sublicenses, to prepare Derivative Works of the Commercial - Software, provided You (i) do not hack the licensing mechanism, or otherwise - circumvent the intended limitations on the use of Elastic Software to enable - features other than Basic Features and Functions or those features You are - entitled to as part of a Subscription, and (ii) use the resulting object code - only for reasonable testing purposes. - - 2.2 Restrictions. 
Nothing in Section 2.1 grants You the right to (i) use the - Commercial Software Source Code other than in accordance with Section 2.1 - above, (ii) use a Derivative Work of the Commercial Software outside of a - Non-production Environment, in any production capacity, on a temporary or - permanent basis, or (iii) transfer, sell, rent, lease, distribute, sublicense, - loan or otherwise make available the Commercial Software Source Code, in whole - or in part, to any third party. Notwithstanding the foregoing, You may - maintain a copy of the repository in which the Source Code of the Commercial - Software resides and that copy may be publicly accessible, provided that you - include this Agreement with Your copy of the repository. - -3. TERMINATION - - 3.1 Termination. This Agreement will automatically terminate, whether or not - You receive notice of such Termination from Elastic, if You breach any of its - provisions. - - 3.2 Post Termination. Upon any termination of this Agreement, for any reason, - You shall promptly cease the use of the Elastic Software in Object Code format - and cease use of the Commercial Software in Source Code format. For the - avoidance of doubt, termination of this Agreement will not affect Your right - to use Elastic Software, in either Object Code or Source Code formats, made - available under the Apache License Version 2.0. - - 3.3 Survival. Sections 1.2, 2.2. 3.3, 4 and 5 shall survive any termination or - expiration of this Agreement. - -4. DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY - - 4.1 Disclaimer of Warranties. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE - LAW, THE ELASTIC SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, - AND ELASTIC AND ITS LICENSORS MAKE NO WARRANTIES WHETHER EXPRESSED, IMPLIED OR - STATUTORY REGARDING OR RELATING TO THE ELASTIC SOFTWARE. 
TO THE MAXIMUM EXTENT - PERMITTED UNDER APPLICABLE LAW, ELASTIC AND ITS LICENSORS SPECIFICALLY - DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE AND NON-INFRINGEMENT WITH RESPECT TO THE ELASTIC SOFTWARE, AND WITH - RESPECT TO THE USE OF THE FOREGOING. FURTHER, ELASTIC DOES NOT WARRANT RESULTS - OF USE OR THAT THE ELASTIC SOFTWARE WILL BE ERROR FREE OR THAT THE USE OF THE - ELASTIC SOFTWARE WILL BE UNINTERRUPTED. - - 4.2 Limitation of Liability. IN NO EVENT SHALL ELASTIC OR ITS LICENSORS BE - LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DIRECT OR INDIRECT DAMAGES, - INCLUDING, WITHOUT LIMITATION, FOR ANY LOSS OF PROFITS, LOSS OF USE, BUSINESS - INTERRUPTION, LOSS OF DATA, COST OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY - SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, IN CONNECTION WITH - OR ARISING OUT OF THE USE OR INABILITY TO USE THE ELASTIC SOFTWARE, OR THE - PERFORMANCE OF OR FAILURE TO PERFORM THIS AGREEMENT, WHETHER ALLEGED AS A - BREACH OF CONTRACT OR TORTIOUS CONDUCT, INCLUDING NEGLIGENCE, EVEN IF ELASTIC - HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - -5. MISCELLANEOUS - - This Agreement completely and exclusively states the entire agreement of the - parties regarding the subject matter herein, and it supersedes, and its terms - govern, all prior proposals, agreements, or other communications between the - parties, oral or written, regarding such subject matter. This Agreement may be - modified by Elastic from time to time, and any such modifications will be - effective upon the "Posted Date" set forth at the top of the modified - Agreement. If any provision hereof is held unenforceable, this Agreement will - continue without said provision and be interpreted to reflect the original - intent of the parties. This Agreement and any non-contractual obligation - arising out of or in connection with it, is governed exclusively by Dutch law. 
- This Agreement shall not be governed by the 1980 UN Convention on Contracts - for the International Sale of Goods. All disputes arising out of or in - connection with this Agreement, including its existence and validity, shall be - resolved by the courts with jurisdiction in Amsterdam, The Netherlands, except - where mandatory law provides for the courts at another location in The - Netherlands to have jurisdiction. The parties hereby irrevocably waive any and - all claims and defenses either might otherwise have in any such action or - proceeding in any of such courts based upon any alleged lack of personal - jurisdiction, improper venue, forum non conveniens or any similar claim or - defense. A breach or threatened breach, by You of Section 2 may cause - irreparable harm for which damages at law may not provide adequate relief, and - therefore Elastic shall be entitled to seek injunctive relief without being - required to post a bond. You may not assign this Agreement (including by - operation of law in connection with a merger or acquisition), in whole or in - part to any third party without the prior written consent of Elastic, which - may be withheld or granted by Elastic in its sole and absolute discretion. - Any assignment in violation of the preceding sentence is void. Notices to - Elastic may also be sent to legal@elastic.co. - -6. DEFINITIONS - - The following terms have the meanings ascribed: - - 6.1 "Affiliate" means, with respect to a party, any entity that controls, is - controlled by, or which is under common control with, such party, where - "control" means ownership of at least fifty percent (50%) of the outstanding - voting shares of the entity, or the contractual right to establish policy for, - and manage the operations of, the entity. 
- - 6.2 "Basic Features and Functions" means those features and functions of the - Elastic Software that are eligible for use under a Basic license, as set forth - at https://www.elastic.co/subscriptions, as may be modified by Elastic from - time to time. - - 6.3 "Commercial Software" means the Elastic Software Source Code in any file - containing a header stating the contents are subject to the Elastic License or - which is contained in the repository folder labeled "x-pack", unless a LICENSE - file present in the directory subtree declares a different license. - - 6.4 "Derivative Work of the Commercial Software" means, for purposes of this - Agreement, any modification(s) or enhancement(s) to the Commercial Software, - which represent, as a whole, an original work of authorship. - - 6.5 "License" means a limited, non-exclusive, non-transferable, fully paid up, - royalty free, right and license, without the right to grant or authorize - sublicenses, solely for Your internal business operations to (i) install and - use the applicable Features and Functions of the Elastic Software in Object - Code, and (ii) permit Contractors and Your Affiliates to use the Elastic - software as set forth in (i) above, provided that such use by Contractors must - be solely for Your benefit and/or the benefit of Your Affiliates, and You - shall be responsible for all acts and omissions of such Contractors and - Affiliates in connection with their use of the Elastic software that are - contrary to the terms and conditions of this Agreement. - - 6.6 "License Key" means a sequence of bytes, including but not limited to a - JSON blob, that is used to enable certain features and functions of the - Elastic Software. - - 6.7 "Marks and Notices" means all Elastic trademarks, trade names, logos and - notices present on the Documentation as originally provided by Elastic. 
- - 6.8 "Non-production Environment" means an environment for development, testing - or quality assurance, where software is not used for production purposes. - - 6.9 "Object Code" means any form resulting from mechanical transformation or - translation of Source Code form, including but not limited to compiled object - code, generated documentation, and conversions to other media types. - - 6.10 "Source Code" means the preferred form of computer software for making - modifications, including but not limited to software source code, - documentation source, and configuration files. - - 6.11 "Subscription" means the right to receive Support Services and a License - to the Commercial Software. +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. 
+ +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. 
+ +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/README.md b/README.md index 816f9d41b59..1f656341eb6 100644 --- a/README.md +++ b/README.md 
@@ -90,9 +90,9 @@ We welcome your contributions to Detection Rules! Before contributing, please fa
 ## Licensing
-Everything in this repository — rules, code, RTA, etc. — is licensed under the [Elastic License](LICENSE.txt). These rules are designed to be used in the context of the Detection Engine within the Elastic Security application. If you’re using our [Elastic Cloud managed service](https://www.elastic.co/cloud/) or the default distribution of the Elastic Stack software that includes the [full set of free features](https://www.elastic.co/subscriptions), you’ll get the latest rules the first time you navigate to the detection engine.
+Everything in this repository — rules, code, RTA, etc. — is licensed under the [Elastic License v2](LICENSE.txt). These rules are designed to be used in the context of the Detection Engine within the Elastic Security application. If you’re using our [Elastic Cloud managed service](https://www.elastic.co/cloud/) or the default distribution of the Elastic Stack software that includes the [full set of free features](https://www.elastic.co/subscriptions), you’ll get the latest rules the first time you navigate to the detection engine.
-Occasionally, we may want to import rules from another repository that already have a license, such as MIT or Apache 2.0. This is welcome, as long as the license permits sublicensing under the Elastic License. We keep those license notices in `NOTICE.txt` and sublicense as the Elastic License with all other rules. We also require contributors to sign a [Contributor License Agreement](https://www.elastic.co/contributor-agreement) before contributing code to any Elastic repositories.
+Occasionally, we may want to import rules from another repository that already have a license, such as MIT or Apache 2.0. This is welcome, as long as the license permits sublicensing under the Elastic License v2. We keep those license notices in `NOTICE.txt` and sublicense as the Elastic License v2 with all other rules. 
We also require contributors to sign a [Contributor License Agreement](https://www.elastic.co/contributor-agreement) before contributing code to any Elastic repositories.
 ## Questions? Problems? Suggestions?
diff --git a/detection_rules/__init__.py b/detection_rules/__init__.py
index e3d58b56def..aae5ac606a0 100644
--- a/detection_rules/__init__.py
+++ b/detection_rules/__init__.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Detection rules."""
 from . import devtools
diff --git a/detection_rules/__main__.py b/detection_rules/__main__.py
index 1aebdbc0f8a..0069aff3404 100644
--- a/detection_rules/__main__.py
+++ b/detection_rules/__main__.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 # coding=utf-8
 """Shell for detection-rules."""
diff --git a/detection_rules/attack.py b/detection_rules/attack.py
index e04e242f38e..70c3e217dcf 100644
--- a/detection_rules/attack.py
+++ b/detection_rules/attack.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Mitre attack info."""
 import os
diff --git a/detection_rules/beats.py b/detection_rules/beats.py
index 3ac8f082e3d..99f1108395d 100644
--- a/detection_rules/beats.py
+++ b/detection_rules/beats.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """ECS Schemas management."""
 import os
diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py
index 7e3691519ec..8480a05931c 100644
--- a/detection_rules/devtools.py
+++ b/detection_rules/devtools.py
@@ -1,9 +1,9 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """CLI commands for internal detection_rules dev team."""
-import glob
 import hashlib
 import io
 import json
@@ -191,31 +191,32 @@ def git(*args, show_output=False):
 @dev_group.command('license-check')
+@click.option('--ignore-directory', '-i', multiple=True, help='Directories to skip (relative to base)')
 @click.pass_context
-def license_check(ctx):
+def license_check(ctx, ignore_directory):
 """Check that all code files contain a valid license."""
-
+ ignore_directory += ("env",)
 failed = False
+ base_path = Path(get_path())
- for path in glob.glob(get_path("**", "*.py"), recursive=True):
- if path.startswith(get_path("env", "")):
+ for path in base_path.rglob('*.py'):
+ relative_path = path.relative_to(base_path)
+ if relative_path.parts[0] in ignore_directory:
 continue
- relative_path = os.path.relpath(path)
-
 with io.open(path, "rt", encoding="utf-8") as f:
 contents = f.read()
- # skip over shebang lines
- if contents.startswith("#!/"):
- _, _, contents = contents.partition("\n")
+ # skip over shebang lines
+ if contents.startswith("#!/"):
+ _, _, contents = contents.partition("\n")
- if not contents.lstrip("\r\n").startswith(PYTHON_LICENSE):
- if not failed:
- click.echo("Missing license headers for:", err=True)
+ if not contents.lstrip("\r\n").startswith(PYTHON_LICENSE):
+ if not failed:
+ click.echo("Missing license headers for:", err=True)
- failed = True
- click.echo(relative_path, err=True)
+ failed = True
+ click.echo(relative_path, err=True)
 ctx.exit(int(failed))
diff --git a/detection_rules/docs.py b/detection_rules/docs.py
index 45a433630f4..8efda477919 100644
--- a/detection_rules/docs.py
+++ b/detection_rules/docs.py
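Review bot: The new `--ignore-directory` values are compared only against `relative_path.parts[0]`, so a nested path such as `rta/bin` (which the help text "relative to base" invites) never matches and the option silently does nothing, while a bare file name at the repository root would skip that file instead of a directory. Either narrow the help text to "top-level directory names" or match on path prefixes: build `skip = tuple(Path(d).parts for d in ignore_directory)` before the loop and test `if any(relative_path.parts[:len(p)] == p for p in skip): continue`. Because a skipped directory is never license-checked at all, an ignore value that matched nothing is worth reporting rather than accepting silently, though that could be a follow-up. `Path` is used here but no import for it appears in the visible hunks; presumably it is already imported elsewhere in devtools.py.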
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Create summary documents for a rule package."""
 from collections import defaultdict
diff --git a/detection_rules/ecs.py b/detection_rules/ecs.py
index 7c901ff677b..dd4a67b9bd5 100644
--- a/detection_rules/ecs.py
+++ b/detection_rules/ecs.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """ECS Schemas management."""
 import copy
diff --git a/detection_rules/eswrap.py b/detection_rules/eswrap.py
index 672fd696091..743ed3b18bb 100644
--- a/detection_rules/eswrap.py
+++ b/detection_rules/eswrap.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Elasticsearch cli commands."""
 import json
diff --git a/detection_rules/kbwrap.py b/detection_rules/kbwrap.py
index 3b1e83ad769..7501dce552f 100644
--- a/detection_rules/kbwrap.py
+++ b/detection_rules/kbwrap.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Kibana cli commands."""
 import click
diff --git a/detection_rules/main.py b/detection_rules/main.py
index 1ff414d4cdc..7209b6eca20 100644
--- a/detection_rules/main.py
+++ b/detection_rules/main.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """CLI commands for detection_rules."""
 import glob
diff --git a/detection_rules/mappings.py b/detection_rules/mappings.py
index 8feb32080e2..a13138fce60 100644
--- a/detection_rules/mappings.py
+++ b/detection_rules/mappings.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """RTA to rule mappings."""
 import os
diff --git a/detection_rules/misc.py b/detection_rules/misc.py
index c78bf65e639..e75bb00b242 100644
--- a/detection_rules/misc.py
+++ b/detection_rules/misc.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Misc support."""
 import hashlib
@@ -42,8 +43,9 @@ LICENSE_HEADER = """
 Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-or more contributor license agreements. Licensed under the Elastic License;
-you may not use this file except in compliance with the Elastic License.
+or more contributor license agreements. Licensed under the Elastic License
+2.0; you may not use this file except in compliance with the Elastic License
+2.0.
 """.strip()
 LICENSE_LINES = LICENSE_HEADER.splitlines()
diff --git a/detection_rules/packaging.py b/detection_rules/packaging.py
index 63fe1e4b321..10823e47f94 100644
--- a/detection_rules/packaging.py
+++ b/detection_rules/packaging.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Packaging and preparation for releases."""
 import base64
diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 8e247317869..dfcca19d524 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Rule object.""" import base64 import copy diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py index 83a8bd63d2b..859178842fb 100644 --- a/detection_rules/rule_formatter.py +++ b/detection_rules/rule_formatter.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Helper functions for managing rules in the repository.""" import copy diff --git a/detection_rules/rule_loader.py b/detection_rules/rule_loader.py index 5abe09a8eff..5dfe891ba42 100644 --- a/detection_rules/rule_loader.py +++ b/detection_rules/rule_loader.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Load rule metadata transform between rule and api formats.""" import functools diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py index e80fd8c7d9a..58ef7de5961 100644 
--- a/detection_rules/schemas/__init__.py
+++ b/detection_rules/schemas/__init__.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 from .base import TomlMetadata
 from .rta_schema import validate_rta_mapping
@@ -11,6 +12,7 @@
 from .v7_9 import ApiSchema79
 from .v7_10 import ApiSchema710
 from .v7_11 import ApiSchema711
+from .v7_12 import ApiSchema712
 __all__ = (
     "all_schemas",
@@ -26,6 +28,7 @@
     ApiSchema79,
     ApiSchema710,
     ApiSchema711,
+    ApiSchema712,
 ]
 CurrentSchema = all_schemas[-1]
 available_versions = [cls.STACK_VERSION for cls in all_schemas]
diff --git a/detection_rules/schemas/base.py b/detection_rules/schemas/base.py
index d44840f389a..1df4696f3c6 100644
--- a/detection_rules/schemas/base.py
+++ b/detection_rules/schemas/base.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Definitions for rule metadata and schemas."""
diff --git a/detection_rules/schemas/rta_schema.py b/detection_rules/schemas/rta_schema.py
index 8dc5ca0f5a2..f86bcd9f2ec 100644
--- a/detection_rules/schemas/rta_schema.py
+++ b/detection_rules/schemas/rta_schema.py
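Review bot: The `all_schemas` list in the third hunk is order-dependent in a way the code does not state: `CurrentSchema = all_schemas[-1]` makes whichever class is appended last the default, so adding `ApiSchema712` at the end silently moves the default validation and export target to 7.12 for every caller that does not name a version. Nothing on the list documents that invariant, so the next version bump can easily insert in the wrong position; a comment above the list, `# keep in ascending STACK_VERSION order — the last entry becomes CurrentSchema`, plus an assertion that `available_versions` is strictly increasing would make a misordering fail loudly. The `__all__` tuple in the second hunk is not extended with the new class; that is consistent with the existing entries only if the per-version classes are deliberately kept out of it, which the hunk does not show, so worth confirming.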
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. import jsl import jsonschema diff --git a/detection_rules/schemas/v7_10.py b/detection_rules/schemas/v7_10.py index c2bc2c1372f..3d99ba64b9d 100644 --- a/detection_rules/schemas/v7_10.py +++ b/detection_rules/schemas/v7_10.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Definitions for rule metadata and schemas.""" diff --git a/detection_rules/schemas/v7_11.py b/detection_rules/schemas/v7_11.py index f0a5d51f173..d13c419bc2d 100644 --- a/detection_rules/schemas/v7_11.py +++ b/detection_rules/schemas/v7_11.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Definitions for rule metadata and schemas.""" diff --git a/detection_rules/schemas/v7_12.py b/detection_rules/schemas/v7_12.py new file mode 100644 index 00000000000..8a6b84a3ce0 --- /dev/null +++ b/detection_rules/schemas/v7_12.py 
@@ -0,0 +1,14 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+"""Definitions for rule metadata and schemas."""
+
+from .v7_11 import ApiSchema711
+
+
+class ApiSchema712(ApiSchema711):
+    """Schema for siem rule in API format."""
+
+    STACK_VERSION = "7.12"
diff --git a/detection_rules/schemas/v7_8.py b/detection_rules/schemas/v7_8.py
index 36f80515475..74e1c339052 100644
--- a/detection_rules/schemas/v7_8.py
+++ b/detection_rules/schemas/v7_8.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Definitions for rule metadata and schemas."""
diff --git a/detection_rules/schemas/v7_9.py b/detection_rules/schemas/v7_9.py
index 87a2b2d0532..f0ab9b60f3c 100644
--- a/detection_rules/schemas/v7_9.py
+++ b/detection_rules/schemas/v7_9.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Definitions for rule metadata and schemas."""
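Review bot: The docstring on the new `ApiSchema712` class repeats the parent's wording and says nothing about what this version adds, which for a class whose only body line is `STACK_VERSION = "7.12"` is the one fact a reader wants. Suggested replacement: `"""Schema for siem rule in API format, stack 7.12; no field changes over ApiSchema711."""`. That sentence also makes it explicit that a later field addition for 7.12 belongs here rather than in the inherited 7.9 schema.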
@@ -50,7 +51,7 @@ class ApiSchema79(ApiSchema78):
     author = jsl.ArrayField(jsl.StringField(default="Elastic"), required=True, min_items=1)
     building_block_type = jsl.StringField(required=False)
     exceptions_list = jsl.ArrayField(required=False)
-    license = jsl.StringField(required=True, default="Elastic License")
+    license = jsl.StringField(required=True, default="Elastic License v2")
     risk_score_mapping = jsl.ArrayField(jsl.DocumentField(RiskScoreMapping), required=False, min_items=1)
     rule_name_override = jsl.StringField(required=False)
     severity_mapping = jsl.ArrayField(jsl.DocumentField(SeverityMapping), required=False, min_items=1)
diff --git a/detection_rules/semver.py b/detection_rules/semver.py
index 1cc9ea3e70c..fe8d35fa985 100644
--- a/detection_rules/semver.py
+++ b/detection_rules/semver.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Helper functionality for comparing semantic versions."""
 import re
diff --git a/detection_rules/utils.py b/detection_rules/utils.py
index b461b7f9d1f..0507d3c9e03 100644
--- a/detection_rules/utils.py
+++ b/detection_rules/utils.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Util functions."""
 import contextlib
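Review bot: The new default on the `license` line is not enforced: the field remains a free-form `jsl.StringField`, so a rule whose TOML still carries the old `Elastic License` string (or any other value) validates unchanged, and the new text only reaches rules that omit the field entirely. If the intent is that every rule in the repository carries the v2 string, either constrain the field, `license = jsl.StringField(required=True, default="Elastic License v2", enum=["Elastic License v2"])`, or add an explicit check in the rule loader or tests; the `enum` form rejects the old value outright, so it would be a breaking change for anything still producing it. Changing the default inside `ApiSchema79` also changes it for every schema that inherits from it (7.10, 7.11 and the new 7.12 elsewhere in this commit), which looks intended but is worth a short comment on the line. The body of `ApiSchema79` continues outside the hunk.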
diff --git a/kibana/__init__.py b/kibana/__init__.py index ed1f5ed71bb..2e174fa04e4 100644 --- a/kibana/__init__.py +++ b/kibana/__init__.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Wrapper around Kibana APIs for the Security Application.""" diff --git a/kibana/connector.py b/kibana/connector.py index f4f6cbb42aa..b8c5e7d6110 100644 --- a/kibana/connector.py +++ b/kibana/connector.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Wrapper around requests.Session for HTTP requests to Kibana.""" import json diff --git a/kibana/resources.py b/kibana/resources.py index eded7f159aa..8ec45cf19ef 100644 --- a/kibana/resources.py +++ b/kibana/resources.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. import datetime from typing import List, Type diff --git a/kql/__init__.py b/kql/__init__.py index 9469b172cda..e0889d40d8b 100644 --- a/kql/__init__.py +++ b/kql/__init__.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. import eql diff --git a/kql/ast.py b/kql/ast.py index 33d35ddce40..e6c7de11b18 100644 --- a/kql/ast.py +++ b/kql/ast.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. import re from string import Template diff --git a/kql/dsl.py b/kql/dsl.py index 2edc48adbf0..d9df95c7d1b 100644 --- a/kql/dsl.py +++ b/kql/dsl.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. from collections import defaultdict from eql import Walker diff --git a/kql/eql2kql.py b/kql/eql2kql.py index 9d139fc6f12..68faf4a836a 100755 --- a/kql/eql2kql.py +++ b/kql/eql2kql.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. #!/usr/bin/env python import eql diff --git a/kql/errors.py b/kql/errors.py index 8530c810996..eff0b9797a4 100644 --- a/kql/errors.py +++ b/kql/errors.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. from eql import EqlError, EqlParseError, EqlCompileError diff --git a/kql/evaluator.py b/kql/evaluator.py index 649c565f469..0a7eaa181c1 100644 --- a/kql/evaluator.py +++ b/kql/evaluator.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. import operator import re diff --git a/kql/kql2eql.py b/kql/kql2eql.py index 0bab5d741b9..cca3e362f3d 100755 --- a/kql/kql2eql.py +++ b/kql/kql2eql.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. import eql diff --git a/kql/optimizer.py b/kql/optimizer.py index 0612a488876..9893f431de0 100644 --- a/kql/optimizer.py +++ b/kql/optimizer.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. import functools diff --git a/kql/parser.py b/kql/parser.py index b8e770a0097..058dfcfae87 100644 --- a/kql/parser.py +++ b/kql/parser.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. import contextlib import os diff --git a/rta/__init__.py b/rta/__init__.py index aa71197acf3..08e649e33b6 100644 --- a/rta/__init__.py +++ b/rta/__init__.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. import glob import importlib diff --git a/rta/__main__.py b/rta/__main__.py index a5173ca2f77..b57d7db3763 100644 --- a/rta/__main__.py +++ b/rta/__main__.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. import argparse import importlib diff --git a/rta/adobe_hijack.py b/rta/adobe_hijack.py index e58c788ae7c..f1732716406 100644 --- a/rta/adobe_hijack.py +++ b/rta/adobe_hijack.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Adobe Hijack Persistence # RTA: adobe_hijack.py diff --git a/rta/appcompat_shim.py b/rta/appcompat_shim.py index 93c8ad2a242..71dcabc8708 100644 --- a/rta/appcompat_shim.py +++ b/rta/appcompat_shim.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Application Compatibility Shims # RTA: appcompat_shim.py diff --git a/rta/at_command.py b/rta/at_command.py index d82a523da7c..083ad1bc715 100644 --- a/rta/at_command.py +++ b/rta/at_command.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: AT Command Lateral Movement # RTA: at_command.py diff --git a/rta/bin/__init__.py b/rta/bin/__init__.py index 7f7806bc82c..e56d619096b 100644 --- a/rta/bin/__init__.py +++ b/rta/bin/__init__.py @@ -1,4 +1,5 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. diff --git a/rta/bitsadmin_download.py b/rta/bitsadmin_download.py index b7ad524cfa9..39c7c6a7fe3 100644 --- a/rta/bitsadmin_download.py +++ b/rta/bitsadmin_download.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Suspicious BitsAdmin Download File # RTA: bitsadmin_download.py diff --git a/rta/brute_force_login.py b/rta/brute_force_login.py index 5c57fc3a5c2..00b4a768432 100644 --- a/rta/brute_force_login.py +++ b/rta/brute_force_login.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Brute Force Login Attempts # RTA: brute_force_login.py diff --git a/rta/certutil_file_obfuscation.py b/rta/certutil_file_obfuscation.py index 84e7ccfd90a..ed1e2806e91 100644 --- a/rta/certutil_file_obfuscation.py +++ b/rta/certutil_file_obfuscation.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Certutil Encode / Decode # RTA: certutil_file_obfuscation.py diff --git a/rta/certutil_webrequest.py b/rta/certutil_webrequest.py index ea1c105243d..c76f4a2e36c 100644 --- a/rta/certutil_webrequest.py +++ b/rta/certutil_webrequest.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Downloading Files With Certutil # RTA: certutil_webrequest.py diff --git a/rta/common.py b/rta/common.py index ad6a634b9a2..c7a4d06a144 100644 --- a/rta/common.py +++ b/rta/common.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. from __future__ import unicode_literals, print_function diff --git a/rta/comsvcs_dump.py b/rta/comsvcs_dump.py index b14903cbd2a..0fe256d9141 100644 --- a/rta/comsvcs_dump.py +++ b/rta/comsvcs_dump.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Memory Dump via Comsvcs # RTA: comsvcs_dump.py diff --git a/rta/dcom_lateral_movement_with_mmc.py b/rta/dcom_lateral_movement_with_mmc.py index 4ebdf59314e..14574823cbc 100644 --- a/rta/dcom_lateral_movement_with_mmc.py +++ b/rta/dcom_lateral_movement_with_mmc.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: DCOM Lateral Movement with MMC # RTA: dcom_lateral_movement_with_mmc.py diff --git a/rta/delete_bootconf.py b/rta/delete_bootconf.py index c68505027ed..39509056a6a 100644 --- a/rta/delete_bootconf.py +++ b/rta/delete_bootconf.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Boot Config Deletion With bcdedit # RTA: delete_bootconf.py diff --git a/rta/delete_catalogs.py b/rta/delete_catalogs.py index 4fac92e73f8..954b26f6d23 100644 --- a/rta/delete_catalogs.py +++ b/rta/delete_catalogs.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Catalog Deletion with wbadmin.exe # RTA: delete_catalogs.py diff --git a/rta/delete_usnjrnl.py b/rta/delete_usnjrnl.py index 6b401ffb5f9..4e571a669c7 100644 --- a/rta/delete_usnjrnl.py +++ b/rta/delete_usnjrnl.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: USN Journal Deletion with fsutil.exe # RTA: delete_usnjrnl.py diff --git a/rta/delete_volume_shadows.py b/rta/delete_volume_shadows.py index 85e27b825a1..b8264a55117 100644 --- a/rta/delete_volume_shadows.py +++ b/rta/delete_volume_shadows.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Volume Shadow Copy Deletion with vssadmin and wmic # RTA: delete_volume_shadow.py diff --git a/rta/disable_windows_fw.py b/rta/disable_windows_fw.py index 69765df82cc..df0cf752dc7 100644 --- a/rta/disable_windows_fw.py +++ b/rta/disable_windows_fw.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Disable Windows Firewall # RTA: disable_windows_fw.py diff --git a/rta/enum_commands.py b/rta/enum_commands.py index 21127d36f38..585eb49cc6a 100644 --- a/rta/enum_commands.py +++ b/rta/enum_commands.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Common Enumeration Commands # RTA: enum_commands.py diff --git a/rta/findstr_pw_search.py b/rta/findstr_pw_search.py index a2137a01c8f..84b14859fb2 100644 --- a/rta/findstr_pw_search.py +++ b/rta/findstr_pw_search.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Recursive Password Search # RTA: findstr_pw_search.py diff --git a/rta/globalflags.py b/rta/globalflags.py index 639d5ae5a89..8bb9d1f22ec 100644 --- a/rta/globalflags.py +++ b/rta/globalflags.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Persistence using GlobalFlags # RTA: globalflags.py diff --git a/rta/hosts_file_modify.py b/rta/hosts_file_modify.py index 79fb121bdb6..56778dcc14c 100644 --- a/rta/hosts_file_modify.py +++ b/rta/hosts_file_modify.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Hosts File Modified # RTA: hosts_file_modify.py diff --git a/rta/installutil_network.py b/rta/installutil_network.py index 36426b05775..717c1d0366f 100644 --- a/rta/installutil_network.py +++ b/rta/installutil_network.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Network Traffic from InstallUtil # RTA: installutil_network.py diff --git a/rta/iqy_file_writes.py b/rta/iqy_file_writes.py index 7860b0d1b1e..a12a495f4e2 100644 --- a/rta/iqy_file_writes.py +++ b/rta/iqy_file_writes.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Suspicious IQY/PUB File Writes # RTA: iqy_file_writes.py diff --git a/rta/lateral_command_psexec.py b/rta/lateral_command_psexec.py index f03ddbad786..11bf562fbf9 100755 --- a/rta/lateral_command_psexec.py +++ b/rta/lateral_command_psexec.py 
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: PsExec Lateral Movement
 # RTA: lateral_command_psexec.py
diff --git a/rta/lateral_commands.py b/rta/lateral_commands.py
index 6148bb3567c..69c054f3e29 100644
--- a/rta/lateral_commands.py
+++ b/rta/lateral_commands.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Lateral Movement Commands
 # RTA: lateral_commands.py
diff --git a/rta/linux_compress_sensitive_files.py b/rta/linux_compress_sensitive_files.py
index 171743e9c93..7b210481862 100644
--- a/rta/linux_compress_sensitive_files.py
+++ b/rta/linux_compress_sensitive_files.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Compression of sensitive files
 # RTA: linux_compress_sensitive_files.py
diff --git a/rta/linux_discovery_sensitive_files.py b/rta/linux_discovery_sensitive_files.py
index 328f96295c3..b8561a5f5be 100644
--- a/rta/linux_discovery_sensitive_files.py
+++ b/rta/linux_discovery_sensitive_files.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Reading sensitive files
 # RTA: linux_discovery_sensitive_files.py
diff --git a/rta/mac_office_descendant.py b/rta/mac_office_descendant.py
index cbb1c640bcf..a9e51584cff 100644
--- a/rta/mac_office_descendant.py
+++ b/rta/mac_office_descendant.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Mac Descendant of an Office Application
 # RTA: mac_office_descendant.py
diff --git a/rta/modification_of_wdigest_security_provider.py b/rta/modification_of_wdigest_security_provider.py
index 0ac0d9cc62e..f3e7212308d 100644
--- a/rta/modification_of_wdigest_security_provider.py
+++ b/rta/modification_of_wdigest_security_provider.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Modification of WDigest Security Provider
 # RTA: modification_of_wdigest_security_provider.py
diff --git a/rta/ms_office_drop_exe.py b/rta/ms_office_drop_exe.py
index 085f5900977..ecce23f1bea 100644
--- a/rta/ms_office_drop_exe.py
+++ b/rta/ms_office_drop_exe.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Emulate MS Office Dropping an executable file to disk
 # RTA: ms_office_drop_exe.py
diff --git a/rta/msbuild_network.py b/rta/msbuild_network.py
index ff80e00b48d..36d21532575 100644
--- a/rta/msbuild_network.py
+++ b/rta/msbuild_network.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: MsBuild with Network Activity
 # RTA: msbuild_network.py
diff --git a/rta/mshta_network.py b/rta/mshta_network.py
index 65977f9bcdf..f2148012969 100644
--- a/rta/mshta_network.py
+++ b/rta/mshta_network.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Microsoft HTA tool (mshta.exe) with Network Callback
 # RTA: mshta_network.py
diff --git a/rta/msiexec_http_installer.py b/rta/msiexec_http_installer.py
index e999809d2de..402b903010d 100644
--- a/rta/msiexec_http_installer.py
+++ b/rta/msiexec_http_installer.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: MsiExec with HTTP Installer
 # RTA: msiexec_http_installer.py
diff --git a/rta/msxsl_network.py b/rta/msxsl_network.py
index 015c377f994..a7e063f46f1 100644
--- a/rta/msxsl_network.py
+++ b/rta/msxsl_network.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: msxsl.exe Network
 # RTA: msxsl_network.py
diff --git a/rta/net_user_add.py b/rta/net_user_add.py
index 12f57eedee7..e0e64257955 100644
--- a/rta/net_user_add.py
+++ b/rta/net_user_add.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Create User with net.exe
 # RTA: net_user_add.py
diff --git a/rta/obfuscated_cmd_commands.py b/rta/obfuscated_cmd_commands.py
index bd3fa8c6463..312912d0752 100644
--- a/rta/obfuscated_cmd_commands.py
+++ b/rta/obfuscated_cmd_commands.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Emulate Obfuscated cmd Commands
 # RTA: obfuscated_cmd_commands.py
diff --git a/rta/obfuscated_powershell.py b/rta/obfuscated_powershell.py
index 417beb4221d..180ed7b34a3 100644
--- a/rta/obfuscated_powershell.py
+++ b/rta/obfuscated_powershell.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Obfuscated PowerShell Commands
 # RTA: obfuscated_powershell.py
diff --git a/rta/office_application_startup.py b/rta/office_application_startup.py
index 3c262da5433..607e184659d 100644
--- a/rta/office_application_startup.py
+++ b/rta/office_application_startup.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Office Application Startup
 # RTA: office_application_startup.py
diff --git a/rta/persistent_scripts.py b/rta/persistent_scripts.py
index 059a904514f..4b8d4607466 100644
--- a/rta/persistent_scripts.py
+++ b/rta/persistent_scripts.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Persistent Scripts
 # RTA: persistent_scripts.py
diff --git a/rta/port_monitor.py b/rta/port_monitor.py
index fbb8230ab2c..1d0d2ac90a8 100644
--- a/rta/port_monitor.py
+++ b/rta/port_monitor.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Privilege Escalation via Port Monitor Registration
 # RTA: port_monitor.py
diff --git a/rta/powershell_args.py b/rta/powershell_args.py
index 9c5cdfd0d37..abaaeda161b 100644
--- a/rta/powershell_args.py
+++ b/rta/powershell_args.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Powershell with Suspicious Arguments
 # RTA: powershell_args.py
diff --git a/rta/powershell_base64_gzip.py b/rta/powershell_base64_gzip.py
index 955404dc3ad..c64de3ca5a3 100644
--- a/rta/powershell_base64_gzip.py
+++ b/rta/powershell_base64_gzip.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: PowerShell with base64/gzip
 # RTA: powershell_base64_gzip.py
diff --git a/rta/powershell_from_script.py b/rta/powershell_from_script.py
index bfa4ac6208d..9e82b408f81 100644
--- a/rta/powershell_from_script.py
+++ b/rta/powershell_from_script.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: PowerShell Launched from Script
 # RTA: powershell_from_script.py
diff --git a/rta/process_double_extension.py b/rta/process_double_extension.py
index 962cda58e84..22c7727a1a6 100644
--- a/rta/process_double_extension.py
+++ b/rta/process_double_extension.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Double Process Extension
 # RTA: process_double_extension.py
diff --git a/rta/process_extension_anomalies.py b/rta/process_extension_anomalies.py
index 8eb5dbb5298..5618df1d847 100644
--- a/rta/process_extension_anomalies.py
+++ b/rta/process_extension_anomalies.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Executable with Unusual Extensions
 # RTA: process_extension_anomalies.py
diff --git a/rta/process_name_masquerade.py b/rta/process_name_masquerade.py
index 4549bd981f1..2cfd6503925 100644
--- a/rta/process_name_masquerade.py
+++ b/rta/process_name_masquerade.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Windows Core Process Masquerade
 # RTA: process_name_masquerade.py
diff --git a/rta/recycle_bin_process.py b/rta/recycle_bin_process.py
index 9d114172a59..656f13a2bd8 100644
--- a/rta/recycle_bin_process.py
+++ b/rta/recycle_bin_process.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Run Process from the Recycle Bin
 # RTA: recycle_bin_process.py
diff --git a/rta/registry_hive_export.py b/rta/registry_hive_export.py
index 358894ebd33..2a8505b6284 100644
--- a/rta/registry_hive_export.py
+++ b/rta/registry_hive_export.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Export Registry Hives
 # RTA: registry_hive_export.py
diff --git a/rta/registry_persistence_create.py b/rta/registry_persistence_create.py
index db9ea3bad29..96a6e967ba9 100644
--- a/rta/registry_persistence_create.py
+++ b/rta/registry_persistence_create.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Registry persistence creation
 # RTA: registry_persistence_create.py
diff --git a/rta/registry_rdp_enable.py b/rta/registry_rdp_enable.py
index 34f14447fa9..5731e0d876f 100644
--- a/rta/registry_rdp_enable.py
+++ b/rta/registry_rdp_enable.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Enable RDP Through Registry
 # RTA: registry_rdp_enable.py
diff --git a/rta/regsvr32_scrobj.py b/rta/regsvr32_scrobj.py
index 35dc00c6772..ba1e035cf3b 100644
--- a/rta/regsvr32_scrobj.py
+++ b/rta/regsvr32_scrobj.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: RegSvr32 Backdoor with .sct Files
 # RTA: regsvr32_scrobj.py
diff --git a/rta/rundll32_inf_callback.py b/rta/rundll32_inf_callback.py
index 6a0a28bdfa2..91f266b1327 100644
--- a/rta/rundll32_inf_callback.py
+++ b/rta/rundll32_inf_callback.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: RunDll32 with .inf Callback
 # RTA: rundll32_inf_callback.py
diff --git a/rta/rundll32_javascript_callback.py b/rta/rundll32_javascript_callback.py
index 1b03be4eef7..71bc347fb27 100644
--- a/rta/rundll32_javascript_callback.py
+++ b/rta/rundll32_javascript_callback.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: RunDLL32 Javascript Callback
 # RTA: rundll32_javascript_callback.py
diff --git a/rta/schtask_escalation.py b/rta/schtask_escalation.py
index 0d7fb3e246c..0d5fbe7a87f 100644
--- a/rta/schtask_escalation.py
+++ b/rta/schtask_escalation.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Scheduled Task Privilege Escalation
 # RTA: schtask_escalation.py
diff --git a/rta/scrobj_com_hijack.py b/rta/scrobj_com_hijack.py
index f195b2851d5..7dd0d7b5f25 100644
--- a/rta/scrobj_com_hijack.py
+++ b/rta/scrobj_com_hijack.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: COM Hijack via Script Object
 # RTA: scrobj_com_hijack.py
diff --git a/rta/secure_file_deletion.py b/rta/secure_file_deletion.py
index 3de40b15f04..adc65709698 100644
--- a/rta/secure_file_deletion.py
+++ b/rta/secure_file_deletion.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 import os
 import subprocess
diff --git a/rta/settingcontentms_files.py b/rta/settingcontentms_files.py
index e037aa8b67a..fe71224a022 100644
--- a/rta/settingcontentms_files.py
+++ b/rta/settingcontentms_files.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Abusing SettingContent-ms Files
 # RTA: settingcontentms_files.py
diff --git a/rta/sevenzip_encrypted.py b/rta/sevenzip_encrypted.py
index 455000fb59d..58db5413059 100644
--- a/rta/sevenzip_encrypted.py
+++ b/rta/sevenzip_encrypted.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Encrypting files with 7zip
 # RTA: sevenzip_encrypted.py
diff --git a/rta/shortcut_file_suspicious_process.py b/rta/shortcut_file_suspicious_process.py
index e75c28cc991..7ba2e7aff8a 100644
--- a/rta/shortcut_file_suspicious_process.py
+++ b/rta/shortcut_file_suspicious_process.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Shortcut File Suspicious Process
 # RTA: shortcut_file_suspicious_process.py
diff --git a/rta/sip_provider.py b/rta/sip_provider.py
index 56a1987fcdb..607896f4488 100644
--- a/rta/sip_provider.py
+++ b/rta/sip_provider.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: SIP Provider Modification
 # RTA: sip_provider.py
diff --git a/rta/smb_connection.py b/rta/smb_connection.py
index b4024b33702..e0be24b3471 100644
--- a/rta/smb_connection.py
+++ b/rta/smb_connection.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Outbound SMB from a User Process
 # RTA: smb_connection.py
diff --git a/rta/sticky_keys_write_execute.py b/rta/sticky_keys_write_execute.py
index 847928cb698..f64b023768a 100644
--- a/rta/sticky_keys_write_execute.py
+++ b/rta/sticky_keys_write_execute.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Overwrite Accessibiity Binaries
 # RTA: sticky_keys_write_execute.py
diff --git a/rta/suspicious_dll_registration_regsvr32.py b/rta/suspicious_dll_registration_regsvr32.py
index 6f9a453d9c5..3dde49affb5 100644
--- a/rta/suspicious_dll_registration_regsvr32.py
+++ b/rta/suspicious_dll_registration_regsvr32.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Suspicious DLL Registration by Regsvr32
 # RTA: suspicious_dll_registration_regsvr32.py
diff --git a/rta/suspicious_office_children.py b/rta/suspicious_office_children.py
index 0aedecbe67e..aae249c38bd 100644
--- a/rta/suspicious_office_children.py
+++ b/rta/suspicious_office_children.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Emulate Suspect MS Office Child Processes
 # RTA: suspect_office_children.py
diff --git a/rta/suspicious_office_descendant_fp.py b/rta/suspicious_office_descendant_fp.py
index 3d36eac728a..f95a84a5103 100644
--- a/rta/suspicious_office_descendant_fp.py
+++ b/rta/suspicious_office_descendant_fp.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Emulate Suspect MS Office Child Processes
 # RTA: suspect_office_children.py
diff --git a/rta/suspicious_powershell_download.py b/rta/suspicious_powershell_download.py
index b5aae55f027..f0471a4f30a 100644
--- a/rta/suspicious_powershell_download.py
+++ b/rta/suspicious_powershell_download.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Suspicious PowerShell Download
 # RTA: suspicious_powershell_download.py
diff --git a/rta/suspicious_wmic_script.py b/rta/suspicious_wmic_script.py
index 2b021535ada..d743943f06b 100644
--- a/rta/suspicious_wmic_script.py
+++ b/rta/suspicious_wmic_script.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Suspicious WMIC script execution
 # RTA: suspicious_wmic_script.py
diff --git a/rta/suspicious_wscript_parent.py b/rta/suspicious_wscript_parent.py
index 29684421d1c..d8e7d7b413b 100644
--- a/rta/suspicious_wscript_parent.py
+++ b/rta/suspicious_wscript_parent.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Suspicious WScript parent
 # RTA: suspicious_wscript_parent.py
diff --git a/rta/system_restore_process.py b/rta/system_restore_process.py
index 1316b5e4d6d..bdf523253c9 100644
--- a/rta/system_restore_process.py
+++ b/rta/system_restore_process.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Process Execution in System Restore
 # RTA: system_restore_process.py
diff --git a/rta/trust_provider.py b/rta/trust_provider.py
index 99ef62a6cb4..d7e51f13045 100644
--- a/rta/trust_provider.py
+++ b/rta/trust_provider.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Trust Provider Modification
 # RTA: trust_provider.py
diff --git a/rta/uac_eventviewer.py b/rta/uac_eventviewer.py
index 7dacc5f54cb..51cc81e03b5 100644
--- a/rta/uac_eventviewer.py
+++ b/rta/uac_eventviewer.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.

 # Name: Bypass UAC via Event Viewer
 # RTA: uac_eventviewer.py
diff --git a/rta/uac_sdclt.py b/rta/uac_sdclt.py
index e397007d613..02360aa67cc 100644
--- a/rta/uac_sdclt.py
+++ b/rta/uac_sdclt.py
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Bypass UAC via Sdclt # RTA: uac_sdclt.py diff --git a/rta/uac_sysprep.py b/rta/uac_sysprep.py index 0c49c374f9d..5a47848806a 100644 --- a/rta/uac_sysprep.py +++ b/rta/uac_sysprep.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Bypass UAC via Sysprep # RTA: uac_sysprep.py diff --git a/rta/uncommon_persistence.py b/rta/uncommon_persistence.py index 34915d2bd2d..6d48c1592df 100644 --- a/rta/uncommon_persistence.py +++ b/rta/uncommon_persistence.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Uncommon Registry Persistence Change # RTA: uncommon_persistence.py diff --git a/rta/unusual_ms_tool_network.py b/rta/unusual_ms_tool_network.py index a26303573a0..3c28d424273 100644 --- a/rta/unusual_ms_tool_network.py +++ b/rta/unusual_ms_tool_network.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Unexpected Network Activity from Microsoft Tools # RTA: unusual_ms_tool_network.py diff --git a/rta/unusual_parent_child.py b/rta/unusual_parent_child.py index e1a5fe6d1c3..187f20022f6 100644 --- a/rta/unusual_parent_child.py +++ b/rta/unusual_parent_child.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Invalid Process Trees in Windows # RTA: unusual_parent_child.py diff --git a/rta/user_dir_escalation.py b/rta/user_dir_escalation.py index f1884cfa3ed..0516c7199f8 100644 --- a/rta/user_dir_escalation.py +++ b/rta/user_dir_escalation.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: SYSTEM Escalation from User Directory # RTA: user_dir_escalation.py diff --git a/rta/vaultcmd_commands.py b/rta/vaultcmd_commands.py index 76df13584bc..7159ff57cb8 100644 --- a/rta/vaultcmd_commands.py 
+++ b/rta/vaultcmd_commands.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Searching Credential Vaults via VaultCmd # RTA: vaultcmd_commands.py diff --git a/rta/werfault_persistence.py b/rta/werfault_persistence.py index 563a9934b48..499e014e133 100644 --- a/rta/werfault_persistence.py +++ b/rta/werfault_persistence.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: WerFault.exe Persistence # RTA: werfault_persistence.py diff --git a/rta/wevtutil_log_clear.py b/rta/wevtutil_log_clear.py index d1fbdf337ef..ac7a0662abd 100644 --- a/rta/wevtutil_log_clear.py +++ b/rta/wevtutil_log_clear.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Clearing Windows Event Logs # RTA: wevutil_log_clear.py diff --git a/rta/winrar_encrypted.py b/rta/winrar_encrypted.py index b7ec300a650..790d5198cd3 100644 --- a/rta/winrar_encrypted.py +++ b/rta/winrar_encrypted.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: Encrypting files with WinRAR # RTA: winrar_encrypted.py diff --git a/rta/winrar_startup_folder.py b/rta/winrar_startup_folder.py index 48c41ba5e60..3e60a5a4a68 100644 --- a/rta/winrar_startup_folder.py +++ b/rta/winrar_startup_folder.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: WinRAR Startup Folder # RTA: winrar_startup_folder.py diff --git a/rta/wmi_incoming_logon.py b/rta/wmi_incoming_logon.py index e3cf71e77e8..d9db0f8e43a 100644 --- a/rta/wmi_incoming_logon.py +++ b/rta/wmi_incoming_logon.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # Name: WMI Incoming Lateral Movement # RTA: wmi_incoming_logon.py diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml index 2f7ee47e6d9..ad1f77c66f6 100644 --- a/rules/apm/apm_403_response_to_a_post.toml 
+++ b/rules/apm/apm_403_response_to_a_post.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["apm-*-transaction*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Web Application Suspicious Activity: POST Request Declined" references = ["https://en.wikipedia.org/wiki/HTTP_403"] risk_score = 47 diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml index d5e62fbc427..3308ffe19a0 100644 --- a/rules/apm/apm_405_response_method_not_allowed.toml +++ b/rules/apm/apm_405_response_method_not_allowed.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["apm-*-transaction*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Web Application Suspicious Activity: Unauthorized Method" references = ["https://en.wikipedia.org/wiki/HTTP_405"] risk_score = 47 diff --git a/rules/apm/apm_null_user_agent.toml b/rules/apm/apm_null_user_agent.toml index 8afec818866..6751cb4f97c 100644 --- a/rules/apm/apm_null_user_agent.toml +++ b/rules/apm/apm_null_user_agent.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ false_positives = [ ] index = ["apm-*-transaction*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Web Application Suspicious Activity: No User Agent" references = ["https://en.wikipedia.org/wiki/User_agent"] risk_score = 47 
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml index 63017852210..4706ed1b433 100644 --- a/rules/apm/apm_sqlmap_user_agent.toml +++ b/rules/apm/apm_sqlmap_user_agent.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["apm-*-transaction*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Web Application Suspicious Activity: sqlmap User Agent" references = ["http://sqlmap.org/"] risk_score = 47 diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml index 9da2ea84f6f..2da21d22ed3 100644 --- a/rules/aws/collection_cloudtrail_logging_created.toml +++ b/rules/aws/collection_cloudtrail_logging_created.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/10" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS CloudTrail Log Created" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml index d9e48e41bef..d1e5ee76b2f 100644 --- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml +++ b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/16" maturity = "production" -updated_date = "2020/10/26" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ role exists before attempting to assume or hijack the discovered role. from = "now-20m" index = ["filebeat-*", "logs-aws*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS IAM Brute Force of Assume Role Policy" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml index f74b6b52a87..180bdd6ce68 100644 --- a/rules/aws/credential_access_iam_user_addition_to_group.toml +++ b/rules/aws/credential_access_iam_user_addition_to_group.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/04" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS IAM User Addition to Group" note = "The AWS Filebeat module must be enabled to use this rule." references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"] diff --git a/rules/aws/credential_access_root_console_failure_brute_force.toml b/rules/aws/credential_access_root_console_failure_brute_force.toml index d1e6a4e85e8..6778ab6fd52 100644 --- a/rules/aws/credential_access_root_console_failure_brute_force.toml +++ b/rules/aws/credential_access_root_console_failure_brute_force.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/21" maturity = "production" -updated_date = "2020/10/26" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -19,7 +19,7 @@ false_positives = [ from = "now-20m" index = ["filebeat-*", "logs-aws*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS Management Console Brute Force of Root User Identity" note = "The AWS Filebeat module must be enabled to use this rule." references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"] diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml index 36af18b95d8..638fa6b0609 100644 --- a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml +++ b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Nick Jones", "Elastic"] @@ -19,7 +19,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS Access Secret in Secrets Manager" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml index b23e79319e0..80496832112 100644 --- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/26" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS CloudTrail Log Deleted" note = "The AWS Filebeat module must be enabled to use this rule." references = [ 
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml index 9d9591d6811..c47283cdd45 100644 --- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml +++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/10" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS CloudTrail Log Suspended" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml index 6f909426e9a..cd761d270bd 100644 --- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml +++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/15" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS CloudWatch Alarm Deletion" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml index c78159701b1..37661fd8885 100644 --- a/rules/aws/defense_evasion_config_service_rule_deletion.toml +++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/26" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -21,7 +21,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS Config Service Tampering" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml index 88a52712342..3cd46cd4cd8 100644 --- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml +++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/16" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS Configuration Recorder Stopped" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml index eb68d0a9533..b30044f83c2 100644 --- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml +++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/15" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS EC2 Flow Log Deletion" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml index 3e6e714ee08..4edf8c09f9c 100644 
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml +++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/26" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS EC2 Network Access Control List Deletion" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml index eef34987562..7ec7b11b407 100644 --- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml +++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/28" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS GuardDuty Detector Deletion" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml index 272b3735fe8..e73d8b6a7f3 100644 --- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml +++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/27" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -17,7 +17,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS S3 Bucket Configuration Deletion" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml index 67022ac203c..6e64e4d8e6f 100644 --- a/rules/aws/defense_evasion_waf_acl_deletion.toml +++ b/rules/aws/defense_evasion_waf_acl_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS WAF Access Control List Deletion" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml index 377e8d44517..abfcc098bc0 100644 --- a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml +++ b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/09" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS WAF Rule or Rule Group Deletion" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml index 9065017eb88..a7b1daf29dd 100644 
--- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml +++ b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/24" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS EC2 Snapshot Activity" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml index ef5749fa5b1..c4d15ec7fab 100644 --- a/rules/aws/impact_cloudtrail_logging_updated.toml +++ b/rules/aws/impact_cloudtrail_logging_updated.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/10" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS CloudTrail Log Updated" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml index 76b3849c2dc..488d7b386f7 100644 --- a/rules/aws/impact_cloudwatch_log_group_deletion.toml +++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -20,7 +20,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS CloudWatch Log Group Deletion" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml index 3e04875463a..42af3b058d9 100644 --- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml +++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/20" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS CloudWatch Log Stream Deletion" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml index 164d65f0761..adf42490472 100644 --- a/rules/aws/impact_ec2_disable_ebs_encryption.toml +++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/05" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS EC2 Encryption Disabled" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml index 120912365f4..8b1d451fc58 100644 --- a/rules/aws/impact_iam_deactivate_mfa_device.toml 
+++ b/rules/aws/impact_iam_deactivate_mfa_device.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/26" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS IAM Deactivation of MFA Device" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml index 86ead91d754..0d64969c679 100644 --- a/rules/aws/impact_iam_group_deletion.toml +++ b/rules/aws/impact_iam_group_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS IAM Group Deletion" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml index a70f3c5f8dc..91d201627c6 100644 --- a/rules/aws/impact_rds_cluster_deletion.toml +++ b/rules/aws/impact_rds_cluster_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS RDS Cluster Deletion" note = "The AWS Filebeat module must be enabled to use this rule." references = [ 
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml index 35ecad5ca99..d3e2a5a8435 100644 --- a/rules/aws/impact_rds_instance_cluster_stoppage.toml +++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/20" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS RDS Instance/Cluster Stoppage" note = "The AWS Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml index b7be52fbfc4..9369c6b2a45 100644 --- a/rules/aws/initial_access_console_login_root.toml +++ b/rules/aws/initial_access_console_login_root.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/06/11" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ from = "now-60m" index = ["filebeat-*", "logs-aws*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "AWS Management Console Root Login" note = "The AWS Filebeat module must be enabled to use this rule." references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"] diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml index 4132af1c9d5..34f7e81dcb2 100644 --- a/rules/aws/initial_access_password_recovery.toml +++ b/rules/aws/initial_access_password_recovery.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/02" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS IAM Password Recovery Requested"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"]
diff --git a/rules/aws/initial_access_via_system_manager.toml b/rules/aws/initial_access_via_system_manager.toml
index 234c296d028..9202b992170 100644
--- a/rules/aws/initial_access_via_system_manager.toml
+++ b/rules/aws/initial_access_via_system_manager.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS Execution via System Manager"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"]
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml
index b04207e3697..2c60125d691 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/aws/persistence_ec2_network_acl_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS EC2 Network Access Control List Creation"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml
index ad208b8a524..fca4018060e 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/aws/persistence_iam_group_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS IAM Group Creation"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml
index 65c70ecbef3..dff2bddb0c9 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/aws/persistence_rds_cluster_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS RDS Cluster Creation"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml
index 9343b0a201b..a366cd7ef7f 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS Root Login Without MFA"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
index 15fc1884425..acb113033c5 100644
--- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS IAM Assume Role Policy Update"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"]
diff --git a/rules/azure/collection_update_event_hub_auth_rule.toml b/rules/azure/collection_update_event_hub_auth_rule.toml
index eb12e6dd934..a4827df9399 100644
--- a/rules/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/azure/collection_update_event_hub_auth_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Event Hub Authorization Rule Created or Updated"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
diff --git a/rules/azure/credential_access_key_vault_modified.toml b/rules/azure/credential_access_key_vault_modified.toml
index a7158fa7e90..29fc658b726 100644
--- a/rules/azure/credential_access_key_vault_modified.toml
+++ b/rules/azure/credential_access_key_vault_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Key Vault Modified"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/credential_access_storage_account_key_regenerated.toml b/rules/azure/credential_access_storage_account_key_regenerated.toml
index 56d9f7e3033..11c8026ac21 100644
--- a/rules/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/azure/credential_access_storage_account_key_regenerated.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Storage Account Key Regenerated"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/defense_evasion_azure_application_credential_modification.toml b/rules/azure/defense_evasion_azure_application_credential_modification.toml
index 8dff11176b3..f834d36caf8 100644
--- a/rules/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/azure/defense_evasion_azure_application_credential_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Application Credential Modification"
 note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index b4721e635c0..f018a52149c 100644
--- a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Diagnostic Settings Deletion"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"]
diff --git a/rules/azure/defense_evasion_azure_service_principal_addition.toml b/rules/azure/defense_evasion_azure_service_principal_addition.toml
index 300e0837884..b7c0c8c4215 100644
--- a/rules/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/azure/defense_evasion_azure_service_principal_addition.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Service Principal Addition"
 note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/defense_evasion_event_hub_deletion.toml b/rules/azure/defense_evasion_event_hub_deletion.toml
index 54748824601..263fb8acdbe 100644
--- a/rules/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/azure/defense_evasion_event_hub_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Event Hub Deletion"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/defense_evasion_firewall_policy_deletion.toml b/rules/azure/defense_evasion_firewall_policy_deletion.toml
index 463316d1052..c4bf8cb2dee 100644
--- a/rules/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/azure/defense_evasion_firewall_policy_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Firewall Policy Deletion"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"]
diff --git a/rules/azure/defense_evasion_network_watcher_deletion.toml b/rules/azure/defense_evasion_network_watcher_deletion.toml
index 400802c6862..262b45fb385 100644
--- a/rules/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/azure/defense_evasion_network_watcher_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Network Watcher Deletion"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"]
diff --git a/rules/azure/discovery_blob_container_access_mod.toml b/rules/azure/discovery_blob_container_access_mod.toml
index dd998550646..5ac49a4a0ea 100644
--- a/rules/azure/discovery_blob_container_access_mod.toml
+++ b/rules/azure/discovery_blob_container_access_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Blob Container Access Level Modification"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"]
diff --git a/rules/azure/execution_command_virtual_machine.toml b/rules/azure/execution_command_virtual_machine.toml
index 880e0176017..98d4af502f5 100644
--- a/rules/azure/execution_command_virtual_machine.toml
+++ b/rules/azure/execution_command_virtual_machine.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Command Execution on Virtual Machine"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/impact_azure_automation_runbook_deleted.toml b/rules/azure/impact_azure_automation_runbook_deleted.toml
index 75c0859d1e5..3faa1b71e33 100644
--- a/rules/azure/impact_azure_automation_runbook_deleted.toml
+++ b/rules/azure/impact_azure_automation_runbook_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ disrupt their target's automated business operations or to remove a malicious ru
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Automation Runbook Deleted"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/impact_resource_group_deletion.toml b/rules/azure/impact_resource_group_deletion.toml
index 716d04e2a59..10d6ac2fbd7 100644
--- a/rules/azure/impact_resource_group_deletion.toml
+++ b/rules/azure/impact_resource_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Resource Group Deletion"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
index 07898d58084..a7cae357ce8 100644
--- a/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic", "Willem D'Haese"]
@@ -14,7 +14,7 @@ compromised.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Active Directory High Risk Sign-in"
 note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
index 8afbbc0f1e1..fb3a78d6e17 100644
--- a/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Active Directory PowerShell Sign-in"
 note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 745d27ec3fd..e2c02c756af 100644
--- a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ as contact information, email, or documents.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Possible Consent Grant Attack via Azure-Registered Application"
 note = """- The Azure Filebeat module must be enabled to use this rule. - In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.
diff --git a/rules/azure/initial_access_external_guest_user_invite.toml b/rules/azure/initial_access_external_guest_user_invite.toml
index 24d24224989..ed5cbbdb2c4 100644
--- a/rules/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/azure/initial_access_external_guest_user_invite.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure External Guest User Invitation"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"]
diff --git a/rules/azure/persistence_azure_automation_account_created.toml b/rules/azure/persistence_azure_automation_account_created.toml
index 97c63859418..b92d24b5c39 100644
--- a/rules/azure/persistence_azure_automation_account_created.toml
+++ b/rules/azure/persistence_azure_automation_account_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ persistence in their target's environment.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Automation Account Created"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
index 2e53389f19c..c15293fff00 100644
--- a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Automation runbook to execute malicious code and maintain persistence in their t
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Automation Runbook Created or Modified"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/persistence_azure_automation_webhook_created.toml b/rules/azure/persistence_azure_automation_webhook_created.toml
index 3245d127bd8..897559caa27 100644
--- a/rules/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/azure/persistence_azure_automation_webhook_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ adversary may create a webhook in order to trigger a runbook that contains malic
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Automation Webhook Created"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/azure/persistence_azure_conditional_access_policy_modified.toml
index 5b0770938d7..424f6682c0e 100644
--- a/rules/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ weaken their target's security controls.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Conditional Access Policy Modified"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"]
diff --git a/rules/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/azure/persistence_azure_pim_user_added_global_admin.toml
index 2c001fdbf9c..69602dc43ce 100644
--- a/rules/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Global Administrator Role Addition to PIM User"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
index 8db1b6a44e0..8e52d790855 100644
--- a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ maintain persistence in their target's environment or modify a PIM role to weake
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Privilege Identity Management Role Modified"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/azure/persistence_mfa_disabled_for_azure_user.toml
index 6f1049aa938..c0a0ffdc17b 100644
--- a/rules/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ for a user account in order to weaken the authentication requirements for the ac
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Multi-Factor Authentication Disabled for an Azure User"
 note = "The Azure Filebeat module must be enabled to use this rule."
 risk_score = 47
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
index 515db430c76..8b88fe34b87 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ another account.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "User Added as Owner for Azure Application"
 note = "The Azure Filebeat module must be enabled to use this rule."
 risk_score = 21
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index 5924e456944..c19d8716514 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ application can do in the Azure AD tenant.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "User Added as Owner for Azure Service Principal"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index f1c2408adc2..28a57eb6420 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = ["Developers performing browsers plugin or extension debugging
 from = "now-9m"
 index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "Potential Cookies Theft via Browser Debugging"
 references = [
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index c4b3b134ead..b0f7f6259d4 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ evidence on a system.
 from = "now-9m"
 index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "WebServer Access Logs Deleted"
 risk_score = 47
 rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac"
diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index 7018a7450e5..9c770314462 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/20"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ or Host Firewall details.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Security Software Discovery via Grep"
 risk_score = 47
 rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
index a976c90d9c3..82bbbe81614 100644
--- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
+++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies the execution of and EggShell Backdoor. EggShell is a
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "EggShell Backdoor Execution"
 references = ["https://github.com/neoneggplant/EggShell"]
 risk_score = 73
diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml
index 47a901e434a..23f4b3843f6 100644
--- a/rules/cross-platform/execution_python_script_in_cmdline.toml
+++ b/rules/cross-platform/execution_python_script_in_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "development"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate Python scripting activity."]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Python Script Execution via Command Line"
 risk_score = 47
 rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae"
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index 48b8e24960e..39bbe820775 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies the execution of a shell process with suspicious argum
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Reverse Shell Activity via Terminal"
 references = [
     "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index 4dc89b60604..0cd63a9ac02 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ evade detection.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious JAR Child Process"
 risk_score = 47
 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 90ef323f088..b2d53923681 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/07"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ RHEL) and macOS systems.
 from = "now-9m"
 index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Hosts File Modified"
 note = "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml."
 references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"]
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index b3c4e9636b4..05ad411c912 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ that is lewd, obscene, racist, or antisemitic in nature, typically resulting of
 """
 index = ["filebeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Zoom Meeting with no Passcode"
 note = "This rule requires the Zoom Filebeat module."
 references = [
diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
index 239e46e6a78..a2e388b34b0 100644
--- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
+++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of Standard Authentication Module or Configuration"
 references = [
 "https://github.com/zephrax/linux-pam-backdoor",
diff --git a/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml b/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
index 55cd067197f..af7999c3356 100644
--- a/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
+++ b/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/15"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate software or scripts using cron jobs for recurring
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Persistence via Cron Job"
 references = ["https://archive.f-secure.com/weblog/archives/00002576.html", "https://ss64.com/osx/crontab.html"]
 risk_score = 21
diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
index f53706cd833..63547bdae97 100644
--- a/rules/cross-platform/persistence_shell_profile_modification.toml
+++ b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per
 from = "now-9m"
 index = ["logs-endpoint.events.*", "auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Bash Shell Profile Modification"
 references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"]
 risk_score = 47
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index 3c80c6ad1d5..2ea1bead4ca 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ authentication. Adversaries may modify it to maintain persistence on a victim ho
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SSH Authorized Keys File Modification"
 risk_score = 47
 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index 7c66c244875..e0df3d8aa6d 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/26"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ of these configurations to execute commands as other users or spawn processes wi
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Privilege Escalation via Sudoers File Modification"
 risk_score = 73
 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 5c356b9bbc6..7b50951355a 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ future.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "Setuid / Setgid Bit Set via chmod"
 risk_score = 21
diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
index 7232835e969..b104be2a709 100644
--- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
+++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/03"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Sudo Heap-Based Buffer Overflow Attempt"
 references = [
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156",
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
index f414d1289bb..ede884934ef 100644
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/13"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ advantage of these configurations to execute commands as other users or spawn pr
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Sudoers File Modification"
 risk_score = 47
 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
diff --git a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 364dc3446f1..97ec23ad88d 100644
--- a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Pub/Sub Subscription Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/pubsub/docs/overview"]
diff --git a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
index a578dcb7768..196be90b9f4 100644
--- a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Pub/Sub Topic Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/pubsub/docs/admin"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
index 99f9ffda497..ce366416062 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Firewall Rule Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index 42d2d7d55e6..082fc6af0f2 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Firewall Rule Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index cde5d9cc6a3..945eb96c87f 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Firewall Rule Modification"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
diff --git a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index a2e02e6cdb5..5ac477009d5 100644
--- a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Logging Bucket Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"]
diff --git a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index c6f120c8c2a..17ebbe9709f 100644
--- a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Logging Sink Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/logging/docs/export"]
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index b17b0d5dcf5..0f9a6cdb67a 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Pub/Sub Subscription Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/pubsub/docs/overview"]
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index a66a0cf3b25..7a0bdaeb57e 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Pub/Sub Topic Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/pubsub/docs/overview"]
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index 4f020c77706..35decf433b9 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Storage Bucket Configuration Modification"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 25e101d640e..25d059aba7d 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Storage Bucket Permissions Modification"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/storage/docs/access-control/iam-permissions"]
diff --git a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
index 5cb16669b92..57ceaddd4c7 100644
--- a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Logging Sink Modification"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
diff --git a/rules/gcp/impact_gcp_iam_role_deletion.toml b/rules/gcp/impact_gcp_iam_role_deletion.toml
index 287a46743d0..980f6432b47 100644
--- a/rules/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/gcp/impact_gcp_iam_role_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP IAM Role Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/iam/docs/understanding-roles"]
diff --git a/rules/gcp/impact_gcp_service_account_deleted.toml b/rules/gcp/impact_gcp_service_account_deleted.toml
index ad324d74519..ef5b9a3b6a2 100644
--- a/rules/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/gcp/impact_gcp_service_account_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Service Account Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/iam/docs/service-accounts"]
diff --git a/rules/gcp/impact_gcp_service_account_disabled.toml b/rules/gcp/impact_gcp_service_account_disabled.toml
index 39e6ba0c063..24c6e4bb6f7 100644
--- a/rules/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/gcp/impact_gcp_service_account_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Service Account Disabled"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/iam/docs/service-accounts"]
diff --git a/rules/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
index 4d592215191..58773704af6 100644
--- a/rules/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Storage Bucket Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml b/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
index f870cfd0ad7..053d2267b5c 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Network Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/vpc"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
index 5be9a2f5a08..f1a32ea3926 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Route Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml b/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
index b53d0fdd669..2d2dfb7ebed 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Route Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
diff --git a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
index 5f0f07f4e53..c17077902d7 100644
--- a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP IAM Custom Role Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
diff --git a/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 0ed1ab4f052..669ec924917 100644
--- a/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP IAM Service Account Key Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/gcp/persistence_gcp_key_created_for_service_account.toml
index 5354563bdfd..b0e053784f9 100644
--- a/rules/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Service Account Key Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/gcp/persistence_gcp_service_account_created.toml b/rules/gcp/persistence_gcp_service_account_created.toml
index 70e43f6eb03..39b4155f896 100644
--- a/rules/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/gcp/persistence_gcp_service_account_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Service Account Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/iam/docs/service-accounts"]
diff --git a/rules/google-workspace/application_added_to_google_workspace_domain.toml b/rules/google-workspace/application_added_to_google_workspace_domain.toml
index b54283e68f0..fc6a78204b2 100644
--- a/rules/google-workspace/application_added_to_google_workspace_domain.toml
+++ b/rules/google-workspace/application_added_to_google_workspace_domain.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Application Added to Google Workspace Domain"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml b/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml
index c7463ee8c5d..2b19c8998a4 100644
--- a/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Domain Added to Google Workspace Trusted Domains"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/google_workspace_admin_role_deletion.toml b/rules/google-workspace/google_workspace_admin_role_deletion.toml
index 16c71a40b2d..e73d06a8b99 100644
--- a/rules/google-workspace/google_workspace_admin_role_deletion.toml
+++ b/rules/google-workspace/google_workspace_admin_role_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace Admin Role Deletion"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml b/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
index acbb3e38167..9b004a6602a 100644
--- a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace MFA Enforcement Disabled"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/google_workspace_policy_modified.toml b/rules/google-workspace/google_workspace_policy_modified.toml
index c2280b2e0e7..a822c3bb7e4 100644
--- a/rules/google-workspace/google_workspace_policy_modified.toml
+++ b/rules/google-workspace/google_workspace_policy_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace Password Policy Modified"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml b/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
index 361857dd7fa..109d2549ec4 100644
--- a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "MFA Disabled for Google Workspace Organization"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index e9ed12fdcf0..109659514ca 100644
--- a/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace Admin Role Assigned to a User"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index 7833e15d082..e620c2bdeb3 100644
--- a/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace API Access Granted via Domain-Wide Delegation of Authority"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml
index 35f937b5ad9..92d427563d7 100644
--- a/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace Custom Admin Role Created"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/persistence_google_workspace_role_modified.toml b/rules/google-workspace/persistence_google_workspace_role_modified.toml
index 2799f51b401..e612b0955f1 100644
--- a/rules/google-workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/google-workspace/persistence_google_workspace_role_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace Role Modified"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 84de80a3608..974b60247cb 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ and system configurations.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Sensitive Files Compression"
 references = [
 "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 2cc053e8b50..524cf72bdff 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = ["Updates to approved and trusted SSH executables can trigger
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential OpenSSH Backdoor Logging Activity"
 references = [
 "https://github.com/eset/malware-ioc/tree/master/sshdoor",
diff --git a/rules/linux/credential_access_tcpdump_activity.toml b/rules/linux/credential_access_tcpdump_activity.toml
index 849e7741259..cbe991846c8 100644
--- a/rules/linux/credential_access_tcpdump_activity.toml
+++ b/rules/linux/credential_access_tcpdump_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Sniffing via Tcpdump"
 risk_score = 21
 rule_id = "7a137d76-ce3d-48e2-947d-2747796a78c0"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index 3c9ff0c9d24..9b063893132 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ receive or send network traffic.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Disable IPTables or Firewall"
 risk_score = 47
 rule_id = "125417b8-d3df-479f-8418-12d7e034fee3"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 8db4eb60022..6fbe0d37916 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ detection by security controls.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Disable Syslog Service"
 risk_score = 47
 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index 649422604c7..b5e5cf34af3 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Base16 or Base32 Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
diff --git a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
index 0c582b4b308..a05793044b1 100644
--- a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Base64 Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b"
diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
index a260a2cfb63..d6298a19804 100644
--- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ investigations.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Tampering of Bash Command-Line History"
 risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
@@ -50,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1070/003/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index ee9317630e1..e712df9eb30 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ activities.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Disabling of SELinux"
 risk_score = 47
 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index bf92a747d50..13c7192ca38 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ remove them at the end as part of the post-intrusion cleanup process.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "File Deletion via Shred"
 risk_score = 21
 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index c989352835d..fd9012555a1 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "File Permission Modification in Writable Directory"
 risk_score = 21
 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
diff --git a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
index eb15faa327f..b0ff5b3de7b 100644
--- a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Hex Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83"
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index f4511a806c6..41c6a9f72b5 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/29"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "Creation of Hidden Files and Directories"
 risk_score = 47
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index 779693daf74..da385d91cd2 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Kernel Module Removal"
 references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
 risk_score = 73
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index 2d655265e7d..86b49de39cf 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ forensic evidence on a system.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "System Log File Deletion"
 references = [
 "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html",
diff --git a/rules/linux/defense_evasion_timestomp_touch.toml b/rules/linux/defense_evasion_timestomp_touch.toml
index ebdf4c185bd..80c4b29dca9 100644
--- a/rules/linux/defense_evasion_timestomp_touch.toml
+++ b/rules/linux/defense_evasion_timestomp_touch.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ are in the same folder.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "Timestomping using Touch Command"
 risk_score = 47
@@ -45,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1070/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index 5ca7bea94a4..732997b8efd 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Enumeration of Kernel Modules"
 risk_score = 47
 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index dc447b0caf5..044841ca27e 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Virtual Machine Fingerprinting"
 risk_score = 73
 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
diff --git a/rules/linux/discovery_whoami_commmand.toml b/rules/linux/discovery_whoami_commmand.toml
index ff2d9ab2de3..26219cd15bc 100644
--- a/rules/linux/discovery_whoami_commmand.toml
+++ b/rules/linux/discovery_whoami_commmand.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "User Discovery via Whoami"
 risk_score = 21
 rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9"
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index 9d3516c5a52..baf9c43239c 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ interactive tty after obtaining initial access to a host.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Perl"
 risk_score = 73
 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index ba16bcb0e46..ebef8d6188f 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/15"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ interactive tty after obtaining initial access to a host.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Python"
 risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
diff --git a/rules/linux/initial_access_login_failures.toml b/rules/linux/initial_access_login_failures.toml
index f093c08b422..6f1f569b909 100644
--- a/rules/linux/initial_access_login_failures.toml
+++ b/rules/linux/initial_access_login_failures.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies that the maximum number of failed login attempts has been reached for a user."
 index = ["auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Auditd Max Failed Login Attempts"
 references = [
 "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574",
diff --git a/rules/linux/initial_access_login_location.toml b/rules/linux/initial_access_login_location.toml
index c19fc1b03d8..a617d471965 100644
--- a/rules/linux/initial_access_login_location.toml
+++ b/rules/linux/initial_access_login_location.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies that a login attempt has happened from a forbidden location."
 index = ["auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Auditd Login from Forbidden Location"
 references = [
 "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412",
diff --git a/rules/linux/initial_access_login_sessions.toml b/rules/linux/initial_access_login_sessions.toml
index 21b868c4b24..4016c276d02 100644
--- a/rules/linux/initial_access_login_sessions.toml
+++ b/rules/linux/initial_access_login_sessions.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies that the maximum number login sessions has been reached for a user."
 index = ["auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Auditd Max Login Sessions"
 references = [
 "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007",
diff --git a/rules/linux/initial_access_login_time.toml b/rules/linux/initial_access_login_time.toml
index 143a01bd6f4..7e2696c9350 100644
--- a/rules/linux/initial_access_login_time.toml
+++ b/rules/linux/initial_access_login_time.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies that a login attempt occurred at a forbidden time."
 index = ["auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Auditd Login Attempt at Forbidden Time"
 references = [
 "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666",
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index 6393305d701..2e152039ed6 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Connection to External Network via Telnet"
 risk_score = 47
 rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index 6238d0741fa..620fc0f5949 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Connection to Internal Network via Telnet"
 risk_score = 47
 rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
diff --git a/rules/linux/linux_hping_activity.toml b/rules/linux/linux_hping_activity.toml
index 456cc65ebe1..429d1a38b28 100644
--- a/rules/linux/linux_hping_activity.toml
+++ b/rules/linux/linux_hping_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Hping Process Activity"
 references = ["https://en.wikipedia.org/wiki/Hping"]
 risk_score = 73
diff --git a/rules/linux/linux_iodine_activity.toml b/rules/linux/linux_iodine_activity.toml
index f4a4639fee8..9ba5ba03203 100644
--- a/rules/linux/linux_iodine_activity.toml
+++ b/rules/linux/linux_iodine_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential DNS Tunneling via Iodine"
 references = ["https://code.kryo.se/iodine/"]
 risk_score = 73
diff --git a/rules/linux/linux_mknod_activity.toml b/rules/linux/linux_mknod_activity.toml
index 048758f4bae..8ab0a9e5c26 100644
--- a/rules/linux/linux_mknod_activity.toml
+++ b/rules/linux/linux_mknod_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Mknod Process Activity"
 references = [
 "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/",
diff --git a/rules/linux/linux_netcat_network_connection.toml b/rules/linux/linux_netcat_network_connection.toml
index 821a7d577db..66b6bc7743e 100644
--- a/rules/linux/linux_netcat_network_connection.toml
+++ b/rules/linux/linux_netcat_network_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Netcat Network Activity"
 references = [
 "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
diff --git a/rules/linux/linux_nmap_activity.toml b/rules/linux/linux_nmap_activity.toml
index e52019b8c72..d6bdcab1a80 100644
--- a/rules/linux/linux_nmap_activity.toml
+++ b/rules/linux/linux_nmap_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Nmap Process Activity"
 references = ["https://en.wikipedia.org/wiki/Nmap"]
 risk_score = 21
diff --git a/rules/linux/linux_nping_activity.toml b/rules/linux/linux_nping_activity.toml
index a1e6ac148c1..aec8fb736c5 100644
--- a/rules/linux/linux_nping_activity.toml
+++ b/rules/linux/linux_nping_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Nping Process Activity"
 references = ["https://en.wikipedia.org/wiki/Nmap"]
 risk_score = 47
diff --git a/rules/linux/linux_process_started_in_temp_directory.toml b/rules/linux/linux_process_started_in_temp_directory.toml
index 6e2aac593b4..f619b4c630b 100644
--- a/rules/linux/linux_process_started_in_temp_directory.toml
+++ b/rules/linux/linux_process_started_in_temp_directory.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Process Execution - Temp"
 risk_score = 47
 rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a"
diff --git a/rules/linux/linux_socat_activity.toml b/rules/linux/linux_socat_activity.toml
index 71a024ac606..4cb73f1ba4c 100644
--- a/rules/linux/linux_socat_activity.toml
+++ b/rules/linux/linux_socat_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Socat Process Activity"
 references = ["https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat"]
 risk_score = 47
diff --git a/rules/linux/linux_strace_activity.toml b/rules/linux/linux_strace_activity.toml
index 80afb10b0f7..ad7333bd5a1 100644
--- a/rules/linux/linux_strace_activity.toml
+++ b/rules/linux/linux_strace_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Strace Process Activity"
 references = ["https://en.wikipedia.org/wiki/Strace"]
 risk_score = 21
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 15f10dd84e9..a5aa08cf8f9 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of OpenSSH Binaries"
 references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"]
 risk_score = 47
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index bfd990d737e..42942c51601 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/06"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ execute upon each user logon. Adversaries may abuse this method for persistence.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via KDE AutoStart Script or Desktop File Modification"
 references = [
 "https://userbase.kde.org/System_Settings/Autostart",
diff --git a/rules/linux/persistence_kernel_module_activity.toml b/rules/linux/persistence_kernel_module_activity.toml
index 1e7dcb1fc30..ced0ec3ee1c 100644
--- a/rules/linux/persistence_kernel_module_activity.toml
+++ b/rules/linux/persistence_kernel_module_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via Kernel Module Modification"
 references = [
 "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM",
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml
index 28efd18730d..221bc3becf0 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_shell_activity_by_web_server.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Shell via Web Server"
 references = ["https://pentestlab.blog/tag/web-shell/"]
 risk_score = 47
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index f3676097a87..2b2c84c31ed 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ payloads by hijacking the dynamic linker used to load libraries.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of Dynamic Linker Preload Shared Object"
 references = [
 "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 9e98af23ec9..f8595b3b25c 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Adversaries may acquire credentials from web browsers by reading files specific
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Access of Stored Browser Credentials"
 references = ["https://securelist.com/calisto-trojan-for-macos/86543/"]
 risk_score = 73
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index 009616ca00b..5592924d5fd 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ websites, secure notes and certificates.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Access to Keychain Credentials Directories"
 references = [
 "https://objective-see.com/blog/blog_0x25.html",
@@ -57,3 +57,4 @@ reference = "https://attack.mitre.org/techniques/T1555/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index 82a5e907ea4..a70a2b68d06 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/25"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ lateral movement.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Dumping Account Hashes via Built-In Commands"
 references = [
 "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index 51fc2ac5802..84dbc603881 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ and website passwords, secure notes, certificates, and Kerberos.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Dumping of Keychain Content via Security Command"
 references = ["https://ss64.com/osx/security.html"]
 risk_score = 73
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index 5c7959c5a6e..d8d1841ff3e 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies the use of the Kerberos credential cache (kcc) utility
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Kerberos Cached Credentials Dumping"
 references = [
 "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index 901b9f3c7ff..5e6de5b52a2 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/06"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = ["Trusted parent processes accessing their respective applicat
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Keychain Password Retrieval via Command Line"
 references = [
 "https://www.netmeister.org/blog/keychain-passwords.html",
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index b23906bbc26..1dd3b704541 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/05"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate WebProxy Settings Modification"]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "WebProxy Settings Modification"
 references = [
 "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
diff --git a/rules/macos/credential_access_potential_ssh_bruteforce.toml b/rules/macos/credential_access_potential_ssh_bruteforce.toml
index 7de09f52331..6ea7cc8754f 100644
--- a/rules/macos/credential_access_potential_ssh_bruteforce.toml
+++ b/rules/macos/credential_access_potential_ssh_bruteforce.toml
@@ -1,18 +1,18 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2020/11/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute
-force attack to obtain unauthorized access to user accounts.
+Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a
+brute force attack to obtain unauthorized access to user accounts.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential SSH Brute Force Detected"
 references = ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"]
 risk_score = 47
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
 field = "host.id"
 value = 20
+
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index 109e13f56d1..994a99d21ae 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ credentials.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Prompt for Credentials with OSASCRIPT"
 references = [
 "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
@@ -48,3 +48,4 @@ reference = "https://attack.mitre.org/techniques/T1056/002/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index d8166c7ddce..7dc0ab8e197 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ keychain storage data from a system to acquire credentials.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SystemKey Access via Command Line"
 references = ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"]
 risk_score = 73
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index b2a715b7749..9d1d262aa39 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/15"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Authorized SoftwareUpdate Settings Changes"]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SoftwareUpdate Preferences Modification"
 references = ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"]
 risk_score = 47
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 3a9d3fb1ae8..8fc3008eda0 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ time. An adversary may disable this attribute to evade defenses.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Remove File Quarantine Attribute"
 references = [
 "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index 4a6b8bded93..6eacbcd676c 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ trusted software is run. Adversaries may attempt to disable Gatekeeper before ex
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Disable Gatekeeper"
 references = [
 "https://support.apple.com/en-us/HT202491",
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index d125e9cc8d4..fae68587e7a 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = ["Certain applications may install root certificates for the p
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Install Root Certificate"
 references = ["https://ss64.com/osx/security-cert.html"]
 risk_score = 47
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index f2b64d94135..053efdd88a8 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ restrictions.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of Environment Variable via Launchctl"
 references = [
 "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb",
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index bfcfba7ba2c..452ae6d73fb 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ microphone, address book, and calendar.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via TCCDB Modification"
 references = [
 "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index e104f972a97..a145e387c1a 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/11"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ privacy controls to access sensitive files.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via Localhost Secure Copy"
 references = [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/",
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index b5022cef6b4..268fe3771b1 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ browser.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of Safari Settings via Defaults Command"
 references = ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"]
 risk_score = 47
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 23fa1cf2d34..16e134cef57 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ AutoStart location to achieve sandbox evasion.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Microsoft Office Sandbox Evasion"
 references = [
 "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf",
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index a06ef6bae0d..38ef18992b5 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ system, including all user data and files protected by Apple’s privacy framewo
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "TCC Bypass via Mounted APFS Snapshot Access"
 references = ["https://theevilbit.github.io/posts/cve_2020_9771/"]
 risk_score = 73
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index ff25023b032..7d4fe892b76 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies attempts to unload the Elastic Endpoint Security kerne
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Unload Elastic Endpoint Security Kernel Extension"
 risk_score = 73
 rule_id = "70fa1af4-27fd-4f26-bd03-50b6af6b9e24"
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index e25336cd891..364134791b8 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies the execution of macOS built-in commands related to ac
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Enumeration of Users or Groups via Built-in Commands"
 risk_score = 21
 rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index 5d2d74362ef..cbff611403f 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ child_process Node.js module. Adversaries may abuse this technique to inherit pe
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution via Electron Child Process Node.js Module"
 references = [
 "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html",
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index 5dd6f2ff0df..87dde1bde51 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ for exploitation.
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Browser Child Process"
 references = [
 "https://objective-see.com/blog/blog_0x43.html",
diff --git a/rules/macos/execution_installer_spawned_network_event.toml b/rules/macos/execution_installer_spawned_network_event.toml
index 51c8c38487e..b291a6c5906 100644
--- a/rules/macos/execution_installer_spawned_network_event.toml
+++ b/rules/macos/execution_installer_spawned_network_event.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/23"
 maturity = "production"
-updated_date = "2021/02/23"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "macOS Installer Spawns Network Event"
 references = ["https://redcanary.com/blog/clipping-silver-sparrows-wings"]
 risk_score = 47
@@ -79,3 +79,4 @@ reference = "https://attack.mitre.org/techniques/T1071/001/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index d81c79851fa..4636116f405 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -1,18 +1,19 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2020/12/23"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts
-malicious JavaScript for Automation (JXA) code as an alternative to using osascript.
+Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service.
+Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an
+alternative to using osascript.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Automator Workflows Execution"
 references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
 risk_score = 47
@@ -40,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 8bc3db0a12c..6882fe89d5d 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
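Review bot: The re-flowed description in execution_script_via_automator_workflows.toml carries the possessive typo forward on the first added line, `from it's XPC service.`; since this hunk already rewrites that sentence, correct it to `from its XPC service.` here so the user-facing rule description does not ship with the error. The other two added lines only re-wrap the existing text and read fine. Separately, the `@@ -40,3 +41,4 @@` hunk in the same file appends a trailing blank line at end of file, which other rule files in this diff (for example linux_iodine_activity.toml) do not get; if this looks like formatter output it should be applied uniformly, otherwise dropped.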
@@ -1,19 +1,18 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2020/12/07"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects execution via the Apple script interpreter (osascript) followed by a network connection from
-the same process within a short time period. Adversaries may use malicious scripts for execution and command and
-control.
+Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process
+within a short time period. Adversaries may use malicious scripts for execution and command and control.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Apple Script Execution followed by Network Connection"
 references = [
 "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html",
@@ -64,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index 6ab51104877..8e784e97551 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -1,18 +1,18 @@ [metadata] creation_date = "2020/12/07" maturity = "production" -updated_date = "2020/12/07" +updated_date = "2021/03/03" [rule] author = ["Elastic"] description = """ -Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use -the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. +Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the +doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Shell Execution via Apple Scripting" references = [ "https://developer.apple.com/library/archive/technotes/tn2065/_index.html", @@ -43,3 +43,4 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml index 5fe8f6d413b..ff5e6a505e2 100644 --- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml +++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/04" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ malicious macros. from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Suspicious macOS MS Office Child Process" references = ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"] risk_score = 47 
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml index fc395a6f948..c2a4bb4118b 100644 --- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml +++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/12" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ attempt unauthorized authentication techniques such as pass-the-ticket/hash and from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Potential Kerberos Attack via Bifrost" references = ["https://github.com/its-a-feature/bifrost"] risk_score = 73 diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml index 16e12c4b23b..e1cad6ddf5b 100644 --- a/rules/macos/lateral_movement_mounting_smb_share.toml +++ b/rules/macos/lateral_movement_mounting_smb_share.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/25" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ use valid accounts to interact with a remote network share using SMB. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Mount SMB Share via Command Line" references = ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"] risk_score = 21 diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml index 83b755ff8ee..1054f67db83 100644 --- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml 
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = "Detects use of the systemsetup command to enable remote SSH Login from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Remote SSH Login Enabled via systemsetup Command" references = [ "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml index c04b40b9043..272c11a46b2 100644 --- a/rules/macos/lateral_movement_vpn_connection_attempt.toml +++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/25" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = "Identifies the execution of macOS built-in commands to connect to from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Virtual Private Network Connection Attempt" references = [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml index 868bbd57591..31cc60b977c 100644 --- a/rules/macos/persistence_account_creation_hide_at_logon.toml +++ b/rules/macos/persistence_account_creation_hide_at_logon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/05" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ attempt to evade user attention while maintaining persistence using a separate l from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Potential Hidden Local User Account Creation" references = ["https://support.apple.com/en-us/HT203998"] risk_score = 47 diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml index 2aec84b0fc6..f67eea22750 100644 --- a/rules/macos/persistence_creation_change_launch_agents_file.toml +++ b/rules/macos/persistence_creation_change_launch_agents_file.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/07" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ false_positives = ["Trusted applications persisting via LaunchAgent"] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Launch Agent Creation or Modification and Immediate Loading" references = [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html", @@ -45,6 +45,7 @@ name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml index bd2f77cdbb2..b6b13172dcc 100644 --- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml +++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/05" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ program while concealing its presence. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Creation of Hidden Login Item via Apple Script" risk_score = 47 rule_id = "f24bcae1-8980-4b30-b5dd-f851b055c9e7" diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml index d0718b13729..9a48875c1fb 100644 --- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml +++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/07" maturity = "production" -updated_date = "2020/12/07" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ false_positives = ["Trusted applications persisting via LaunchDaemons"] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "LaunchDaemon Creation or Modification and Immediate Loading" references = [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html", @@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml index c4e5f27bd24..126b9c945cc 100644 --- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml +++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/13" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ to persist and/or collect clear text credentials as they traverse the registered from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Authorization Plugin Modification" references = [ "https://developer.apple.com/documentation/security/authorization_plug-ins", diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml index af7609ea5ac..fce77f91fae 100644 --- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml +++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/07" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ installing a new logon item, launch agent, or daemon that executes upon login. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Suspicious Hidden Child Process of Launchd" references = [ "https://objective-see.com/blog/blog_0x61.html", diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml index 375dcbc31cc..33cd6f1da5c 100644 --- a/rules/macos/persistence_directory_services_plugins_modification.toml +++ b/rules/macos/persistence_directory_services_plugins_modification.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/13" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ DirectoryServices PlugIns folder and can be abused by adversaries to maintain pe from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Persistence via DirectoryService Plugin Modification" references = ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"] risk_score = 47 diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml index 2b44e9b29e6..5f3c0098242 100644 --- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml +++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/18" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ application instead of the intended one when invoked. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Persistence via Docker Shortcut Modification" references = [ """ diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml index 414c4f70096..cdf4702a1d9 100644 --- a/rules/macos/persistence_emond_rules_file_creation.toml +++ b/rules/macos/persistence_emond_rules_file_creation.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/11" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ writing a rule to execute commands when a defined event occurs, such as system s from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Emond Rules Creation or Modification" references = ["https://www.xorrior.com/emond-persistence/"] risk_score = 47 diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml index bc883ce9a4c..d48776e7613 100644 --- a/rules/macos/persistence_emond_rules_process_execution.toml +++ b/rules/macos/persistence_emond_rules_process_execution.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/11" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ authentication. from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Suspicious Emond Child Process" references = ["https://www.xorrior.com/emond-persistence/"] risk_score = 47 diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml index 62052f91c89..f760c40ac62 100644 --- a/rules/macos/persistence_enable_root_account.toml +++ b/rules/macos/persistence_enable_root_account.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/04" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ for persistence, as the root account is disabled by default. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Enable the Root Account" references = ["https://ss64.com/osx/dsenableroot.html"] risk_score = 47 
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index b3fa8a5fd9b..7f09fce054c 100644 --- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/05" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ launch agent or daemon which executes at login. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Creation of Hidden Launch Agent or Daemon" references = [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html", diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml index 6a42e079cc4..d3e8050fd92 100644 --- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml +++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml 
@@ -1,22 +1,25 @@ [metadata] creation_date = "2020/12/18" maturity = "production" -updated_date = "2020/12/18" +updated_date = "2021/03/03" [rule] author = ["Elastic"] description = """ -Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may -abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. +Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse +this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. """ false_positives = ["Trusted Finder Sync Plugins"] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Finder Sync Plugin Registered and Enabled" references = [ - "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf", + """ + https://github.com/specterops/presentations/raw/master/Leo + Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + """, ] risk_score = 47 rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906" @@ -55,3 +58,4 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml index a2ee1da1939..98724350cb9 100644 --- a/rules/macos/persistence_folder_action_scripts_runtime.toml +++ b/rules/macos/persistence_folder_action_scripts_runtime.toml 
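Review bot: The re-wrapped reference in the first hunk puts a line break inside a URL: the value is now a TOML multi-line basic string whose content is `https://github.com/specterops/presentations/raw/master/Leo`, a newline plus indentation, then `Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf`, so unless the rule loader collapses internal whitespace the stored link is no longer the original `.../Leo Pitt/...` URL. The literal space in the path is what the formatter wrapped on; percent-encoding it keeps the reference on one line, `"https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",`, and removes the dependence on loader-side normalization. If the loader does normalize multi-line strings, that behaviour is worth pinning with a test, because a plain TOML parse of this file yields a reference value containing a newline.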
@@ -1,18 +1,19 @@ [metadata] creation_date = "2020/12/07" maturity = "production" -updated_date = "2020/12/07" +updated_date = "2021/03/03" [rule] author = ["Elastic"] description = """ A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its -window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. +window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a +malicious script. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Persistence via Folder Action Script" references = ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"] risk_score = 47 @@ -52,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml index c81d3030cfe..33ab3f64483 100644 --- a/rules/macos/persistence_login_logout_hooks_defaults.toml +++ b/rules/macos/persistence_login_logout_hooks_defaults.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/07" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ capability to establish persistence in an environment by inserting code to be ex from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Persistence via Login or Logout Hook" references = [ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", 
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml index 86d01d90855..ffa4efea42d 100644 --- a/rules/macos/persistence_loginwindow_plist_modification.toml +++ b/rules/macos/persistence_loginwindow_plist_modification.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/21" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ run a program during system boot or user login for persistence. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Potential Persistence via Login Hook" note = "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system." references = ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"] diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml index 28b58049ddb..8dfde983390 100644 --- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml +++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/23" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Sublime application is started. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Sublime Plugin or Application Script Modification" references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"] risk_score = 21 
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml index 21909f3f17f..70f528ef7a7 100644 --- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml +++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/21" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ tasks to execute malicious code or maintain persistence. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Potential Persistence via Periodic Tasks" references = [ "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml index 83ef049fdc7..5351f1fb9ae 100644 --- a/rules/macos/persistence_suspicious_calendar_modification.toml +++ b/rules/macos/persistence_suspicious_calendar_modification.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/19" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ false_positives = ["Trusted applications for managing calendars and reminders."] from = "now-9m" index = ["logs-endpoint.events.*", "auditbeat-*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Suspicious Calendar File Modification" references = [ "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml index 00cf2ad5218..2d620fcd62f 100644 --- a/rules/macos/persistence_via_atom_init_file_modification.toml 
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/21" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ init.coffee file that will be executed upon the Atom application opening. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Potential Persistence via Atom Init Script Modification" references = [ "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml index cc745a614f4..e0d64a96f8f 100644 --- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml +++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/27" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ privileges. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Apple Scripting Execution with Administrator Privileges" references = ["https://discussions.apple.com/thread/2266150"] risk_score = 47 diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml index a810cde3c0b..2668ff790b0 100644 --- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml +++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/07" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ not be run by itself, as this is a sign of execution with explicit logon credent from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Execution with Explicit Credentials via Scripting" references = [ "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml index 929abb69ab3..97f9cad83f4 100644 --- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml +++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/19" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ false_positives = ["Trusted system or Adobe Acrobat Related processes."] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Suspicious Child Process of Adobe Acrobat Reader Update Service" references = [ "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/", diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml index 182674e8c94..0f5514d0b0b 100644 --- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml +++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/05" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ escalation activity. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Potential Admin Group Account Addition" references = ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"] risk_score = 47 diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml index 87399c5f884..759156414c7 100644 --- a/rules/macos/privilege_escalation_root_crontab_filemod.toml +++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/27" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ privileges by exploiting privileged file write or move related vulnerabilities. from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Privilege Escalation via Root Crontab File Modification" references = [ "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", diff --git a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml index 1a84cc47381..e00eaf7e5a2 100644 --- a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml +++ b/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml 
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2020/12/15"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to
-obtain unauthorized access to user accounts.
+Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain
+unauthorized access to user accounts.
 """
 false_positives = [
 """
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempts to Brute Force a Microsoft 365 User Account"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 risk_score = 73
diff --git a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index 1e83ac28b65..95c525cbe5a 100644
--- a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/01"
 maturity = "production"
-updated_date = "2020/12/15"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Password Spraying of Microsoft 365 User Accounts"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 risk_score = 73
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index 4b53ebc2cbe..531c17f628f 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange DLP Policy Removed"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index beaf581eb0a..5ceec6c5677 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Malware Filter Policy Deletion"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index e8c5666d771..72d61960149 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Malware Filter Rule Modification"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index 09b0643ae0e..cb1ab8e6cbb 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Safe Attachment Rule Disabled"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 5cbfe769c21..a154afe29d8 100644
--- a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Transport Rule Creation"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index d504712cc8e..eb090e627c1 100644
--- a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Transport Rule Modification"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index 95eafc5a20e..d08455f6660 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Anti-Phish Policy Deletion"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index 86237efb5a9..1b374938b0f 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Anti-Phish Rule Modification"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index 7a4cac33f1e..a31bb3ad5b8 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Safe Link Policy Disabled"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml
index d05a7aec379..53d340185cb 100644
--- a/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange DKIM Signing Configuration Disabled"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml
index 6fe2b6ac7b5..b7be6ae9926 100644
--- a/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Teams Custom Application Interaction Allowed"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"]
diff --git a/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml
index 4a4ef521927..53c78b895a2 100644
--- a/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Management Group Role Assignment"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
index 0478e322968..e870da0e4ef 100644
--- a/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Teams External Access Enabled"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
diff --git a/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
index b9fa259214a..d319c93da2b 100644
--- a/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Teams Guest Access Enabled"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/ml/ml_cloudtrail_error_message_spike.toml b/rules/ml/ml_cloudtrail_error_message_spike.toml
index 034eb6e89d7..1d8bce75e14 100644
--- a/rules/ml/ml_cloudtrail_error_message_spike.toml
+++ b/rules/ml/ml_cloudtrail_error_message_spike.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-60m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "high_distinct_count_error_message"
 name = "Spike in AWS Error Messages"
 note = """### Investigating Spikes in CloudTrail Errors ###
diff --git a/rules/ml/ml_cloudtrail_rare_error_code.toml b/rules/ml/ml_cloudtrail_rare_error_code.toml
index e7ae7efad86..519eb51eb16 100644
--- a/rules/ml/ml_cloudtrail_rare_error_code.toml
+++ b/rules/ml/ml_cloudtrail_rare_error_code.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-60m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_error_code"
 name = "Rare AWS Error Code"
 note = """### Investigating Unusual CloudTrail Error Activity ###
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_city.toml b/rules/ml/ml_cloudtrail_rare_method_by_city.toml
index 58ba0ee1c55..5f0dafe15d8 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_city.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-60m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_city"
 name = "Unusual City For an AWS Command"
 note = """### Investigating an Unusual CloudTrail Event ###
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_country.toml b/rules/ml/ml_cloudtrail_rare_method_by_country.toml
index f413033273f..febcfd51bdc 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_country.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-60m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_country"
 name = "Unusual Country For an AWS Command"
 note = """### Investigating an Unusual CloudTrail Event ###
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_user.toml b/rules/ml/ml_cloudtrail_rare_method_by_user.toml
index 07932103bab..d46edbdc179 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 75
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-60m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_username"
 name = "Unusual AWS Command for a User"
 note = """### Investigating an Unusual CloudTrail Event ###
diff --git a/rules/ml/ml_linux_anomalous_compiler_activity.toml b/rules/ml/ml_linux_anomalous_compiler_activity.toml
index 8232423d54c..b2a246be123 100644
--- a/rules/ml/ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/ml_linux_anomalous_compiler_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_user_compiler"
 name = "Anomalous Linux Compiler Activity"
 risk_score = 21
diff --git a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
index 6422f870b8e..9f84e59b72c 100644
--- a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
+++ b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 25
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_kernel_module_arguments"
 name = "Anomalous Kernel Module Activity"
 references = ["references"]
@@ -27,8 +27,6 @@ rule_id = "37b0816d-af40-40b4-885f-bb162b3c88a9"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -41,6 +39,7 @@ name = "Kernel Modules and Extensions"
 reference = "https://attack.mitre.org/techniques/T1547/006/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/ml/ml_linux_anomalous_metadata_process.toml b/rules/ml/ml_linux_anomalous_metadata_process.toml
index c1f7c0872e9..c75e4bdf5d9 100644
--- a/rules/ml/ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/ml_linux_anomalous_metadata_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
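Review bot: `references = ["references"]` in the `@@ -18,7 +18,7 @@` hunk of rules/ml/ml_linux_anomalous_kernel_module_arguments.toml is a placeholder string that survives on the new side of this commit, so the published rule carries a reference that points nowhere. It should be replaced with the real source for the rule or the field dropped; the sibling ML rules on this page use `references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]`, which looks like the intended value here, though that is an inference to confirm with the rule author.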
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_metadata_process"
 name = "Unusual Linux Process Calling the Metadata Service"
 risk_score = 21
diff --git a/rules/ml/ml_linux_anomalous_metadata_user.toml b/rules/ml/ml_linux_anomalous_metadata_user.toml
index 2a23bf0e15d..cc7a11dac6e 100644
--- a/rules/ml/ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/ml_linux_anomalous_metadata_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 75
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_metadata_user"
 name = "Unusual Linux User Calling the Metadata Service"
 risk_score = 21
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index 3128560cb6c..259b71c31bb 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -15,7 +15,7 @@ applications.
 """
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_network_activity_ecs"
 name = "Unusual Linux Network Activity"
 note = """### Investigating Unusual Network Activity ###
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index 9143768cc35..cfad4e39ddd 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -14,7 +14,7 @@ unauthorized access or threat actor activity.
 false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_network_port_activity_ecs"
 name = "Unusual Linux Network Port Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_linux_anomalous_network_service.toml b/rules/ml/ml_linux_anomalous_network_service.toml
index c571550ff72..db8f67fced4 100644
--- a/rules/ml/ml_linux_anomalous_network_service.toml
+++ b/rules/ml/ml_linux_anomalous_network_service.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -13,7 +13,7 @@ or persistence mechanisms.
 false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_network_service"
 name = "Unusual Linux Network Service"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_linux_anomalous_network_url_activity.toml b/rules/ml/ml_linux_anomalous_network_url_activity.toml
index 1668bf33651..af83c72b81b 100644
--- a/rules/ml/ml_linux_anomalous_network_url_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_url_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -21,7 +21,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_network_url_activity_ecs"
 name = "Unusual Linux Web Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_linux_anomalous_process_all_hosts.toml b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
index 3abcce5aac7..3f880823eda 100644
--- a/rules/ml/ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_process_all_hosts_ecs"
 name = "Anomalous Process For a Linux Population"
 note = """### Investigating an Unusual Linux Process ###
diff --git a/rules/ml/ml_linux_anomalous_sudo_activity.toml b/rules/ml/ml_linux_anomalous_sudo_activity.toml
index 01d70d74407..012cd899408 100644
--- a/rules/ml/ml_linux_anomalous_sudo_activity.toml
+++ b/rules/ml/ml_linux_anomalous_sudo_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 75
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_sudo_user"
 name = "Unusual Sudo Activity"
 risk_score = 21
diff --git a/rules/ml/ml_linux_anomalous_user_name.toml b/rules/ml/ml_linux_anomalous_user_name.toml
index aeb59abdd6c..0d2fd1b3c49 100644
--- a/rules/ml/ml_linux_anomalous_user_name.toml
+++ b/rules/ml/ml_linux_anomalous_user_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -24,7 +24,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_user_name_ecs"
 name = "Unusual Linux Username"
 note = """### Investigating an Unusual Linux User ###
diff --git a/rules/ml/ml_linux_system_information_discovery.toml b/rules/ml/ml_linux_system_information_discovery.toml
index 5277234f2b8..1d3b8d3010a 100644
--- a/rules/ml/ml_linux_system_information_discovery.toml
+++ b/rules/ml/ml_linux_system_information_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 75
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_system_information_discovery"
 name = "Unusual Linux System Information Discovery Activity"
 risk_score = 21
diff --git a/rules/ml/ml_linux_system_network_configuration_discovery.toml b/rules/ml/ml_linux_system_network_configuration_discovery.toml
index 4f0299a7781..2894a1f2413 100644
--- a/rules/ml/ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/ml_linux_system_network_configuration_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 25
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_network_configuration_discovery"
 name = "Unusual Linux System Network Configuration Discovery"
 risk_score = 21
diff --git a/rules/ml/ml_linux_system_network_connection_discovery.toml b/rules/ml/ml_linux_system_network_connection_discovery.toml
index f1f5cc3ab94..40adf632316 100644
--- a/rules/ml/ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/ml_linux_system_network_connection_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 25
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_network_connection_discovery"
 name = "Unusual Linux Network Connection Discovery"
 risk_score = 21
diff --git a/rules/ml/ml_linux_system_process_discovery.toml b/rules/ml/ml_linux_system_process_discovery.toml
index 8d2f02aa5c8..d72c928e76e 100644
--- a/rules/ml/ml_linux_system_process_discovery.toml
+++ b/rules/ml/ml_linux_system_process_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_system_process_discovery"
 name = "Unusual Linux Process Discovery Activity"
 risk_score = 21
diff --git a/rules/ml/ml_linux_system_user_discovery.toml b/rules/ml/ml_linux_system_user_discovery.toml
index cd390b1a316..19b1e9e9121 100644
--- a/rules/ml/ml_linux_system_user_discovery.toml
+++ b/rules/ml/ml_linux_system_user_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 75
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_system_user_discovery"
 name = "Unusual Linux System Owner or User Discovery Activity"
 risk_score = 21
diff --git a/rules/ml/ml_packetbeat_dns_tunneling.toml b/rules/ml/ml_packetbeat_dns_tunneling.toml
index 9b83bd3ad00..be739fadb31 100644
--- a/rules/ml/ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/ml_packetbeat_dns_tunneling.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_dns_tunneling"
 name = "DNS Tunneling"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_packetbeat_rare_dns_question.toml b/rules/ml/ml_packetbeat_rare_dns_question.toml
index 41c4ba296db..1c168b91d45 100644
--- a/rules/ml/ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/ml_packetbeat_rare_dns_question.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 [rule]
 anomaly_threshold = 50
@@ -23,7 +23,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_dns_question"
 name = "Unusual DNS Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index 03057b251ff..3ff8f3b6529 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +23,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_server_domain"
 name = "Unusual Network Destination Domain Name"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_packetbeat_rare_urls.toml b/rules/ml/ml_packetbeat_rare_urls.toml
index 6ec58760293..b4f7fd6052e 100644
--- a/rules/ml/ml_packetbeat_rare_urls.toml
+++ b/rules/ml/ml_packetbeat_rare_urls.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -26,7 +26,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_urls"
 name = "Unusual Web Request"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_packetbeat_rare_user_agent.toml b/rules/ml/ml_packetbeat_rare_user_agent.toml
index 39cea0bfbdf..81a0a463d00 100644
--- a/rules/ml/ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/ml_packetbeat_rare_user_agent.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -24,7 +24,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_user_agent"
 name = "Unusual Web User Agent"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_rare_process_by_host_linux.toml b/rules/ml/ml_rare_process_by_host_linux.toml
index 92debf6ece6..c2d0d69558a 100644
--- a/rules/ml/ml_rare_process_by_host_linux.toml
+++ b/rules/ml/ml_rare_process_by_host_linux.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_process_by_host_linux_ecs"
 name = "Unusual Process For a Linux Host"
 note = """### Investigating an Unusual Linux Process ###
diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml
index 7b9625cb47d..d34815d0ec2 100644
--- a/rules/ml/ml_rare_process_by_host_windows.toml
+++ b/rules/ml/ml_rare_process_by_host_windows.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_process_by_host_windows_ecs"
 name = "Unusual Process For a Windows Host"
 note = """### Investigating an Unusual Windows Process ###
diff --git a/rules/ml/ml_suspicious_login_activity.toml b/rules/ml/ml_suspicious_login_activity.toml
index e11074604de..f35e95e0652 100644
--- a/rules/ml/ml_suspicious_login_activity.toml
+++ b/rules/ml/ml_suspicious_login_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -15,7 +15,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "suspicious_login_activity_ecs"
 name = "Unusual Login Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_anomalous_metadata_process.toml b/rules/ml/ml_windows_anomalous_metadata_process.toml
index 53417a7bb65..47ffc4c0bb6 100644
--- a/rules/ml/ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/ml_windows_anomalous_metadata_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_rare_metadata_process"
 name = "Unusual Windows Process Calling the Metadata Service"
 risk_score = 21
diff --git a/rules/ml/ml_windows_anomalous_metadata_user.toml b/rules/ml/ml_windows_anomalous_metadata_user.toml
index e95aa4001ca..7bf1ac580e9 100644
--- a/rules/ml/ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/ml_windows_anomalous_metadata_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 75
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_rare_metadata_user"
 name = "Unusual Windows User Calling the Metadata Service"
 risk_score = 21
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 7c1b5633d9b..562e800c564 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -16,7 +16,7 @@ network applications.
 false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_network_activity_ecs"
 name = "Unusual Windows Network Activity"
 note = """### Investigating Unusual Network Activity ###
diff --git a/rules/ml/ml_windows_anomalous_path_activity.toml b/rules/ml/ml_windows_anomalous_path_activity.toml
index ee03eb45a63..45837776f7b 100644
--- a/rules/ml/ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/ml_windows_anomalous_path_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -21,7 +21,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_path_activity_ecs"
 name = "Unusual Windows Path Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_anomalous_process_all_hosts.toml b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
index 25072ef534f..67b04d13a1b 100644
--- a/rules/ml/ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_process_all_hosts_ecs"
 name = "Anomalous Process For a Windows Population"
 note = """### Investigating an Unusual Windows Process ###
diff --git a/rules/ml/ml_windows_anomalous_process_creation.toml b/rules/ml/ml_windows_anomalous_process_creation.toml
index 58340fe88c0..5b6cfb94522 100644
--- a/rules/ml/ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/ml_windows_anomalous_process_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +22,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_process_creation"
 name = "Anomalous Windows Process Creation"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_anomalous_script.toml b/rules/ml/ml_windows_anomalous_script.toml
index 6217eb4bac3..0764a3beda9 100644
--- a/rules/ml/ml_windows_anomalous_script.toml
+++ b/rules/ml/ml_windows_anomalous_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_script"
 name = "Suspicious Powershell Script"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_anomalous_service.toml b/rules/ml/ml_windows_anomalous_service.toml
index 2d601168bb3..eef0e87ca98 100644
--- a/rules/ml/ml_windows_anomalous_service.toml
+++ b/rules/ml/ml_windows_anomalous_service.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_service"
 name = "Unusual Windows Service"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_anomalous_user_name.toml b/rules/ml/ml_windows_anomalous_user_name.toml
index d92f8e6863f..8f9e00b2a3e 100644
--- a/rules/ml/ml_windows_anomalous_user_name.toml
+++ b/rules/ml/ml_windows_anomalous_user_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -24,7 +24,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_user_name_ecs"
 name = "Unusual Windows Username"
 note = """### Investigating an Unusual Windows User ###
diff --git a/rules/ml/ml_windows_rare_user_runas_event.toml b/rules/ml/ml_windows_rare_user_runas_event.toml
index 5f72e30ea5b..ace03f9b6d4 100644
--- a/rules/ml/ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/ml_windows_rare_user_runas_event.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_rare_user_runas_event"
 name = "Unusual Windows User Privilege Elevation Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_rare_user_type10_remote_login.toml b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
index c360737e5d0..7b949686232 100644
--- a/rules/ml/ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_rare_user_type10_remote_login"
 name = "Unusual Windows Remote User"
 note = """### Investigating an Unusual Windows User ###
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index 5ac3a029eee..098c5b163f6 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["packetbeat-*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Cobalt Strike Command and Control Beacon"
 note = "This activity has been observed in FIN7 campaigns."
 references = [
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 7521638a5a1..78564ea30c5 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/05"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ Reference section for additional information on module configuration.
 """
 index = ["filebeat-*", "packetbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Default Cobalt Strike Team Server Certificate"
 note = "While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly."
 references = [
diff --git a/rules/network/command_and_control_dns_directly_to_the_internet.toml b/rules/network/command_and_control_dns_directly_to_the_internet.toml
index da3c6527ba5..15f4355ac35 100644
--- a/rules/network/command_and_control_dns_directly_to_the_internet.toml
+++ b/rules/network/command_and_control_dns_directly_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "packetbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "DNS Activity to the Internet"
 references = [
     "https://www.us-cert.gov/ncas/alerts/TA15-240A",
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 2036e1f54c3..651f9636246 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["packetbeat-*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
 note = "This activity has been observed in FIN7 campaigns."
 references = [
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 93a8be9c168..997140ac306 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 ]
 index = ["packetbeat-*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Possible FIN7 DGA Command and Control Behavior"
 note = "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`."
 references = [
diff --git a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
index a8f599fd938..15b18227a9c 100644
--- a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "FTP (File Transfer Protocol) Activity to the Internet"
 risk_score = 21
 rule_id = "87ec6396-9ac4-4706-bcf0-2ebb22002f43"
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index 582a6c300ef..ff1d311b05a 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 ]
 index = ["packetbeat-*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Halfbaked Command and Control Beacon"
 note = "This activity has been observed in FIN7 campaigns."
 references = [
diff --git a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
index 57d5d36f189..c41a8c35b6f 100644
--- a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "IRC (Internet Relay Chat) Protocol Activity to the Internet"
 risk_score = 47
 rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa"
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index 72bf51ec5aa..329ec5091e2 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "IPSEC NAT Traversal Port Activity"
 risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index be3cf6d4d5f..e0c426a7a7f 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SMTP on Port 26/TCP"
 references = [
     "https://unit42.paloaltonetworks.com/unit42-badpatch/",
diff --git a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
index 1511eb39495..1074e3b7b8a 100644
--- a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "TCP Port 8000 Activity to the Internet"
 risk_score = 21
 rule_id = "08d5d7e2-740f-44d8-aeda-e41f4263efaf"
diff --git a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
index 397691fac96..3ffacde82de 100644
--- a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
+++ b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "PPTP (Point to Point Tunneling Protocol) Activity"
 risk_score = 21
 rule_id = "d2053495-8fe7-4168-b3df-dad844046be3"
diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
index 86851442084..68cadc7596b 100644
--- a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Proxy Port Activity to the Internet"
 risk_score = 47
 rule_id = "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3"
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 8be8972b622..862783dfe90 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "RDP (Remote Desktop Protocol) from the Internet"
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
diff --git a/rules/network/command_and_control_smtp_to_the_internet.toml b/rules/network/command_and_control_smtp_to_the_internet.toml
index a9cccfa0379..d0371e4d95e 100644
--- a/rules/network/command_and_control_smtp_to_the_internet.toml
+++ b/rules/network/command_and_control_smtp_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SMTP to the Internet"
 risk_score = 21
 rule_id = "67a9beba-830d-4035-bfe8-40b7e28f8ac4"
diff --git a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
index 519e60f9ad9..5e0ef1047b3 100644
--- a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SQL Traffic to the Internet"
 risk_score = 47
 rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd"
diff --git a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
index 00b44fd5954..6af72db8dcc 100644
--- a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SSH (Secure Shell) from the Internet"
 risk_score = 47
 rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17"
diff --git a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
index d46b6d4f5e3..386ef584fab 100644
--- a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SSH (Secure Shell) to the Internet"
 risk_score = 21
 rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4"
diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
index 0dd4b0bc8af..c8450ea9ab8 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_telnet_port_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Telnet Port Activity"
 risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
diff --git a/rules/network/command_and_control_tor_activity_to_the_internet.toml b/rules/network/command_and_control_tor_activity_to_the_internet.toml
index f6e481d8ee5..71d212adbdd 100644
--- a/rules/network/command_and_control_tor_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_tor_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Tor Activity to the Internet"
 risk_score = 47
 rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 6864a1c8f5c..a52dd0dfc53 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) from the Internet"
 risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 9d353f5959c..14bbac8e0e4 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) to the Internet"
 risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
diff --git a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
index 982fe1863ce..04a51e82bb0 100644
--- a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
+++ b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["packetbeat-*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Public IP Reconnaissance Activity"
 note = "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert."
 references = [
diff --git a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
index 380ff23b6e7..37ed5bfb004 100644
--- a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
+++ b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [ from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "RDP (Remote Desktop Protocol) to the Internet" risk_score = 21 rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5" diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 97e78c5acfa..977de584c1a 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ back-door vector. from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "RPC (Remote Procedure Call) from the Internet" risk_score = 73 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a" diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index 48095a8cc67..58dc07cc33d 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -14,7 +14,7 @@ back-door vector. from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "RPC (Remote Procedure Call) to the Internet" risk_score = 73 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb" diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index c3bb513fd79..578e7c930f9 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ threat actors as an initial access or back-door vector or for data exfiltration. from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "SMB (Windows File Sharing) Activity to the Internet" risk_score = 73 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a" diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index dec1290f949..67add3a73b8 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml +++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/11" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -17,7 +17,7 @@ false_positives = [ ] index = ["packetbeat-*"] language = "lucene" -license = "Elastic License" +license = "Elastic License v2" name = "Inbound Connection to an Unsecure Elasticsearch Node" note = "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation." references = [ diff --git a/rules/okta/attempt_to_deactivate_okta_network_zone.toml b/rules/okta/attempt_to_deactivate_okta_network_zone.toml index 3f340e3adb9..675fffccce4 100644 --- a/rules/okta/attempt_to_deactivate_okta_network_zone.toml +++ b/rules/okta/attempt_to_deactivate_okta_network_zone.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Deactivate an Okta Network Zone" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/attempt_to_delete_okta_network_zone.toml b/rules/okta/attempt_to_delete_okta_network_zone.toml index f23a34471c8..1eb72f549d6 100644 --- a/rules/okta/attempt_to_delete_okta_network_zone.toml +++ b/rules/okta/attempt_to_delete_okta_network_zone.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Delete an Okta Network Zone" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ 
diff --git a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml index a92f495cad6..6335d9f64b7 100644 --- a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ policies configured for an organization in order to obtain unauthorized access t """ index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempted Bypass of Okta MFA" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index dcb1ea6d4bd..d54eba71b0d 100644 --- a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/19" maturity = "production" -updated_date = "2020/10/26" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ ensures that a user account is locked out after 10 failed authentication attempt from = "now-180m" index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempts to Brute Force an Okta User Account" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml index 0d74b8f184f..bf60d812e7f 100644 
--- a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml +++ b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/16" maturity = "production" -updated_date = "2020/10/26" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Okta Brute Force or Password Spraying Attack" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 6bf94a6d510..bc60eab6009 100644 --- a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/19" maturity = "production" -updated_date = "2020/10/26" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ from = "now-60m" index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "High Number of Okta User Password Reset or Unlock Attempts" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml index dbb036655c0..ad3b9155d0f 100644 --- a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml +++ b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Revoke Okta API Token" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/impact_possible_okta_dos_attack.toml b/rules/okta/impact_possible_okta_dos_attack.toml index b96161cb541..5760c1db259 100644 --- a/rules/okta/impact_possible_okta_dos_attack.toml +++ b/rules/okta/impact_possible_okta_dos_attack.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ organization's business operations by performing a DoS attack against its Okta s """ index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Possible Okta DoS Attack" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml index 7fdb055fb43..2915d5d30c8 100644 --- a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml +++ b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ help security teams identify when an adversary is attempting to gain access to t false_positives = ["A user may report suspicious activity on their Okta account in error."] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Suspicious Activity Reported by Okta User" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_deactivate_okta_application.toml b/rules/okta/okta_attempt_to_deactivate_okta_application.toml index 7a0e35e323e..f2696c83585 100644 --- a/rules/okta/okta_attempt_to_deactivate_okta_application.toml +++ b/rules/okta/okta_attempt_to_deactivate_okta_application.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Deactivate an Okta Application" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_deactivate_okta_policy.toml b/rules/okta/okta_attempt_to_deactivate_okta_policy.toml index 37a76d8f847..75e8d58523a 100644 --- a/rules/okta/okta_attempt_to_deactivate_okta_policy.toml +++ b/rules/okta/okta_attempt_to_deactivate_okta_policy.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Deactivate an Okta Policy" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml index 7077082fb37..5df33d4c468 100644 --- a/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Deactivate an Okta Policy Rule" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_delete_okta_application.toml b/rules/okta/okta_attempt_to_delete_okta_application.toml index 4cbc570157b..767e6279091 100644 --- a/rules/okta/okta_attempt_to_delete_okta_application.toml +++ b/rules/okta/okta_attempt_to_delete_okta_application.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Delete an Okta Application" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ 
diff --git a/rules/okta/okta_attempt_to_delete_okta_policy.toml b/rules/okta/okta_attempt_to_delete_okta_policy.toml index 16d343e80f1..1a56d4a84b3 100644 --- a/rules/okta/okta_attempt_to_delete_okta_policy.toml +++ b/rules/okta/okta_attempt_to_delete_okta_policy.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/28" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Delete an Okta Policy" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml b/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml index c40b3315331..a955aaaab2b 100644 --- a/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml +++ b/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Delete an Okta Policy Rule" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_modify_okta_application.toml b/rules/okta/okta_attempt_to_modify_okta_application.toml index e7d70d0d6ee..5833179a0ff 100644 --- a/rules/okta/okta_attempt_to_modify_okta_application.toml +++ b/rules/okta/okta_attempt_to_modify_okta_application.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Modify an Okta Application" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml index dcc290ac6ab..fe6b29d28e8 100644 --- a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml +++ b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Modify an Okta Network Zone" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_modify_okta_policy.toml b/rules/okta/okta_attempt_to_modify_okta_policy.toml index ec4de2633c2..73f654a8caf 100644 --- a/rules/okta/okta_attempt_to_modify_okta_policy.toml +++ b/rules/okta/okta_attempt_to_modify_okta_policy.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Modify an Okta Policy" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml b/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml index b021a3017d4..f619a99a5b0 100644 
--- a/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml +++ b/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Modify an Okta Policy Rule" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index 21e0b11753c..d4f089170b0 100644 --- a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/01" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Modification or Removal of an Okta Application Sign-On Policy" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml index c1def11a9d6..6338b5f787e 100644 --- a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml +++ b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ based attacks against their organization, such as brute force and password spray """ index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Threat Detected by Okta ThreatInsight" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index 1438589a674..d11f1905df5 100644 --- a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +++ b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Administrator Privileges Assigned to an Okta Group" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml index 7ab0cbd18d7..3c08c10305f 100644 --- a/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml +++ b/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Administrator Role Assigned to an Okta User" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/okta/persistence_attempt_to_create_okta_api_token.toml index 0281e48ddf3..8443ad327cf 100644 --- a/rules/okta/persistence_attempt_to_create_okta_api_token.toml +++ b/rules/okta/persistence_attempt_to_create_okta_api_token.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Create Okta API Token" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml index fcb965d07d4..84c101c2c3d 100644 --- a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml +++ b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/20" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Deactivate MFA for an Okta User Account" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ 
diff --git a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index d3f397ea624..3ec7624a4d8 100644 --- a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Reset MFA Factors for an Okta User Account" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/promotions/elastic_endpoint.toml b/rules/promotions/elastic_endpoint.toml index d700822818f..bf13c9fdd20 100644 --- a/rules/promotions/elastic_endpoint.toml +++ b/rules/promotions/elastic_endpoint.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/08" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ enabled = true from = "now-10m" index = ["logs-endpoint.alerts-*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" max_signals = 10000 name = "Endpoint Security" risk_score = 47 diff --git a/rules/promotions/endpoint_adversary_behavior_detected.toml b/rules/promotions/endpoint_adversary_behavior_detected.toml index 02bdfd47959..c2d832b315d 100644 --- a/rules/promotions/endpoint_adversary_behavior_detected.toml +++ b/rules/promotions/endpoint_adversary_behavior_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Adversary Behavior - Detected - Endpoint Security" risk_score = 47 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" diff --git a/rules/promotions/endpoint_cred_dumping_detected.toml b/rules/promotions/endpoint_cred_dumping_detected.toml index 387846c0131..68ecdc556a8 100644 --- a/rules/promotions/endpoint_cred_dumping_detected.toml +++ b/rules/promotions/endpoint_cred_dumping_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Credential Dumping - Detected - Endpoint Security" risk_score = 73 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" diff --git a/rules/promotions/endpoint_cred_dumping_prevented.toml b/rules/promotions/endpoint_cred_dumping_prevented.toml index 2e88be52ceb..174df2a6b5e 100644 --- a/rules/promotions/endpoint_cred_dumping_prevented.toml +++ b/rules/promotions/endpoint_cred_dumping_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Credential Dumping - Prevented - Endpoint Security" risk_score = 47 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" diff --git a/rules/promotions/endpoint_cred_manipulation_detected.toml b/rules/promotions/endpoint_cred_manipulation_detected.toml index 45cd5d2f60d..727012d8ebf 100644 --- a/rules/promotions/endpoint_cred_manipulation_detected.toml 
+++ b/rules/promotions/endpoint_cred_manipulation_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Credential Manipulation - Detected - Endpoint Security" risk_score = 73 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" diff --git a/rules/promotions/endpoint_cred_manipulation_prevented.toml b/rules/promotions/endpoint_cred_manipulation_prevented.toml index a2fbe0f02be..f0d789eb7c8 100644 --- a/rules/promotions/endpoint_cred_manipulation_prevented.toml +++ b/rules/promotions/endpoint_cred_manipulation_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Credential Manipulation - Prevented - Endpoint Security" risk_score = 47 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" diff --git a/rules/promotions/endpoint_exploit_detected.toml b/rules/promotions/endpoint_exploit_detected.toml index 4a8fb352176..ace67380b3a 100644 --- a/rules/promotions/endpoint_exploit_detected.toml +++ b/rules/promotions/endpoint_exploit_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Exploit - Detected - Endpoint Security" risk_score = 73 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" 
diff --git a/rules/promotions/endpoint_exploit_prevented.toml b/rules/promotions/endpoint_exploit_prevented.toml index 8db8a763618..ccf40946026 100644 --- a/rules/promotions/endpoint_exploit_prevented.toml +++ b/rules/promotions/endpoint_exploit_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Exploit - Prevented - Endpoint Security" risk_score = 47 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" diff --git a/rules/promotions/endpoint_malware_detected.toml b/rules/promotions/endpoint_malware_detected.toml index 09aa8feece8..c770d69dac8 100644 --- a/rules/promotions/endpoint_malware_detected.toml +++ b/rules/promotions/endpoint_malware_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Malware - Detected - Endpoint Security" risk_score = 99 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" diff --git a/rules/promotions/endpoint_malware_prevented.toml b/rules/promotions/endpoint_malware_prevented.toml index f879b6b5ff1..e2d35d6252e 100644 --- a/rules/promotions/endpoint_malware_prevented.toml +++ b/rules/promotions/endpoint_malware_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Malware - Prevented - Endpoint Security"
 risk_score = 73
 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
diff --git a/rules/promotions/endpoint_permission_theft_detected.toml b/rules/promotions/endpoint_permission_theft_detected.toml
index 6e0de9d696e..cf4c81103f2 100644
--- a/rules/promotions/endpoint_permission_theft_detected.toml
+++ b/rules/promotions/endpoint_permission_theft_detected.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Permission Theft - Detected - Endpoint Security"
 risk_score = 73
 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
diff --git a/rules/promotions/endpoint_permission_theft_prevented.toml b/rules/promotions/endpoint_permission_theft_prevented.toml
index ddbd069f56a..21a64775b97 100644
--- a/rules/promotions/endpoint_permission_theft_prevented.toml
+++ b/rules/promotions/endpoint_permission_theft_prevented.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Permission Theft - Prevented - Endpoint Security"
 risk_score = 47
 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
diff --git a/rules/promotions/endpoint_process_injection_detected.toml b/rules/promotions/endpoint_process_injection_detected.toml
index df8336bbc56..f8128ed2820 100644
--- a/rules/promotions/endpoint_process_injection_detected.toml
+++ b/rules/promotions/endpoint_process_injection_detected.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Process Injection - Detected - Endpoint Security"
 risk_score = 73
 rule_id = "80c52164-c82a-402c-9964-852533d58be1"
diff --git a/rules/promotions/endpoint_process_injection_prevented.toml b/rules/promotions/endpoint_process_injection_prevented.toml
index 5d13e9090d3..5b17ce16079 100644
--- a/rules/promotions/endpoint_process_injection_prevented.toml
+++ b/rules/promotions/endpoint_process_injection_prevented.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Process Injection - Prevented - Endpoint Security"
 risk_score = 47
 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
diff --git a/rules/promotions/endpoint_ransomware_detected.toml b/rules/promotions/endpoint_ransomware_detected.toml
index 22d2f088992..d540b172476 100644
--- a/rules/promotions/endpoint_ransomware_detected.toml
+++ b/rules/promotions/endpoint_ransomware_detected.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Ransomware - Detected - Endpoint Security"
 risk_score = 99
 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
diff --git a/rules/promotions/endpoint_ransomware_prevented.toml b/rules/promotions/endpoint_ransomware_prevented.toml
index 6210f58d1af..a07a3ced149 100644
--- a/rules/promotions/endpoint_ransomware_prevented.toml
+++ b/rules/promotions/endpoint_ransomware_prevented.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Ransomware - Prevented - Endpoint Security"
 risk_score = 73
 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml
index 85d50629416..f4ff2b8275c 100644
--- a/rules/promotions/external_alerts.toml
+++ b/rules/promotions/external_alerts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ immediately begin investigating external alerts in the app.
 """
 index = ["apm-*-transaction*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 10000
 name = "External Alerts"
 risk_score = 47
@@ -56,3 +56,4 @@ operator = "equals"
 value = "99"
 severity = "critical"
 
+
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index b10370eed46..129e4d503cc 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Exporting Exchange Mailbox via PowerShell"
 references = [
 "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
diff --git a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
index bdf129a621f..cbd8c7b364d 100644
--- a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "New ActiveSyncAllowedDeviceID Added via PowerShell"
 references = [
 "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index cfd60d2e0e0..608262f9aed 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ preparation for exfiltration.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Encrypting Files with WinRar or 7z"
 references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"]
 risk_score = 47
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml
index 089f2adf171..544bacac5db 100644
--- a/rules/windows/command_and_control_certutil_network_connection.toml
+++ b/rules/windows/command_and_control_certutil_network_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/19"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ malware, from a remote URL.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Connection via Certutil"
 risk_score = 21
 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8"
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 6e4281d3e9f..d56d8ba2fc9 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ targeted since they have most likely been used before a compromise and allow adv
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Connection to Commonly Abused Web Services"
 risk_score = 21
 rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32"
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index 97979c24450..50fe937960c 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ may indicate command and control activity utilizing the DNS protocol.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential DNS Tunneling via NsLookup"
 references = ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"]
 risk_score = 47
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index 92c809c31e6..4fefd546b34 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ encryption algorithm to conceal command and control traffic.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Connection to Commonly Abused Free SSL Certificate Providers"
 risk_score = 21
 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d"
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index f0c6f09b9d1..d1806372a79 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/28"
 maturity = "production"
-updated_date = "2021/02/08"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ network connections and bypass host-based firewall restrictions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Command and Control via Internet Explorer"
 risk_score = 47
 rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d"
@@ -51,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1071/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index bf6ac0b6193..e9ca91c5c1d 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ download arbitrary files as an alternative to certutil.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote File Download via Desktopimgdownldr Utility"
 references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"]
 risk_score = 47
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 9c5e6ba7d9d..8afb348a930 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies the Windows Defender configuration utility (MpCmdRun.e
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote File Download via MpCmdRun"
 note = """### Investigating Remote File Download via MpCmdRun
 Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`."""
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index 8bdbcc21790..e358dd2793d 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies powershell.exe being used to download an executable fi
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote File Download via PowerShell"
 risk_score = 47
 rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d"
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 4eab5104c68..448760db017 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2021/02/08"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ from a remote destination.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote File Download via Script Interpreter"
 risk_score = 47
 rule_id = "1d276579-3380-4095-ad38-e596a01bc64f"
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 70c6e35f9c9..c614c9b751c 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ post-exploitation command and control activity of the SUNBURST backdoor.
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SUNBURST Command and Control Activity"
 note = "The SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized."
 references = [
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 8cf7ad6fba2..2818daa44f2 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies an executable or script file remotely downloaded via a
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote File Copy via TeamViewer"
 references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
 risk_score = 47
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 4d0abd65d5a..c40a857db73 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the execution of known Windows utilities often abused to dump LSASS m
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Credential Access via Windows Utilities"
 references = ["https://lolbas-project.github.io/"]
 risk_score = 73
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 776efb9836b..176bea0e324 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Those files contain sensitive information including hashed domain and/or local c
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "NTDS or SAM Database File Copied"
 references = ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"]
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 2dd7f3d7369..a18267b80fe 100755
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["The Build Engine is commonly used by Windows developers but
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft Build Engine Loading Windows Credential Libraries"
 risk_score = 73
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index fc014206fa3..f61880cb91a 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the creation or modification of Domain Backup private keys. Adversari
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Creation or Modification of Domain Backup DPAPI private key"
 note = "### Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys."
 references = [
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index d1448eaabad..3493fb89e6e 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies attempts to export a registry hive which may contain c
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Credential Acquisition via Registry Hive Dumping"
 references = [
 "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8",
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index a177c100273..1f8aaaafe59 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ with IIS web server access via a web shell can decrypt and dump the IIS AppPool
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "Microsoft IIS Service Account Password Dumped"
 references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"]
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 70aebe65e12..330b69b8ad8 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ password using aspnet_regiis command.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "Microsoft IIS Connection Strings Decryption"
 references = [
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 847e75a4664..e28ab9e96b4 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Kerberos Traffic from Unusual Process"
 risk_score = 47
 rule_id = "897dc6b5-b39f-432a-8d75-d3730d50c782"
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index c523655adcd..30fa3cb5da4 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ indicate a credential access attempt via trusted system utilities such as Task M
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "LSASS Memory Dump Creation"
 references = ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"]
 risk_score = 73
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index ec8170b11e3..ce77d850a8a 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies the password log file from the default Mimikatz memssp
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Mimikatz Memssp Log File Detected"
 risk_score = 73
 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index a225252edf8..9fe9360d553 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "development"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ PowerShell command.
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Mimikatz Powershell Module Activity Detected"
 note = "This rule identifies an adversary attempt to collect, decrypt, and/or use cached credentials. Alerts from this rule should be prioritized because an adversary has an initial foothold onto an endpoint."
 references = ["https://attack.mitre.org/software/S0002/"]
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index daa927cdaf3..a415fe95c08 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ memory.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of WDigest Security Provider"
 references = [
 "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index 07add6f5875..fb0bf754e54 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ saved usernames and passwords. This may also be performed in preparation of late
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Searching for Saved Credentials via VaultCmd"
 references = [
 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 0ad252323f4..82d55a75333 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Adversaries can add the 'hidden' attribute to files to hide them
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Adding Hidden File Attribute via Attrib"
 risk_score = 21
 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 085d9f46553..14ccc4b41ae 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ attackers in an attempt to evade detection or destroy forensic evidence on a sys
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Clearing Windows Event Logs"
 risk_score = 21
 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index a4e8b1e161a..dca314625c7 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -12,7 +12,7 @@ or destroy forensic evidence on a system.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Windows Event Logs Cleared"
 risk_score = 21
 rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7"
diff --git a/rules/windows/defense_evasion_code_injection_conhost.toml b/rules/windows/defense_evasion_code_injection_conhost.toml
index 45e81eb3528..f8adadd476a 100644
--- a/rules/windows/defense_evasion_code_injection_conhost.toml
+++ b/rules/windows/defense_evasion_code_injection_conhost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies a suspicious Conhost child process which may be an ind
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Process from Conhost"
 references = [
 "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
@@ -41,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1055/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index e2caba39162..514cb63011a 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/01"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = ["Certain applications may install root certificates for the p
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Creation or Modification of Root Certificate"
 references = [
 "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index d8d7d89a115..07d15a1c7cd 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ malicious executable, making it appear the file was from a trusted, legitimate s
 """
 index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
 risk_score = 21
 rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3"
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 6c64d84f21e..3011335a849 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ started manually.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Windows Defender Disabled via Registry Modification"
 note = "Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized"
 references = ["https://thedfirreport.com/2020/12/13/defender-control/"]
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 8a681868fee..d4b5656392f 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ of files created during post-exploitation activities.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Delete Volume USN Journal with Fsutil"
 risk_score = 21
 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92"
diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
index 1c7f1477270..670caec247a 100644
--- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ system recovery.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Deleting Backup Catalogs with Wbadmin"
 risk_score = 21
 rule_id = "581add16-df76-42bb-af8e-c979bfb39a59"
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index 4e8f061f361..ac3a6cd8461 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ disable the firewall during troubleshooting or to enable network mobility.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Disable Windows Firewall Rules via Netsh"
 risk_score = 47
 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 36d1d0cb997..70c059951d3 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies suspicious .NET code execution. connections."
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious .NET Code Compilation"
 risk_score = 47
 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 90d9e751b10..d3b9d321487 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ the Windows Firewall.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote Desktop Enabled in Windows Firewall"
 risk_score = 47
 rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7"
diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
index e8bd7e9d31f..7c04d8acf59 100644
--- a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
+++ b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ control or exfiltration.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Encoding or Decoding Files via CertUtil"
 risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index be33e5f5bd0..d0fe068c249 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ as a defense evasion technique to blend-in malicious activity with legitimate Wi
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "ImageLoad via Windows Update Auto Update Client"
 references = ["https://dtm.uk/wuauclt/"]
 risk_score = 47
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index efbd26bb6d3..30476367ff6 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft Build Engine Started by an Office Application"
 references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"]
 risk_score = 73
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 2dc280274ae..6df9777f37a 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["The Build Engine is commonly used by Windows developers but
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a Script Process"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index d65499998c1..39a7385877e 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["The Build Engine is commonly used by Windows developers but
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a System Process"
 risk_score = 47
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 67a1a89cfd0..176fb374b02 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["The Build Engine is commonly used by Windows developers but
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft Build Engine Using an Alternate Name"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 635f8a78316..f4ec8530e6b 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft Build Engine Started an Unusual Process"
 references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"]
 risk_score = 21
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index a727159d01d..e8f56a588a8 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ defenses via side loading a malicious DLL within the memory space of one of thos
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential DLL SideLoading via Trusted Microsoft Programs"
 risk_score = 73
 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
diff --git a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
index 627b8d36a65..6f5ac984b47 100644
--- a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
+++ b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ false_positives = ["These programs may be used by Windows developers but use by
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Trusted Developer Application Usage"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1"
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 743f0f86f4a..41b77f90157 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ benign file type but is actually executable code.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Executable File Creation with Multiple Extensions"
 risk_score = 47
 rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index ac7052a2eb9..d89034c4648 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ defense evasion by avoiding the storing of malicious content directly on disk.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Encoded Executable Stored in the Registry"
 risk_score = 47
 rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1"
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 6b86742a378..72b73186722 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ access via a webshell or other mechanism can disable HTTP Logging as an effectiv
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "IIS HTTP Logging Disabled"
 risk_score = 73
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index d3786ac1cbe..f5864bd392e 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ used to evade detection or elevate privileges.
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Process Injection by the Microsoft Build Engine"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9"
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index f6054c95fd2..404b9d7fb71 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ often leveraged by adversaries to execute code and evade detection.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "InstallUtil Process Making Network Connections"
 risk_score = 21
 rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 171552b71ea..08a8952ccd2 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ injection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Endpoint Security Parent Process"
 risk_score = 47
 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 931a07a9532..70d3e06e21c 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ executable to avoid detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Renamed AutoIt Scripts Interpreter"
 risk_score = 47
 rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 63a9461fd93..2fb9f6b7961 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Custom Windows Error Reporting Debugger"]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious WerFault Child Process"
 references = [
 "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 55a7184c691..613d44853ae 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ detections whitelisting those folders.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Program Files Directory Masquerading"
 risk_score = 47
 rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index d3ad8e5f0b7..69f5cfcc465 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = ["Legit Application Crash with rare Werfault commandline value
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Windows Error Manager Masquerading"
 references = [
 "https://twitter.com/SBousseaden/status/1235533224337641473",
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index e3998e6d1f2..43e6c0ec10b 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ application allowlists and signature validation.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Connection via Signed Binary"
 risk_score = 21
 rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44"
diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml
index e154a91a109..1325c1dcea4 100644
--- a/rules/windows/defense_evasion_modification_of_boot_config.toml
+++ b/rules/windows/defense_evasion_modification_of_boot_config.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ attacker as a destructive technique.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of Boot Configuration"
 risk_score = 21
 rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff"
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index 017ef04c4e6..7271c033bd4 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ leveraged by adversaries to execute code and evade detection.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "MsBuild Network Connection Sequence"
 risk_score = 21
 rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9"
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 7bcb73239fc..c0e81c0e8be 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ leveraged by adversaries to execute code and evade detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "MsBuild Making Network Connections"
 risk_score = 47
 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b"
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 67bfc9df480..5191203df38 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ leveraged by adversaries to execute malicious scripts and evade detection.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Mshta Making Network Connections"
 risk_score = 21
 rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
diff --git a/rules/windows/defense_evasion_mshta_making_network_connections.toml b/rules/windows/defense_evasion_mshta_making_network_connections.toml
index f11bc50499b..7d6f2258373 100644
--- a/rules/windows/defense_evasion_mshta_making_network_connections.toml
+++ b/rules/windows/defense_evasion_mshta_making_network_connections.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "development"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ by adversaries to execute malicious scripts and evade detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Connection via Mshta"
 references = ["https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"]
 risk_score = 47
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index 733ddfd1793..809d23168db 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ leveraged by adversaries to execute malicious scripts and evade detection.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "MsXsl Making Network Connections"
 risk_score = 21
 rule_id = "870d1753-1078-403e-92d4-735f142edcca"
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 610332803dd..390b71e902f 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ by adversaries to execute malicious scripts and evade detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Connection via MsXsl"
 risk_score = 21
 rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5"
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index 7f10d9b0313..68410361cc2 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ applications are often leveraged by adversaries to execute code and evade detect
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Network Activity from a Windows System Binary"
 risk_score = 21
 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a"
diff --git a/rules/windows/defense_evasion_port_forwarding_added_registry.toml b/rules/windows/defense_evasion_port_forwarding_added_registry.toml
index 976d76fa8a3..31adda78077 100644
--- a/rules/windows/defense_evasion_port_forwarding_added_registry.toml
+++ b/rules/windows/defense_evasion_port_forwarding_added_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ segmentation restrictions. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Port Forwarding Rule Addition" references = [ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml index 3d53839ab55..28f8d5a5016 100644 --- a/rules/windows/defense_evasion_potential_processherpaderping.toml +++ b/rules/windows/defense_evasion_potential_processherpaderping.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/27" maturity = "production" -updated_date = "2021/01/28" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ an evasion attempt to execute malicious code in a stealthy way. from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Potential Process Herpaderping Attempt" references = ["https://github.com/jxy-s/herpaderping"] risk_score = 73 diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index b6fd1d61ec6..f0f500cbff0 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml 
@@ -1,19 +1,20 @@ [metadata] creation_date = "2020/11/04" maturity = "production" -updated_date = "2020/11/04" +updated_date = "2021/03/03" [rule] author = ["Elastic"] description = """ -Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native -files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the -adversary's footprint. +Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other +non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal +of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's +footprint. """ from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Process Termination followed by Deletion" risk_score = 47 rule_id = "09443c92-46b3-45a4-8f25-383b028b258d" @@ -43,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1070/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_reg_beacon.toml b/rules/windows/defense_evasion_reg_beacon.toml index c690524fd38..6e5455c661c 100644 --- a/rules/windows/defense_evasion_reg_beacon.toml +++ b/rules/windows/defense_evasion_reg_beacon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "development" -updated_date = "2021/01/28" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ may indicate adversarial activity as these tools are often leveraged by adversar from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Registration Tool Making Network Connections" risk_score = 21 rule_id = "6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6" diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index 44931dfb381..03b8de715a8 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml +++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2021/01/28" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ RunDLL32 could indicate malicious activity. from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Unusual Child Processes of RunDLL32" risk_score = 21 rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5" diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index eacc64b2208..c03a4929904 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/23" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ exists for backwards compatibility. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Scheduled Tasks AT Command Enabled" references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"] risk_score = 47 diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index 12b49b1b3fb..fd77e917f0e 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ file overwrite and rename operations. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Potential Secure File Deletion via SDelete Utility" note = "Verify process details such as command line and hash to confirm this activity legitimacy." risk_score = 21 @@ -44,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1070/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml index 39d09e29856..504860c0c45 100644 --- a/rules/windows/defense_evasion_sip_provider_mod.toml +++ b/rules/windows/defense_evasion_sip_provider_mod.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/20" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ validation checks or inject code into critical processes. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "SIP Provider Modification" references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"] risk_score = 47 diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 01c308808d1..5a30b0e1acc 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/14" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ technique to manipulate relevant security services. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "SolarWinds Process Disabling Services via Registry" references = [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", diff --git a/rules/windows/defense_evasion_stop_process_service_threshold.toml b/rules/windows/defense_evasion_stop_process_service_threshold.toml index 95c2a25e479..c418af37558 100644 --- a/rules/windows/defense_evasion_stop_process_service_threshold.toml +++ b/rules/windows/defense_evasion_stop_process_service_threshold.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/03" maturity = "production" -updated_date = "2021/01/28" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ short time period. This may indicate a defense evasion attempt. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "High Number of Process and/or Service Terminations" risk_score = 47 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c" diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index 44780788b41..fb81f1f0ef0 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ code execution. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Suspicious Managed Code Hosting Process" references = ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"] risk_score = 73 diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index 71e8db4d59d..7cd23879313 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2021/01/28" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ executed in the target process. from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Windows Suspicious Script Object Execution" risk_score = 21 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff" diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 82e258ba721..3bbf5cd3177 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2021/01/21" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ libraries it may be indicative of a whitelist bypass. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Suspicious WMIC XSL Script Execution" risk_score = 21 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6" @@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1220/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 868d0c39f7b..ffc34d1e193 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/03" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ such as command line, network connections, file writes and associated file signa from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Suspicious Zoom Child Process" risk_score = 47 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa" diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 390683b82de..53260a35a25 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/19" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ indicate activity related to remote code execution or other forms of exploitatio from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Unusual Executable File Creation by a System Critical Process" risk_score = 73 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a" diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index 3c9f36c79d5..aadb1b20161 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/21" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ and sometimes done by adversaries to hide malware. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Unusual File Creation - Alternate Data Stream" risk_score = 47 rule_id = "71bccb61-e19b-452f-b104-79a60e546a95" diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index dadb97c65bd..395e9f422c2 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ by adversaries to hide malware. from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Unusual Process Execution Path - Alternate Data Stream" risk_score = 47 rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242" diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml index 5510f1ed47c..016fa18403a 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/01/28" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ and Control activity. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Unusual Network Connection via RunDLL32" risk_score = 47 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886" 
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index 5c4aa21e269..09edb13bed0 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/01/28" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ applications are often leveraged by adversaries to execute code and evade detect from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Unusual Process Network Connection" risk_score = 21 rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267" diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index ec52a08b5dc..96287c948f4 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/19" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = "Identifies a suspicious child process of the Windows virtual syst from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Unusual Child Process from a System Virtual Process" risk_score = 73 rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1" diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index 0e849b06d73..78b910bd7ba 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml 
+++ b/rules/windows/defense_evasion_via_filter_manager.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ defenses. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Potential Evasion via Filter Manager" risk_score = 21 rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a" diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml index ff63f526123..f3cb2359dfd 100644 --- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ other destructive attacks. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Volume Shadow Copy Deletion via WMIC" risk_score = 73 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57" diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml index 47d7f0f0303..175b2c8375b 100644 --- a/rules/windows/discovery_adfind_command_activity.toml +++ b/rules/windows/discovery_adfind_command_activity.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/19" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "AdFind Command Activity" note = "`AdFind.exe` is a legitimate domain query tool. Rule alerts should be investigated to identify if the user has a role that would explain using this tool and that it is being run from an expected directory and endpoint. Leverage the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment." references = [ diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index 96a3e630036..5954fc03121 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ tools. from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Enumeration of Administrator Accounts" risk_score = 21 rule_id = "871ea072-1b71-4def-b016-6278b505138d" diff --git a/rules/windows/discovery_file_dir_discovery.toml b/rules/windows/discovery_file_dir_discovery.toml index 13db60d5aed..632c5f12843 100644 --- a/rules/windows/discovery_file_dir_discovery.toml +++ b/rules/windows/discovery_file_dir_discovery.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -19,7 +19,7 @@ false_positives = [ from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "File and Directory Discovery" risk_score = 21 rule_id = "7b08314d-47a0-4b71-ae4e-16544176924f" diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml index f48d9c9d856..84692095df7 100644 --- a/rules/windows/discovery_net_command_system_account.toml +++ b/rules/windows/discovery_net_command_system_account.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ adversary has achieved privilege escalation. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Net command via SYSTEM account" risk_score = 21 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed" diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml index 2a2620c6285..4cacffbd8b9 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules/windows/discovery_net_view.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = "Identifies attempts to enumerate hosts in a network using the bui from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Windows Network Enumeration" risk_score = 47 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1" diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml index 9e190c89161..11ef33c046a 100644 
--- a/rules/windows/discovery_peripheral_device.toml +++ b/rules/windows/discovery_peripheral_device.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/02" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ and components connected to a computer system. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Peripheral Device Discovery" risk_score = 21 rule_id = "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4" diff --git a/rules/windows/discovery_process_discovery_via_tasklist_command.toml b/rules/windows/discovery_process_discovery_via_tasklist_command.toml index 394835d76e6..06d24ad81c8 100644 --- a/rules/windows/discovery_process_discovery_via_tasklist_command.toml +++ b/rules/windows/discovery_process_discovery_via_tasklist_command.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Process Discovery via Tasklist" risk_score = 21 rule_id = "cc16f774-59f9-462d-8b98-d27ccd4519ec" diff --git a/rules/windows/discovery_query_registry_via_reg.toml b/rules/windows/discovery_query_registry_via_reg.toml index 7b7589dabd3..ea0c346eb45 100644 --- a/rules/windows/discovery_query_registry_via_reg.toml +++ b/rules/windows/discovery_query_registry_via_reg.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ activities. from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Query Registry via reg.exe" risk_score = 21 rule_id = "68113fdc-3105-4cdd-85bb-e643c416ef0b" diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml index d95e8508ba4..472f5eb4149 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = "Discovery of remote system information using built-in commands, w from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Remote System Discovery Commands" risk_score = 21 rule_id = "0635c542-1b96-4335-9b47-126582d2c19a" diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml index 937d738506f..4751cd77f4d 100644 --- a/rules/windows/discovery_security_software_wmic.toml +++ b/rules/windows/discovery_security_software_wmic.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/19" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ such as AntiVirus or Host Firewall details. from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Security Software Discovery using WMIC" risk_score = 47 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922" 
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index 3ebb86e2114..57e791c388b 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Whoami Process Activity" risk_score = 21 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2" diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml index c785f3b57fa..7ad4ca556bd 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/14" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ false_positives = [ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Command Execution via SolarWinds Process" references = [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml index 9c4b901ad4b..462f05ab77c 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml 
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/14" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ false_positives = [ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Suspicious SolarWinds Child Process" references = [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index 003b6bd8eff..a09519be5c0 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/20" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ run a COM object created in registry to evade defensive counter measures. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Execution of COM object via Xwizard" references = [ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml index 13ca1806533..6a8ee3e4318 100644 --- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/01/28" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Command Prompt Network Connection"
 risk_score = 21
 rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml
index b9e0ddfaeb3..06f585e84e3 100644
--- a/rules/windows/execution_command_shell_started_by_powershell.toml
+++ b/rules/windows/execution_command_shell_started_by_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies a suspicious parent child process relationship with cm
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "PowerShell spawning Cmd"
 risk_score = 21
 rule_id = "0f616aee-8161-4120-857e-742366f5eeb3"
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 299db830d8c..c3b14e670ef 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies a suspicious parent child process relationship with cm
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Svchost spawning Cmd"
 risk_score = 21
 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 4b801df1a59..b7e49dd95e0 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies a suspicious parent child process relationship with cm
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Parent Process for cmd.exe"
 risk_score = 47
 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index a6a4d812c4a..c98241fd612 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies command shell activity started via RunDLL32, which is
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Command Shell Activity Started via RunDLL32"
 risk_score = 21
 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index cd7dff492be..aa93bc13024 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ phishing campaigns.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Downloaded Shortcut Files"
 risk_score = 21
 rule_id = "6b1fd8e8-cefe-444c-bc4d-feaa2c497347"
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index ea00370ecb7..3a3bb43aff7 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ phishing campaigns.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Downloaded URL Files"
 risk_score = 21
 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 4b28636761a..a02c6b710bf 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Provider Service (WMIPrvSE).
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Enumeration Command Spawned via WMIPrvSE"
 risk_score = 21
 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
diff --git a/rules/windows/execution_from_unusual_directory.toml b/rules/windows/execution_from_unusual_directory.toml
index 89531b7b719..5cafcdf6aff 100644
--- a/rules/windows/execution_from_unusual_directory.toml
+++ b/rules/windows/execution_from_unusual_directory.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ malware in trusted paths.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Process Execution from an Unusual Directory"
 risk_score = 47
 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f"
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index c7ea9d01658..b52d5140031 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ malware in trusted paths.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution from Unusual Directory - Command Line"
 note = "This is related to the Process Execution from an Unusual Directory rule"
 risk_score = 47
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index d566fab5fba..791901d1622 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ program (hh.exe).
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Connection via Compiled HTML File"
 risk_score = 21
 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8"
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 56a6591f499..e9c270b1677 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ launched via scripts inside documents or during exploitation of MS Office applic
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution of File Written or Modified by Microsoft Office"
 risk_score = 21
 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5"
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index e298228db92..7bb13946202 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ often launched via exploitation of PDF applications.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution of File Written or Modified by PDF Reader"
 risk_score = 21
 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 21397ef8747..8f4a8d23c22 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "PsExec Network Connection"
 risk_score = 21
 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce"
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 3e764952a5f..890eb0e308b 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Connection via Registration Utility"
 risk_score = 21
 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa"
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 880452c0276..ab530c2c3a4 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate scheduled tasks may be created during installatio
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Outbound Scheduled Task Activity via PowerShell"
 references = [
 "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 03a86f4ab72..8d5fade1a3a 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ paths.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution via local SxS Shared Module"
 note = "The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory."
 references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index fbe358e1cd2..2622dfcf662 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ be indicative of adversary lateral movement.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Cmd Execution via WMI"
 risk_score = 47
 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
@@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1047/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index 2adf32ac854..ed939eafaab 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ be used to execute code and evade traditional parent/child processes spawned fro
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious WMI Image Load from MS Office"
 references = [
 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 5c864f71c2d..7d9c7f24ad2 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/30"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ exploitation of PDF applications or social engineering.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious PDF Reader Child Process"
 risk_score = 21
 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14"
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index f69c3d72af6..853169f5463 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ with powershell.exe, some attackers do this to operate more stealthily.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious PowerShell Engine ImageLoad"
 risk_score = 47
 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
@@ -92,3 +92,4 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index c861bc4d40c..0f2dcfa8d41 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ evade detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Process Execution via Renamed PsExec Executable"
 risk_score = 47
 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2"
diff --git a/rules/windows/execution_suspicious_short_program_name.toml b/rules/windows/execution_suspicious_short_program_name.toml
index b8918dd526a..c00e0d5fa84 100644
--- a/rules/windows/execution_suspicious_short_program_name.toml
+++ b/rules/windows/execution_suspicious_short_program_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ executing temporary utilities.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Execution - Short Program Name"
 risk_score = 47
 rule_id = "17c7f6a5-5bc9-4e1f-92bf-13632d24384d"
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 05e9e6338aa..8b910b6c43f 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Process Activity via Compiled HTML File"
 risk_score = 21
 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 890cabedaca..3f7835e81b8 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ indicative of code injection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Conhost Spawned By Suspicious Parent Process"
 references = [
 "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html",
diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml
index a39cd1c88cc..4d5e08ffbed 100644
--- a/rules/windows/execution_via_net_com_assemblies.toml
+++ b/rules/windows/execution_via_net_com_assemblies.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ utility.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution via Regsvcs/Regasm"
 risk_score = 21
 rule_id = "47f09343-8d1f-4bb5-8bb0-00c9d18f5010"
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index e152208a551..e6112a83ced 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ using xp_cmdshell, which is disabled by default, thus, it's important to review
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution via MSSQL xp_cmdshell Stored Procedure"
 risk_score = 73
 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461"
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
index 8b61566e2d4..96808be3869 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ other destructive attacks.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Volume Shadow Copy Deletion via VssAdmin"
 risk_score = 73
 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 5c702351f3d..35fdb1ade9b 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ executing a PowerShell script, may be indicative of malicious activity.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Windows Script Executing PowerShell"
 risk_score = 21
 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index bedb9d1ea92..52a27b71204 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/27"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ via Windows Management Instrumentation (WMI). This may be indicative of maliciou
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Windows Script Interpreter Executing Process via WMI"
 risk_score = 47
 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 412d90affc6..6a35c3a2b6b 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ macros.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious MS Office Child Process"
 risk_score = 47
 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 38ae7afa65c..b5369811982 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ phishing activity.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious MS Outlook Child Process"
 risk_score = 21
 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index 807167f1f20..77f2183a3df 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Child Process of dns.exe"
 note = """### Investigating Unusual Child Process
 Detection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index 539d98ecc37..6c1f4be7682 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ may indicate activity related to remote code execution or other forms of exploit
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual File Modification by dns.exe"
 note = """### Investigating Unusual File Write
 Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index ae9ef65bf73..219374b219f 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/29"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ executables from a trusted parent process.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Explorer Child Process"
 risk_score = 47
 rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b"
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index e0c8962c2be..5610adb230d 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ lateral movement but will be noisy if commonly done by admins.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Service Command Lateral Movement"
 risk_score = 21
 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index a9f33818726..64f07d08e69 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ laterally while attempting to evading detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement via MSHTA"
 references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"]
 risk_score = 73
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index 5292f3af9ff..b567b90e9f8 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ laterally.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with MMC"
 references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"]
 risk_score = 73
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index c572045131e..3eb65b70ca7 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ application to stealthily move laterally.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
 references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"]
 risk_score = 47
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 78e50ca81d4..9c1f937900f 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ suspicious user-level processes moving laterally.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Direct Outbound SMB Connection"
 risk_score = 47
 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1"
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
index 453a2da8c3c..0d6ac759321 100644
--- a/rules/windows/lateral_movement_dns_server_overflow.toml
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["packetbeat-*", "filebeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Abnormally Large DNS Response"
 note = """### Investigating Large DNS Responses
 Detection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 628282b7259..db86141f45a 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/10"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ other files between systems in a compromised environment.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Lateral Tool Transfer"
 risk_score = 47
 rule_id = "58bc134c-e8d2-4291-a552-b4b3e537c60b"
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index da7ce966d10..695b45c2412 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ indicate a lateral movement attempt.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution via TSClient Mountpoint"
 references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"]
 risk_score = 73
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index 8a277253f15..af720899382 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ via network file shares.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote Execution via File Shares"
 references = ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"]
 risk_score = 47
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 036ba7b0142..ee718d6c1ac 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Incoming Execution via WinRM Remote Shell"
 risk_score = 47
 rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab"
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 5e03c626f1f..307172d0649 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ adversary lateral movement, but could be noisy if administrators use WMI to remo
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "WMI Incoming Lateral Movement"
 risk_score = 47
 rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88"
diff --git a/rules/windows/lateral_movement_local_service_commands.toml b/rules/windows/lateral_movement_local_service_commands.toml
index 0e819232388..479114f92cf 100644
--- a/rules/windows/lateral_movement_local_service_commands.toml
+++ b/rules/windows/lateral_movement_local_service_commands.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ lateral movement but will be noisy if commonly done by admins.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Local Service Commands"
 risk_score = 21
 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index dbbb545ad9d..b157cdded85 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ preparation for data exfiltration.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Mounting Hidden or WebDav Remote Shares"
 risk_score = 21
 rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index 7ad245f88a7..9d879701b53 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2021/02/08"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Incoming Execution via PowerShell Remoting"
 references = [
 "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1",
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index 81c571aed76..a11734c9f7a 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ adversary lateral movement preparation.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "RDP Enabled via Registry"
 risk_score = 47
 rule_id = "58aa72ca-d968-4f34-b9f7-bea51d75eb50"
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 1d1952dcb49..fc0d2d52e0d 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ against a remote target via Remote Desktop Protocol (RDP) for the purposes of la
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential SharpRDP Behavior"
 references = [
 "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
diff --git a/rules/windows/lateral_movement_rdp_tunnel_plink.toml b/rules/windows/lateral_movement_rdp_tunnel_plink.toml
index 3a634677051..b996aca91a6 100644
--- a/rules/windows/lateral_movement_rdp_tunnel_plink.toml
+++ b/rules/windows/lateral_movement_rdp_tunnel_plink.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ adversary lateral movement to interactively access restricted networks.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
 references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"]
 risk_score = 73
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 25cd8c96b3c..97a6f4001df 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ activity.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote File Copy to a Hidden Share"
 risk_score = 47
 rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index 05a31c30d39..4325402e3cc 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ movement, but will be noisy if commonly done by administrators."
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remotely Started Services via RPC"
 risk_score = 47
 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650"
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index f6aa1d9b96f..32e13cb84ab 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies remote scheduled task creations on a target host. This
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote Scheduled Task Creation"
 note = "Decode the base64 encoded tasks actions registry value to investigate the task configured action."
 risk_score = 47
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index cdcc60e1e0f..ae279a4b63a 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ presence of RDP lateral movement capability.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious RDP ActiveX Client Loaded"
 references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"]
 risk_score = 47
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index fbff932981c..290eebc771f 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ laterally by dropping a malicious script or executable that will be executed aft
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Lateral Movement via Startup Folder"
 references = ["https://www.mdsec.co.uk/2017/06/rdpinception/"]
 risk_score = 73
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index c0557b5126a..cb8be6eef97 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Detects writing executable files that will be automatically launc
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Adobe Hijack Persistence"
 risk_score = 21
 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86"
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index 193b3c6c7d0..eb0b1229478 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ abused by attackers to stealthily gain persistence and arbitrary code execution
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Installation of Custom Shim Databases"
 risk_score = 21
 rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 2b8b07a9264..339d23c3f89 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ process using the common API functions to create processes.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Registry Persistence via AppCert DLL"
 risk_score = 47
 rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7"
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index 1a84aadf892..d321a1ba6ce 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ process using the common library, user32.dll.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Registry Persistence via AppInit DLL"
 risk_score = 47
 rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855"
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index a8201cd6b7b..1654f3cdbc1 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ the net users command.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Creation of a Hidden Local User Account"
 references = [
 "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index d0bd9b3bb54..7fc0220a050 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ different process to be executed. This functionality can be abused by an adversa
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Image File Execution Options Injection"
 references = [
 "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index a8b972f876f..4e5d9f86afc 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ malicious payload remotely on all or a subset of the domain joined machines.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Creation or Modification of a new GPO Scheduled Task or Service"
 risk_score = 21
 rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145"
diff --git a/rules/windows/persistence_local_scheduled_task_commands.toml b/rules/windows/persistence_local_scheduled_task_commands.toml
index 7894a3441b9..e6182cd21d0 100644
--- a/rules/windows/persistence_local_scheduled_task_commands.toml
+++ b/rules/windows/persistence_local_scheduled_task_commands.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ false_positives = ["Legitimate scheduled tasks may be created during installatio
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Local Scheduled Task Commands"
 risk_score = 21
 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a"
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index a5e7a6d431f..15671496579 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate scheduled tasks may be created during installatio
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Scheduled Task Created by a Windows Script"
 note = "Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action."
 risk_score = 47
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index 916e7dc376c..ab3a97039ae 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Detects attempts to establish persistence on an endpoint by abusi
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via Microsoft Office AddIns"
 references = ["https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/"]
 risk_score = 73
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 486f735008c..82b520b30e6 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ false_positives = ["A legitimate VBA for Outlook is usually configured interacti
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via Microsoft Outlook VBA"
 references = [
 "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index d58852601eb..a86167ad4e0 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ system.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Modification of Accessibility Binaries"
 references = ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"]
 risk_score = 73
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index a6940a2ead6..de1ea984a81 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ an indication of an adversary's attempt to persist in a stealthy manner.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Uncommon Registry Persistence Change"
 references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"]
 risk_score = 47
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 8419907d704..499165b90d2 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ attackers will modify run keys within the registry or leverage startup folder it
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Startup or Run Key Registry Modification"
 risk_score = 21
 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f"
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 807d5e4c403..69a428737f6 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ command line usage.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution of Persistent Suspicious Program"
 risk_score = 47
 rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a"
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 16666e81298..81f47da29ff 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ modification of an existing service.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Persistence via Services Registry"
 risk_score = 21
 rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 7f7fb59cdc0..41f55226b8f 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ technique to maintain persistence.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Shortcut File Written or Modified for Persistence"
 risk_score = 47
 rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index b05ae0896b5..d416512f229 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ to maintain persistence in an environment.
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Startup Folder Persistence via Unsigned Process"
 risk_score = 41
 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f"
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 4c7abad8f76..79788e9a080 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies script engines creating files in the startup folder, o
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistent Scripts in the Startup Directory"
 risk_score = 47
 rule_id = "f7c4dc5a-a58d-491d-9f14-9b66507121c0"
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 6274f54f8b1..f1e9f75dac5 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ executing malicious content triggered by hijacked references to COM objects.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Component Object Model Hijacking"
 references = [
 "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index d43fccce241..43c40b1a0a6 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ be used to configure persistence and evade monitoring by avoiding the usage of t
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Image Load (taskschd.dll) from MS Office"
 references = [
 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 3812005cfb7..32a9100a095 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ false_positives = ["Legitimate scheduled tasks running third party software."]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Execution via Scheduled Task"
 risk_score = 47
 rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index 6e6e216f77a..10a21b46503 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ stealthily persist or escalate privileges through abnormal service creation.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious ImagePath Service Creation"
 risk_score = 73
 rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317"
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 0862339cea7..80d46e94d01 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ testers may run a shell as a service to gain SYSTEM permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "System Shells via Services"
 risk_score = 47
 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd"
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index 7663bfecd86..8d42e255b6f 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ provider.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Persistence via Time Provider Modification"
 references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"]
 risk_score = 47
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index 14ca9546c7e..472da4db6f9 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/09"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic", "Skoetting"]
@@ -13,7 +13,7 @@ any action in Active Directory and on domain-joined systems.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "User Added to Privileged Group in Active Directory"
 references = [
 "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory",
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index d956d3ee4ef..f360924640a 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ domain.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "User Account Creation"
 risk_score = 21
 rule_id = "1aa9181a-492b-4c01-8b16-fa0735786b2b"
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index 2869b4b4c10..d6cdb773358 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "development"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Skoetting"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["winlogbeat-*", "logs-windows*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Creation of a local user account"
 risk_score = 21
 rule_id = "38e17753-f581-4644-84da-0d60a8318694"
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 0a12cf275a0..ecb6a9cc8a2 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ code execution in legitimate Windows processes.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Application Shimming via Sdbinst"
 risk_score = 21
 rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 1f3ccb259f0..993ce233723 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ registry key. An adversary may use this method to hide from system utilities suc
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via Hidden Run Key Detected"
 references = [
 "https://github.com/outflanknl/SharpHide",
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 950c1b785ca..76c2e941873 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ abuse this to establish persistence in an environment.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Installation of Security Support Provider"
 risk_score = 47
 rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787"
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index d96ae084fb4..a52a3c66118 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ integrity level of system.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via TelemetryController Scheduled Task Hijack"
 references = [
 "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306",
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 4942a9c88bf..47319b54032 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ level of SYSTEM.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via Update Orchestrator Service Hijack"
 references = ["https://github.com/irsl/CVE-2020-1313"]
 risk_score = 73
@@ -55,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 43ab196a4f8..cb1777e6c84 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ event and execute arbitrary code when that event occurs, providing persistence o
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via WMI Event Subscription"
 risk_score = 21
 rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c"
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 6a14965bdd0..aab4f74dad2 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ administrator-level access to the system. This rule identifies registry value ch
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Disabling User Account Control via Registry Modification"
 references = [
 "https://www.greyhathacker.net/?p=796",
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 630cd9d0cc3..d2af1bc0a38 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ executed by SYSTEM when the authentication packages are loaded.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential LSA Authentication Package Abuse"
 risk_score = 47
 rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb"
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 703d1d3f46f..6021fa1afbd 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ utilizing a framework such Metasploit's meterpreter getsystem command.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Privilege Escalation via Named Pipe Impersonation"
 references = [
 "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation",
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 22b59b8121c..3bfe6d91379 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ privileges via privileged file write vulnerabilities.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious DLL Loaded for Persistence or Privilege Escalation"
 references = [
 "https://itm4n.github.io/windows-dll-hijacking-clarified/",
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index 2da7cc36c46..3b935691516 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ persistence, if permissions allow writing a fully-qualified pathname for that DL
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Port Monitor or Print Processor Registration Abuse"
 references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"]
 risk_score = 47
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index b581aa081e4..651609a1c5f 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/26"
 maturity = "production"
-updated_date = "2021/02/08"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ SYSTEM.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Print Spooler Point and Print DLL"
 references = [
 "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 9df0efdc3ce..2ca944b1f4a 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ system is patched.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious PrintSpooler Service Executable File Creation"
 references = [
 "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index a854347a332..f7e24a8d2b2 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ CVE-2020-1048 and CVE-2020-1337. .
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious PrintSpooler SPL File Created"
 note = "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched."
 references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"]
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 49883e9f320..dce0037bf5a 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/26"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ primitive that is often combined with other vulnerabilities to elevate privilege
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Privilege Escalation via Windir Environment Variable"
 references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"]
 risk_score = 73
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index 22f530bd566..dceba59e9e3 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code w
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface"
 references = ["https://github.com/hfiref0x/UACME"]
 risk_score = 73
@@ -47,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index dc4cbc25cff..da36a8f3732 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ program. Attackers may attempt to bypass UAC to stealthily execute code with ele
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer"
 references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"]
 risk_score = 47
@@ -49,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index 460f814cc6c..6094055d05a 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ to bypass UAC to stealthily execute code with elevated permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
 risk_score = 73
 rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 9f413d3b4ab..009e477f8c8 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ stealthily execute code with elevated permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
 risk_score = 47
 rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index fc60a01f44d..ee8a985972d 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ stealthily execute code with elevated permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass Attempt via Privileged IFileOperation COM Interface"
 references = ["https://github.com/hfiref0x/UACME"]
 risk_score = 73
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index ab5f18b14cb..f6cd58724e5 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ elevated permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Bypass UAC via Event Viewer"
 risk_score = 21
 rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62"
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index abb0c1941da..0da5f10d2a4 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/26"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Attackers may bypass UAC to stealthily execute code with elevated permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass Attempt via Windows Directory Masquerading"
 references = ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"]
 risk_score = 73
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 9683c564120..8967eb4b734 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass via Windows Firewall Snap-In Hijack"
 references = ["https://github.com/AzAgarampur/byeintegrity-uac"]
 risk_score = 47
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
index a1ede6ae677..7d531a654a3 100644
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ b/rules/windows/privilege_escalation_uac_sdclt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/02/08"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ elevated permissions.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Bypass UAC via Sdclt"
 risk_score = 73
 rule_id = "9b54e002-034a-47ac-9307-ad12c03fa900"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 1bdbf8fbb6f..f6494c24605 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ activity on a system.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Parent-Child Relationship"
 references = [
 "https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes TH.map.png",
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index 0b9168e5aa2..b358c4d5c3f 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Changes to Windows services or a rarely executed child proce
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Service Host Child Process - Childless Service"
 risk_score = 47
 rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml
index 06e6455861a..159baba5c28 100644
--- a/rules/windows/privilege_escalation_wpad_exploitation.toml
+++ b/rules/windows/privilege_escalation_wpad_exploitation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/02/08"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ system compromise.
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "WPAD Service Exploit"
 risk_score = 73
 rule_id = "ec328da1-d5df-482b-866c-4a435692b1f3"
@@ -51,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/tests/__init__.py b/tests/__init__.py
index 4c602303fcc..360d78839ef 100644
--- a/tests/__init__.py
+++ b/tests/__init__.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Detection Rules tests."""
 import glob
diff --git a/tests/kuery/__init__.py b/tests/kuery/__init__.py
index 12d34f0e907..850838abc61 100644
--- a/tests/kuery/__init__.py
+++ b/tests/kuery/__init__.py
@@ -1,5 +1,6 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """KQL unit tests."""
diff --git a/tests/kuery/test_dsl.py b/tests/kuery/test_dsl.py
index 7a7a4851c91..4af3217ebc0 100644
--- a/tests/kuery/test_dsl.py
+++ b/tests/kuery/test_dsl.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import unittest
 import kql
diff --git a/tests/kuery/test_eql2kql.py b/tests/kuery/test_eql2kql.py
index c2c5eb560f8..6757f908a36 100644
--- a/tests/kuery/test_eql2kql.py
+++ b/tests/kuery/test_eql2kql.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import unittest
 import kql
diff --git a/tests/kuery/test_evaluator.py b/tests/kuery/test_evaluator.py
index a5bef9aa512..94ae0c0beff 100644
--- a/tests/kuery/test_evaluator.py
+++ b/tests/kuery/test_evaluator.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import unittest
 
diff --git a/tests/kuery/test_kql2eql.py b/tests/kuery/test_kql2eql.py
index 94ab81e1c73..6aaccb8e62d 100644
--- a/tests/kuery/test_kql2eql.py
+++ b/tests/kuery/test_kql2eql.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import unittest
 import eql
diff --git a/tests/kuery/test_lint.py b/tests/kuery/test_lint.py
index a4e43ebd77c..7f0e97bd195 100644
--- a/tests/kuery/test_lint.py
+++ b/tests/kuery/test_lint.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import unittest
 import kql
diff --git a/tests/kuery/test_parser.py b/tests/kuery/test_parser.py
index a7de4f548ef..f17ee0ad85b 100644
--- a/tests/kuery/test_parser.py
+++ b/tests/kuery/test_parser.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 import unittest
 import kql
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 9049fef8e67..c5d38c04cc2 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Test that all rules have valid metadata and syntax."""
 import json
diff --git a/tests/test_mappings.py b/tests/test_mappings.py
index e319b7ff935..860ed567d15 100644
--- a/tests/test_mappings.py
+++ b/tests/test_mappings.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Test that all rules appropriately match against expected data sets."""
 import copy
diff --git a/tests/test_packages.py b/tests/test_packages.py
index 608d04f7b15..ab9b6b07ab3 100644
--- a/tests/test_packages.py
+++ b/tests/test_packages.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Test that the packages are built correctly."""
 import unittest
@@ -21,7 +22,7 @@ def get_rule_contents():
 "author": ["Elastic"],
 "description": "test description",
 "language": "kuery",
- "license": "Elastic License",
+ "license": "Elastic License v2",
 "name": "test rule",
 "query": "process.name:test.query",
 "risk_score": 21,
diff --git a/tests/test_schemas.py b/tests/test_schemas.py
index 3dbc060c0f0..a81de4d0287 100644
--- a/tests/test_schemas.py
+++ b/tests/test_schemas.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Test stack versioned schemas."""
 import unittest
@@ -46,7 +47,7 @@ def setUpClass(cls):
 }
 ]
 }
- cls.v79_kql = dict(cls.v78_kql, author=["Elastic"], license="Elastic License")
+ cls.v79_kql = dict(cls.v78_kql, author=["Elastic"], license="Elastic License v2")
 cls.v711_kql = copy.deepcopy(cls.v79_kql)
 cls.v711_kql["threat"][0]["technique"][0]["subtechnique"] = [{
 "id": "T1059.001",
@@ -69,7 +70,7 @@ def setUpClass(cls):
 "author": ["Elastic"],
 "description": "test description",
 "language": "kuery",
- "license": "Elastic License",
+ "license": "Elastic License v2",
 "name": "test rule",
 "query": "process.name:test.query",
 "risk_score": 21,
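Review bot: The fixture literal `"license": "Elastic License v2"` is now hard-coded in four separate test fixtures — here in get_rule_contents, and in tests/test_schemas.py in setUpClass (twice) and in test_eql_validation — so the next change to the license wording means four coordinated edits. A single module-level constant, e.g. `LICENSE = "Elastic License v2"` referenced from each fixture, would keep them in step. Note also that the file headers in this commit spell the license "Elastic License 2.0" while the fixtures use "Elastic License v2"; if the rule schema constrains the `license` field to an exact string, the fixtures should mirror that value, which cannot be confirmed from this hunk alone. The body of get_rule_contents begins outside the hunk.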
@@ -134,7 +135,7 @@ def test_eql_validation(self):
 "description": "test description",
 "index": ["filebeat-*"],
 "language": "eql",
- "license": "Elastic License",
+ "license": "Elastic License v2",
 "name": "test rule",
 "risk_score": 21,
 "rule_id": str(uuid.uuid4()),
diff --git a/tests/test_toml_formatter.py b/tests/test_toml_formatter.py
index 4a3350a518e..4400a213440 100644
--- a/tests/test_toml_formatter.py
+++ b/tests/test_toml_formatter.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 import copy
 import json
diff --git a/tests/test_utils.py b/tests/test_utils.py
index eceeaaa3b00..1d86e01db7b 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Test util time functions."""
 import random