From 2c3dbfc039ec8d9a0e54ec78bc69f545ef3773b0 Mon Sep 17 00:00:00 2001 
From: Mika Ayenson Date: Wed, 22 May 2024 13:51:46 -0500 Subject: [PATCH] Revert "Back-porting Version Trimming (#3681)" This reverts commit 71d2c59b5c5dc6d193f9fe44dd66cae871a83462. --- .github/workflows/lock-versions.yml | 2 +- detection_rules/devtools.py | 71 +- detection_rules/etc/stack-schema-map.yaml | 59 +- detection_rules/etc/version.lock.json | 2570 ++++++++++++++++- docs/versioning.md | 26 - rules/apm/apm_403_response_to_a_post.toml | 4 +- .../apm_405_response_method_not_allowed.toml | 4 +- rules/apm/apm_sqlmap_user_agent.toml | 4 +- ..._google_drive_malicious_file_download.toml | 17 +- ...and_and_control_non_standard_ssh_port.toml | 23 +- ...s_cookies_chromium_browsers_debugging.toml | 14 +- ..._evasion_agent_spoofing_mismatched_id.toml | 11 +- ...evasion_agent_spoofing_multiple_hosts.toml | 15 +- ...e_evasion_deleting_websvr_access_logs.toml | 15 +- ...deletion_of_bash_command_line_history.toml | 28 +- ...sion_elastic_agent_service_terminated.toml | 16 +- ...ion_masquerading_space_after_filename.toml | 13 +- .../defense_evasion_timestomp_touch.toml | 18 +- .../discovery_security_software_grep.toml | 27 +- ...y_virtual_machine_fingerprinting_grep.toml | 13 +- ...on_pentest_eggshell_remote_admin_tool.toml | 13 +- .../execution_revershell_via_shell_cmd.toml | 25 +- ...xecution_suspicious_jar_child_process.toml | 31 +- ...tion_suspicious_java_netcon_childproc.toml | 14 +- .../guided_onboarding_sample_rule.toml | 4 +- .../impact_hosts_file_modified.toml | 21 +- ..._access_zoom_meeting_with_no_passcode.toml | 10 +- ...ultiple_alerts_different_tactics_host.toml | 11 +- .../multiple_alerts_involving_user.toml | 11 +- ...l_access_modify_auth_module_or_config.toml | 30 +- ...ersistence_shell_profile_modification.toml | 25 +- ...ence_ssh_authorized_keys_modification.toml | 49 +- ...lege_escalation_echo_nopasswd_sudoers.toml | 13 +- ...ation_setuid_setgid_bit_set_via_chmod.toml | 13 +- ...ilege_escalation_sudo_buffer_overflow.toml | 16 +- 
...privilege_escalation_sudoers_file_mod.toml | 26 +- .../threat_intel_indicator_match_address.toml | 52 +- .../threat_intel_indicator_match_hash.toml | 64 +- ...threat_intel_indicator_match_registry.toml | 51 +- .../threat_intel_indicator_match_url.toml | 52 +- ...collection_cloudtrail_logging_created.toml | 12 +- ...cess_aws_getpassword_for_ec2_instance.toml | 5 +- ...ccess_aws_iam_assume_role_brute_force.toml | 8 +- ...ial_access_iam_user_addition_to_group.toml | 4 +- ...w_terms_secretsmanager_getsecretvalue.toml | 16 +- ...cess_root_console_failure_brute_force.toml | 14 +- ...se_evasion_cloudtrail_logging_deleted.toml | 13 +- ..._evasion_cloudtrail_logging_suspended.toml | 13 +- ...nse_evasion_cloudwatch_alarm_deletion.toml | 12 +- ..._evasion_config_service_rule_deletion.toml | 12 +- ...vasion_configuration_recorder_stopped.toml | 4 +- ...defense_evasion_ec2_flow_log_deletion.toml | 13 +- ...ense_evasion_ec2_network_acl_deletion.toml | 12 +- ...n_elasticache_security_group_creation.toml | 4 +- ...he_security_group_modified_or_deleted.toml | 4 +- ...calation_aws_suspicious_saml_activity.toml | 12 +- ...e_evasion_guardduty_detector_deletion.toml | 4 +- ...53_dns_query_resolver_config_deletion.toml | 5 +- ...sion_s3_bucket_configuration_deletion.toml | 12 +- .../aws/defense_evasion_waf_acl_deletion.toml | 12 +- ...asion_waf_rule_or_rule_group_deletion.toml | 12 +- ..._ec2_ami_shared_with_separate_account.toml | 5 +- ..._full_network_packet_capture_detected.toml | 13 +- ...ltration_ec2_snapshot_change_activity.toml | 4 +- .../exfiltration_ec2_vm_export_failure.toml | 13 +- .../aws/exfiltration_rds_snapshot_export.toml | 12 +- .../exfiltration_rds_snapshot_restored.toml | 12 +- ..._eventbridge_rule_disabled_or_deleted.toml | 4 +- .../impact_cloudtrail_logging_updated.toml | 14 +- .../impact_cloudwatch_log_group_deletion.toml | 14 +- ...impact_cloudwatch_log_stream_deletion.toml | 4 +- .../impact_ec2_disable_ebs_encryption.toml | 12 +- 
...mpact_efs_filesystem_or_mount_deleted.toml | 4 +- .../aws/impact_iam_deactivate_mfa_device.toml | 13 +- .../aws/impact_iam_group_deletion.toml | 12 +- ...mk_disabled_or_scheduled_for_deletion.toml | 13 +- .../aws/impact_rds_group_deletion.toml | 12 +- .../impact_rds_instance_cluster_deletion.toml | 13 +- .../impact_rds_instance_cluster_stoppage.toml | 13 +- .../initial_access_console_login_root.toml | 6 +- .../aws/initial_access_password_recovery.toml | 13 +- .../initial_access_via_system_manager.toml | 4 +- .../ml_cloudtrail_error_message_spike.toml | 15 +- .../aws/ml_cloudtrail_rare_error_code.toml | 15 +- .../ml_cloudtrail_rare_method_by_city.toml | 15 +- .../ml_cloudtrail_rare_method_by_country.toml | 15 +- .../ml_cloudtrail_rare_method_by_user.toml | 15 +- .../persistence_ec2_network_acl_creation.toml | 13 +- ..._group_configuration_change_detection.toml | 13 +- .../aws/persistence_iam_group_creation.toml | 13 +- .../aws/persistence_rds_cluster_creation.toml | 13 +- .../aws/persistence_rds_group_creation.toml | 12 +- .../persistence_rds_instance_creation.toml | 13 +- ...ersistence_redshift_instance_creation.toml | 13 +- ...oute_53_domain_transfer_lock_disabled.toml | 13 +- ...domain_transferred_to_another_account.toml | 13 +- ..._53_hosted_zone_associated_with_a_vpc.toml | 13 +- .../aws/persistence_route_table_created.toml | 13 +- ...tence_route_table_modified_or_deleted.toml | 13 +- ...ege_escalation_root_login_without_mfa.toml | 6 +- ...ilege_escalation_sts_assumerole_usage.toml | 13 +- ..._escalation_sts_getsessiontoken_abuse.toml | 13 +- ...ege_escalation_updateassumerolepolicy.toml | 6 +- ...collection_update_event_hub_auth_rule.toml | 5 +- ..._full_network_packet_capture_detected.toml | 4 +- .../credential_access_key_vault_modified.toml | 4 +- ...ccess_storage_account_key_regenerated.toml | 11 +- ...e_application_credential_modification.toml | 11 +- ...sion_azure_automation_runbook_deleted.toml | 4 +- ...asion_azure_blob_permissions_modified.toml | 12 
+- ...on_azure_diagnostic_settings_deletion.toml | 4 +- ...sion_azure_service_principal_addition.toml | 6 +- .../defense_evasion_event_hub_deletion.toml | 4 +- ...ense_evasion_firewall_policy_deletion.toml | 11 +- ...on_frontdoor_firewall_policy_deletion.toml | 11 +- ...nse_evasion_kubernetes_events_deleted.toml | 4 +- ...ense_evasion_network_watcher_deletion.toml | 11 +- ...ense_evasion_suppression_rule_created.toml | 4 +- .../discovery_blob_container_access_mod.toml | 4 +- .../execution_command_virtual_machine.toml | 4 +- ...e_service_principal_credentials_added.toml | 4 +- .../azure/impact_kubernetes_pod_deleted.toml | 4 +- .../azure/impact_resource_group_deletion.toml | 4 +- ...mpact_virtual_network_device_modified.toml | 4 +- ...ure_active_directory_high_risk_signin.toml | 6 +- ..._high_risk_signin_atrisk_or_confirmed.toml | 6 +- ...re_active_directory_powershell_signin.toml | 6 +- ...tack_via_azure_registered_application.toml | 6 +- ...ial_access_external_guest_user_invite.toml | 4 +- ...ence_azure_automation_account_created.toml | 4 +- ...utomation_runbook_created_or_modified.toml | 4 +- ...ence_azure_automation_webhook_created.toml | 4 +- ...re_conditional_access_policy_modified.toml | 4 +- ...re_global_administrator_role_assigned.toml | 4 +- ...nce_azure_pim_user_added_global_admin.toml | 4 +- ...ged_identity_management_role_modified.toml | 6 +- ...rsistence_mfa_disabled_for_azure_user.toml | 6 +- ..._added_as_owner_for_azure_application.toml | 4 +- ..._as_owner_for_azure_service_principal.toml | 4 +- ..._azure_kubernetes_rolebinding_created.toml | 11 +- .../container_workload_protection.toml | 9 +- ...s_aws_creds_search_inside_a_container.toml | 52 +- ..._files_compression_inside_a_container.toml | 14 +- ...r_passwords_search_inside_a_container.toml | 52 +- ...ed_object_modified_inside_a_container.toml | 18 +- ...work_tool_launched_inside_a_container.toml | 87 +- ...nt_binary_launched_inside_a_container.toml | 51 +- 
...ecutable_via_chmod_inside_a_container.toml | 70 +- ...ecution_interactive_exec_to_container.toml | 54 +- ...shell_spawned_from_inside_a_container.toml | 55 +- ...stener_established_inside_a_container.toml | 59 +- ...ection_established_inside_a_container.toml | 36 +- ...h_process_launched_inside_a_container.toml | 35 +- ..._keys_modification_inside_a_container.toml | 46 +- ...e_via_modified_notify_on_release_file.toml | 4 +- ...scape_via_modified_release_agent_file.toml | 4 +- ...berarkpas_error_audit_event_promotion.toml | 11 +- ...commended_events_to_monitor_promotion.toml | 11 +- ...ytes_destination_geo_country_iso_code.toml | 18 +- ...ltration_ml_high_bytes_destination_ip.toml | 18 +- ...ration_ml_high_bytes_destination_port.toml | 18 +- ...ml_high_bytes_destination_region_name.toml | 18 +- ...high_bytes_written_to_external_device.toml | 18 +- ...es_written_to_external_device_airdrop.toml | 18 +- ...re_process_writing_to_external_device.toml | 18 +- ...ml_dga_activity_using_sunburst_domain.toml | 18 +- ...d_control_ml_dga_high_sum_probability.toml | 18 +- ...l_ml_dns_request_high_dga_probability.toml | 18 +- ..._request_predicted_to_be_a_dga_domain.toml | 18 +- .../endpoint/elastic_endpoint_security.toml | 4 +- ...ion_gcp_pub_sub_subscription_creation.toml | 12 +- ...collection_gcp_pub_sub_topic_creation.toml | 12 +- ...nse_evasion_gcp_firewall_rule_created.toml | 12 +- ...nse_evasion_gcp_firewall_rule_deleted.toml | 12 +- ...se_evasion_gcp_firewall_rule_modified.toml | 12 +- ...e_evasion_gcp_logging_bucket_deletion.toml | 12 +- ...nse_evasion_gcp_logging_sink_deletion.toml | 12 +- ...ion_gcp_pub_sub_subscription_deletion.toml | 12 +- ...se_evasion_gcp_pub_sub_topic_deletion.toml | 12 +- ...storage_bucket_configuration_modified.toml | 12 +- ...p_storage_bucket_permissions_modified.toml | 12 +- ...virtual_private_cloud_network_deleted.toml | 12 +- ...p_virtual_private_cloud_route_created.toml | 12 +- ...p_virtual_private_cloud_route_deleted.toml | 12 +- 
...tration_gcp_logging_sink_modification.toml | 12 +- .../gcp/impact_gcp_iam_role_deletion.toml | 12 +- .../impact_gcp_service_account_deleted.toml | 12 +- .../impact_gcp_service_account_disabled.toml | 12 +- .../impact_gcp_storage_bucket_deleted.toml | 4 +- ...l_access_gcp_iam_custom_role_creation.toml | 12 +- ..._gcp_iam_service_account_key_deletion.toml | 12 +- ...e_gcp_key_created_for_service_account.toml | 12 +- ...rsistence_gcp_service_account_created.toml | 12 +- ...hub_protected_branch_settings_changed.toml | 17 +- .../github/execution_github_app_deleted.toml | 16 +- ..._high_number_of_cloned_repos_from_pat.toml | 24 +- ...multiple_behavior_alerts_from_account.toml | 30 +- .../execution_new_github_app_installed.toml | 17 +- .../impact_github_repository_deleted.toml | 31 +- .../persistence_github_org_owner_added.toml | 26 +- ...tence_organization_owner_role_granted.toml | 26 +- ...ship_transferred_via_google_workspace.toml | 11 +- ...ustom_gmail_route_created_or_modified.toml | 11 +- ...yption_key_accessed_by_anonymous_user.toml | 4 +- ...ed_from_blocklist_in_google_workspace.toml | 6 +- ...d_to_google_workspace_trusted_domains.toml | 6 +- ..._workspace_bitlocker_setting_disabled.toml | 6 +- ...th_login_from_third_party_application.toml | 17 +- ..._marketplace_changed_to_allow_any_app.toml | 6 +- ...ogle_workspace_alert_center_promotion.toml | 19 +- ..._google_workspace_admin_role_deletion.toml | 6 +- ...le_workspace_mfa_enforcement_disabled.toml | 4 +- ..._user_added_to_google_workspace_group.toml | 4 +- ..._access_granted_to_custom_application.toml | 11 +- ...ogle_workspace_suspended_user_renewed.toml | 11 +- ...tion_added_to_google_workspace_domain.toml | 6 +- ..._google_workspace_2sv_policy_disabled.toml | 6 +- ...workspace_admin_role_assigned_to_user.toml | 6 +- ...a_domain_wide_delegation_of_authority.toml | 12 +- ...e_workspace_custom_admin_role_created.toml | 12 +- ...le_workspace_password_policy_modified.toml | 6 +- 
...stence_google_workspace_role_modified.toml | 12 +- ...pace_user_organizational_unit_changed.toml | 6 +- ...led_for_google_workspace_organization.toml | 6 +- ...covery_denied_service_account_request.toml | 4 +- ...covery_suspicious_self_subject_review.toml | 4 +- .../execution_user_exec_to_pod.toml | 4 +- ...l_access_anonymous_request_authorized.toml | 5 +- ...ed_service_created_with_type_nodeport.toml | 4 +- ...ted_with_excessive_linux_capabilities.toml | 4 +- ...e_escalation_pod_created_with_hostipc.toml | 4 +- ...calation_pod_created_with_hostnetwork.toml | 4 +- ...e_escalation_pod_created_with_hostpid.toml | 4 +- ...reated_with_sensitive_hostpath_volume.toml | 4 +- ...ege_escalation_privileged_pod_created.toml | 4 +- ...ignment_of_controller_service_account.toml | 4 +- ...ovement_ml_high_mean_rdp_process_args.toml | 20 +- ...ent_ml_high_mean_rdp_session_duration.toml | 20 +- ...ral_movement_ml_high_remote_file_size.toml | 20 +- ...ml_high_variance_rdp_session_duration.toml | 20 +- ...ovement_ml_rare_remote_file_directory.toml | 20 +- ...ovement_ml_rare_remote_file_extension.toml | 20 +- ...spike_in_connections_from_a_source_ip.toml | 20 +- ...ke_in_connections_to_a_destination_ip.toml | 20 +- ...al_movement_ml_spike_in_rdp_processes.toml | 20 +- ...ent_ml_spike_in_remote_file_transfers.toml | 20 +- ...nt_ml_unusual_time_for_an_rdp_session.toml | 20 +- ...llection_microsoft_365_new_inbox_rule.toml | 4 +- ..._365_brute_force_user_account_attempt.toml | 13 +- ...65_potential_password_spraying_attack.toml | 13 +- ...ccess_user_excessive_sso_logon_errors.toml | 13 +- ...osoft_365_exchange_dlp_policy_removed.toml | 11 +- ...change_malware_filter_policy_deletion.toml | 11 +- ..._365_exchange_malware_filter_rule_mod.toml | 11 +- ...65_exchange_safe_attach_rule_disabled.toml | 11 +- ...oft_365_mailboxauditbypassassociation.toml | 4 +- ..._365_exchange_transport_rule_creation.toml | 4 +- ...osoft_365_exchange_transport_rule_mod.toml | 4 +- 
...oft_365_potential_ransomware_activity.toml | 4 +- ...t_365_unusual_volume_of_file_deletion.toml | 4 +- ...ss_microsoft_365_abnormal_clientappid.toml | 20 +- ...5_exchange_anti_phish_policy_deletion.toml | 11 +- ...soft_365_exchange_anti_phish_rule_mod.toml | 11 +- ...osoft_365_exchange_safelinks_disabled.toml | 11 +- ...65_user_restricted_from_sending_email.toml | 11 +- ...cess_o365_user_reported_phish_malware.toml | 4 +- ...al_movement_malware_uploaded_onedrive.toml | 4 +- ..._movement_malware_uploaded_sharepoint.toml | 4 +- ...e_suspicious_mailbox_right_delegation.toml | 4 +- ...exchange_dkim_signing_config_disabled.toml | 4 +- ...5_exchange_management_role_assignment.toml | 11 +- ..._365_global_administrator_role_assign.toml | 11 +- ..._teams_custom_app_interaction_allowed.toml | 11 +- ...oft_365_teams_external_access_enabled.toml | 4 +- ...rosoft_365_teams_guest_access_enabled.toml | 4 +- ...ion_new_or_modified_federation_domain.toml | 11 +- ...se_evasion_ml_rare_process_for_a_host.toml | 18 +- ..._ml_rare_process_for_a_parent_process.toml | 18 +- ...se_evasion_ml_rare_process_for_a_user.toml | 18 +- ...e_evasion_ml_suspicious_windows_event.toml | 18 +- ...icious_windows_event_high_probability.toml | 18 +- ...ous_windows_process_cluster_from_host.toml | 18 +- ...s_process_cluster_from_parent_process.toml | 18 +- ...ous_windows_process_cluster_from_user.toml | 18 +- ...mand_and_control_cat_network_activity.toml | 30 +- ..._control_linux_chisel_client_activity.toml | 36 +- ..._control_linux_chisel_server_activity.toml | 36 +- ...mand_and_control_linux_kworker_netcon.toml | 74 +- ...nd_control_linux_proxychains_activity.toml | 32 +- ...linux_suspicious_proxychains_activity.toml | 31 +- ...l_linux_tunneling_and_port_forwarding.toml | 35 +- ...work_activity_from_unknown_executable.toml | 25 +- ...d_and_control_tunneling_via_earthworm.toml | 19 +- ...ial_access_collection_sensitive_files.toml | 33 +- .../credential_access_credential_dumping.toml | 40 +- 
...ntial_access_gdb_init_process_hooking.toml | 32 +- ...credential_access_gdb_process_hooking.toml | 34 +- ...ential_linux_local_account_bruteforce.toml | 27 +- ...tential_linux_ssh_bruteforce_external.toml | 15 +- ...tential_linux_ssh_bruteforce_internal.toml | 15 +- ...ntial_successful_linux_ftp_bruteforce.toml | 33 +- ...ntial_successful_linux_rdp_bruteforce.toml | 31 +- ...ntial_successful_linux_ssh_bruteforce.toml | 24 +- ...ential_access_proc_credential_dumping.toml | 33 +- .../credential_access_ssh_backdoor_log.toml | 14 +- ...tempt_to_disable_iptables_or_firewall.toml | 32 +- ...ion_attempt_to_disable_syslog_service.toml | 13 +- ..._base32_encoding_or_decoding_activity.toml | 25 +- ...binary_copied_to_suspicious_directory.toml | 39 +- ...defense_evasion_chattr_immutable_file.toml | 23 +- ...ense_evasion_clear_kernel_ring_buffer.toml | 47 +- ...ense_evasion_disable_apparmor_attempt.toml | 29 +- ...fense_evasion_disable_selinux_attempt.toml | 27 +- ...asion_esxi_suspicious_timestomp_touch.toml | 37 +- ...fense_evasion_file_deletion_via_shred.toml | 24 +- ...defense_evasion_file_mod_writable_dir.toml | 23 +- .../defense_evasion_hidden_file_dir_tmp.toml | 22 +- .../defense_evasion_hidden_shared_object.toml | 25 +- ...defense_evasion_kernel_module_removal.toml | 29 +- ...defense_evasion_kthreadd_masquerading.toml | 43 +- .../defense_evasion_log_files_deleted.toml | 24 +- .../defense_evasion_mount_execution.toml | 43 +- ...ense_evasion_potential_proot_exploits.toml | 46 +- .../defense_evasion_rename_esxi_files.toml | 16 +- ...efense_evasion_rename_esxi_index_file.toml | 20 +- ...s_utility_executed_via_tmux_or_screen.toml | 27 +- .../discovery_dynamic_linker_via_od.toml | 25 +- .../discovery_esxi_software_via_find.toml | 29 +- .../discovery_esxi_software_via_grep.toml | 31 +- .../discovery_kernel_module_enumeration.toml | 25 +- .../linux/discovery_linux_hping_activity.toml | 25 +- .../linux/discovery_linux_nping_activity.toml | 25 +- 
.../linux/discovery_ping_sweep_detected.toml | 33 +- rules/linux/discovery_proc_maps_read.toml | 21 +- ...very_pspy_process_monitoring_detected.toml | 27 +- ...very_sudo_allowed_command_enumeration.toml | 27 +- .../discovery_suid_sguid_enumeration.toml | 32 +- ...ry_suspicious_which_command_execution.toml | 31 +- ...overy_unusual_user_enumeration_via_id.toml | 19 +- ...covery_virtual_machine_fingerprinting.toml | 13 +- ...tion_abnormal_process_id_file_created.toml | 28 +- ...ion_curl_cve_2023_38545_heap_overflow.toml | 35 +- ...n_file_execution_followed_by_deletion.toml | 21 +- ...er_or_listener_established_via_netcat.toml | 13 +- .../execution_interpreter_tty_upgrade.toml | 30 +- .../execution_nc_listener_via_rlwrap.toml | 28 +- ...ion_netcon_from_rwx_mem_region_binary.toml | 54 +- ...cution_network_event_post_compilation.toml | 46 +- rules/linux/execution_perl_tty_shell.toml | 13 +- ...xecution_potential_hack_tool_executed.toml | 27 +- ..._process_started_from_process_id_file.toml | 26 +- ...ss_started_in_shared_memory_directory.toml | 23 +- rules/linux/execution_python_tty_shell.toml | 26 +- ..._remote_code_execution_via_postgresql.toml | 35 +- .../execution_shell_evasion_linux_binary.toml | 24 +- ...xecution_shell_via_background_process.toml | 50 +- ...ion_shell_via_child_tcp_utility_linux.toml | 44 +- ...ecution_shell_via_java_revshell_linux.toml | 44 +- ...on_shell_via_lolbin_interpreter_linux.toml | 48 +- ...execution_shell_via_meterpreter_linux.toml | 46 +- ...execution_shell_via_suspicious_binary.toml | 46 +- ...ution_shell_via_tcp_cli_utility_linux.toml | 44 +- ...ution_shell_via_udp_cli_utility_linux.toml | 40 +- ...traction_or_decrompression_via_funzip.toml | 51 +- ...us_executable_running_system_commands.toml | 41 +- ...icious_mining_process_creation_events.toml | 39 +- rules/linux/execution_tc_bpf_filter.toml | 28 +- ...nknown_rwx_mem_region_binary_executed.toml | 41 +- .../impact_data_encrypted_via_openssl.toml | 29 +- 
rules/linux/impact_esxi_process_kill.toml | 31 +- ...tial_linux_ransomware_file_encryption.toml | 29 +- ...ential_linux_ransomware_note_detected.toml | 27 +- .../linux/impact_process_kill_threshold.toml | 32 +- ...lateral_movement_ssh_it_worm_download.toml | 33 +- ...ment_telnet_network_activity_external.toml | 21 +- ...ment_telnet_network_activity_internal.toml | 21 +- ...istence_apt_package_manager_execution.toml | 41 +- ...ersistence_apt_package_manager_netcon.toml | 33 +- .../persistence_chkconfig_service_add.toml | 54 +- ...credential_access_modify_ssh_binaries.toml | 38 +- .../linux/persistence_cron_job_creation.toml | 92 +- .../persistence_dynamic_linker_backup.toml | 75 +- .../linux/persistence_etc_file_creation.toml | 127 +- .../persistence_init_d_file_creation.toml | 57 +- ...persistence_insmod_kernel_module_load.toml | 32 +- ...ersistence_kde_autostart_modification.toml | 105 +- .../linux/persistence_kernel_driver_load.toml | 40 +- ...stence_kernel_driver_load_by_non_root.toml | 37 +- .../persistence_kworker_file_creation.toml | 59 +- ...sistence_linux_backdoor_user_creation.toml | 37 +- .../persistence_linux_group_creation.toml | 24 +- ...e_linux_shell_activity_via_web_server.toml | 39 +- ...rsistence_linux_user_account_creation.toml | 24 +- ..._linux_user_added_to_privileged_group.toml | 32 +- ...rsistence_message_of_the_day_creation.toml | 51 +- ...sistence_message_of_the_day_execution.toml | 60 +- .../linux/persistence_rc_script_creation.toml | 51 +- ...sistence_setuid_setgid_capability_set.toml | 27 +- .../persistence_shared_object_creation.toml | 41 +- ...ence_shell_configuration_modification.toml | 31 +- ...suspicious_file_opened_through_editor.toml | 76 +- ...e_suspicious_ssh_execution_xzbackdoor.toml | 38 +- rules/linux/persistence_systemd_netcon.toml | 31 +- ...tence_systemd_scheduled_timer_created.toml | 75 +- .../persistence_systemd_service_creation.toml | 77 +- ...ersistence_tainted_kernel_module_load.toml | 32 +- 
...ainted_kernel_module_out_of_tree_load.toml | 30 +- .../linux/persistence_udev_rule_creation.toml | 27 +- ...on_chown_chmod_unauthorized_file_read.toml | 34 +- ...ation_container_util_misconfiguration.toml | 32 +- ..._docker_mount_chroot_container_escape.toml | 29 +- ...lege_escalation_kworker_uid_elevation.toml | 36 +- ...lation_ld_preload_shared_object_modif.toml | 27 +- ...lation_linux_suspicious_symbolic_link.toml | 30 +- ...lege_escalation_linux_uid_int_max_bug.toml | 34 +- ...n_load_and_unload_of_kernel_via_kexec.toml | 53 +- ...alation_looney_tunables_cve_2023_4911.toml | 27 +- ...ege_escalation_netcon_via_sudo_binary.toml | 31 +- ...ge_escalation_overlayfs_local_privesc.toml | 23 +- ...vilege_escalation_pkexec_envar_hijack.toml | 14 +- ...ation_potential_bufferoverflow_attack.toml | 27 +- ...lation_potential_wildcard_shell_spawn.toml | 21 +- ...ge_escalation_sda_disk_mount_non_root.toml | 32 +- ...privilege_escalation_shadow_file_read.toml | 31 +- ...vilege_escalation_sudo_cve_2019_14287.toml | 31 +- .../privilege_escalation_sudo_hijacking.toml | 24 +- ...tion_sudo_token_via_process_injection.toml | 29 +- ...uspicious_cap_setuid_python_execution.toml | 26 +- ...calation_suspicious_passwd_file_write.toml | 23 +- ...scalation_uid_change_post_compilation.toml | 22 +- ...uid_elevation_from_unknown_executable.toml | 37 +- ...lation_unshare_namespace_manipulation.toml | 23 +- ...ege_escalation_writable_docker_socket.toml | 27 +- ...edential_access_credentials_keychains.toml | 12 +- ...dential_access_dumping_hashes_bi_cmds.toml | 12 +- ...tial_access_dumping_keychain_security.toml | 18 +- .../credential_access_kerberosdump_kcc.toml | 12 +- ...s_keychain_pwd_retrieval_security_cmd.toml | 12 +- ...ential_access_mitm_localhost_webproxy.toml | 12 +- ...access_potential_macos_ssh_bruteforce.toml | 14 +- ...al_access_promt_for_pwd_via_osascript.toml | 12 +- .../credential_access_systemkey_dumping.toml | 12 +- ...vasion_apple_softupdates_modification.toml | 12 +- 
...evasion_attempt_del_quarantine_attrib.toml | 18 +- ...evasion_attempt_to_disable_gatekeeper.toml | 12 +- ...ense_evasion_install_root_certificate.toml | 12 +- ...cy_controls_tcc_database_modification.toml | 12 +- ...tion_privacy_pref_sshd_fulldiskaccess.toml | 13 +- .../defense_evasion_safari_config_change.toml | 12 +- ...dboxed_office_app_suspicious_zip_file.toml | 12 +- ...vasion_tcc_bypass_mounted_apfs_access.toml | 13 +- ..._evasion_unload_endpointsecurity_kext.toml | 12 +- ...covery_users_domain_built_in_commands.toml | 15 +- ...vasion_electron_app_childproc_node_js.toml | 13 +- ...l_access_suspicious_browser_childproc.toml | 13 +- ...staller_package_spawned_network_event.toml | 13 +- ...cution_script_via_automator_workflows.toml | 12 +- ...ing_osascript_exec_followed_by_netcon.toml | 13 +- ...n_shell_execution_via_apple_scripting.toml | 12 +- ...ential_access_kerberos_bifrostconsole.toml | 13 +- .../lateral_movement_mounting_smb_share.toml | 12 +- ...ral_movement_remote_ssh_login_enabled.toml | 12 +- ...teral_movement_vpn_connection_attempt.toml | 12 +- ...stence_account_creation_hide_at_logon.toml | 12 +- ...ce_creation_change_launch_agents_file.toml | 12 +- ..._creation_hidden_login_item_osascript.toml | 13 +- ...creation_modif_launch_deamon_sequence.toml | 12 +- ..._access_authorization_plugin_creation.toml | 12 +- rules/macos/persistence_crontab_creation.toml | 12 +- ...launch_agent_deamon_logonitem_process.toml | 13 +- ...rectory_services_plugins_modification.toml | 12 +- ...e_docker_shortcuts_plist_modification.toml | 12 +- ...persistence_emond_rules_file_creation.toml | 12 +- ...istence_emond_rules_process_execution.toml | 12 +- .../persistence_enable_root_account.toml | 12 +- ...n_hidden_launch_agent_deamon_creation.toml | 13 +- ...istence_folder_action_scripts_runtime.toml | 13 +- ...rsistence_login_logout_hooks_defaults.toml | 12 +- ...stence_loginwindow_plist_modification.toml | 12 +- ...fication_sublime_app_plugin_or_script.toml | 12 +- 
...ersistence_periodic_tasks_file_mdofiy.toml | 12 +- ...saver_engine_unexpected_child_process.toml | 12 +- ...e_screensaver_plist_file_modification.toml | 12 +- ...ence_suspicious_calendar_modification.toml | 12 +- ...tence_via_atom_init_file_modification.toml | 12 +- ...calation_explicit_creds_via_scripting.toml | 13 +- ...alation_exploit_adobe_acrobat_updater.toml | 6 +- ...ilege_escalation_root_crontab_filemod.toml | 12 +- ...d_control_ml_packetbeat_dns_tunneling.toml | 13 +- ...ntrol_ml_packetbeat_rare_dns_question.toml | 23 +- ...d_and_control_ml_packetbeat_rare_urls.toml | 21 +- ...control_ml_packetbeat_rare_user_agent.toml | 21 +- ..._ml_auth_spike_in_failed_logon_events.toml | 17 +- ..._access_ml_auth_spike_in_logon_events.toml | 16 +- ...pike_in_logon_events_from_a_source_ip.toml | 22 +- ...s_ml_linux_anomalous_metadata_process.toml | 22 +- ...cess_ml_linux_anomalous_metadata_user.toml | 23 +- ...l_access_ml_suspicious_login_activity.toml | 13 +- ...ml_windows_anomalous_metadata_process.toml | 26 +- ...ss_ml_windows_anomalous_metadata_user.toml | 26 +- ...ml_linux_system_information_discovery.toml | 13 +- ...ystem_network_configuration_discovery.toml | 13 +- ...x_system_network_connection_discovery.toml | 13 +- ...ery_ml_linux_system_process_discovery.toml | 13 +- ...covery_ml_linux_system_user_discovery.toml | 13 +- ...execution_ml_windows_anomalous_script.toml | 29 +- ...ml_auth_rare_hour_for_a_user_to_logon.toml | 15 +- ...ess_ml_auth_rare_source_ip_for_a_user.toml | 14 +- ...nitial_access_ml_auth_rare_user_logon.toml | 22 +- ...l_access_ml_linux_anomalous_user_name.toml | 14 +- ...access_ml_windows_anomalous_user_name.toml | 17 +- ...windows_rare_user_type10_remote_login.toml | 17 +- rules/ml/ml_high_count_network_denies.toml | 23 +- rules/ml/ml_high_count_network_events.toml | 22 +- .../ml_linux_anomalous_network_activity.toml | 12 +- ...linux_anomalous_network_port_activity.toml | 12 +- .../ml/ml_packetbeat_rare_server_domain.toml | 6 +- 
rules/ml/ml_rare_destination_country.toml | 31 +- .../ml/ml_spike_in_traffic_to_a_country.toml | 15 +- ...ml_windows_anomalous_network_activity.toml | 12 +- ..._ml_linux_anomalous_process_all_hosts.toml | 25 +- ...istence_ml_rare_process_by_host_linux.toml | 26 +- ...tence_ml_rare_process_by_host_windows.toml | 59 +- ...ce_ml_windows_anomalous_path_activity.toml | 33 +- ...l_windows_anomalous_process_all_hosts.toml | 14 +- ...ml_windows_anomalous_process_creation.toml | 14 +- ...sistence_ml_windows_anomalous_service.toml | 24 +- ...tion_ml_linux_anomalous_sudo_activity.toml | 13 +- ...tion_ml_windows_rare_user_runas_event.toml | 18 +- ..._ml_linux_anomalous_compiler_activity.toml | 26 +- ...cepted_default_telnet_port_connection.toml | 4 +- ...mand_and_control_cobalt_strike_beacon.toml | 4 +- ...cobalt_strike_default_teamserver_cert.toml | 4 +- ...download_rar_powershell_from_internet.toml | 4 +- .../command_and_control_fin7_c2_behavior.toml | 4 +- .../command_and_control_halfbaked_beacon.toml | 4 +- ...d_control_nat_traversal_port_activity.toml | 4 +- .../command_and_control_port_26_activity.toml | 4 +- ...te_desktop_protocol_from_the_internet.toml | 4 +- ...l_network_computing_from_the_internet.toml | 4 +- ...ual_network_computing_to_the_internet.toml | 4 +- ...very_potential_network_sweep_detected.toml | 43 +- ...iscovery_potential_port_scan_detected.toml | 40 +- ...very_potential_syn_port_scan_detected.toml | 42 +- ...mote_procedure_call_from_the_internet.toml | 4 +- ...remote_procedure_call_to_the_internet.toml | 5 +- ...file_sharing_activity_to_the_internet.toml | 5 +- ...al_access_unsecure_elasticsearch_node.toml | 4 +- .../lateral_movement_dns_server_overflow.toml | 4 +- ..._access_endgame_cred_dumping_detected.toml | 20 +- ...access_endgame_cred_dumping_prevented.toml | 21 +- .../endgame_adversary_behavior_detected.toml | 10 +- .../promotions/endgame_malware_detected.toml | 6 +- .../promotions/endgame_malware_prevented.toml | 6 +- 
.../endgame_ransomware_detected.toml | 6 +- .../endgame_ransomware_prevented.toml | 6 +- .../execution_endgame_exploit_detected.toml | 19 +- .../execution_endgame_exploit_prevented.toml | 19 +- rules/promotions/external_alerts.toml | 22 +- ...on_endgame_cred_manipulation_detected.toml | 13 +- ...n_endgame_cred_manipulation_prevented.toml | 13 +- ...ion_endgame_permission_theft_detected.toml | 13 +- ...on_endgame_permission_theft_prevented.toml | 15 +- ...on_endgame_process_injection_detected.toml | 15 +- ...n_endgame_process_injection_prevented.toml | 13 +- ...lection_email_outlook_mailbox_via_com.toml | 24 +- ...ion_email_powershell_exchange_mailbox.toml | 26 +- .../collection_posh_audio_capture.toml | 13 +- rules/windows/collection_posh_keylogger.toml | 13 +- rules/windows/collection_posh_mailbox.toml | 13 +- .../collection_posh_screen_grabber.toml | 13 +- .../collection_posh_webcam_video_capture.toml | 16 +- .../windows/collection_winrar_encryption.toml | 24 +- .../command_and_control_certreq_postdata.toml | 31 +- ...ommand_and_control_common_webservices.toml | 4 +- ...nd_and_control_dns_tunneling_nslookup.toml | 16 +- ...control_encrypted_channel_freesslcert.toml | 13 +- .../command_and_control_headless_browser.toml | 25 +- .../command_and_control_iexplore_via_com.toml | 12 +- ...and_and_control_ingress_transfer_bits.toml | 19 +- ...w_terms_commonly_abused_rat_execution.toml | 27 +- ...ontrol_port_forwarding_added_registry.toml | 16 +- .../command_and_control_rdp_tunnel_plink.toml | 17 +- ...ol_remote_file_copy_desktopimgdownldr.toml | 4 +- ...and_control_remote_file_copy_mpcmdrun.toml | 4 +- ...d_control_remote_file_copy_powershell.toml | 4 +- ..._and_control_remote_file_copy_scripts.toml | 23 +- ...d_and_control_screenconnect_childproc.toml | 24 +- ...control_sunburst_c2_activity_detected.toml | 13 +- ...d_control_teamviewer_remote_file_copy.toml | 10 +- .../credential_access_adidns_wildcard.toml | 12 +- ...ntial_access_bruteforce_admin_account.toml | 12 +- 
...ple_logon_failure_followed_by_success.toml | 12 +- ...rce_multiple_logon_failure_same_srcip.toml | 21 +- .../credential_access_cmdline_dump_tool.toml | 15 +- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 22 +- ...ial_access_credential_dumping_msbuild.toml | 26 +- ...ial_access_dcsync_newterm_subjectuser.toml | 39 +- ...tial_access_dcsync_replication_rights.toml | 9 +- ...ntial_access_disable_kerberos_preauth.toml | 22 +- .../credential_access_dnsnode_creation.toml | 9 +- ...cess_domain_backup_dpapi_private_keys.toml | 23 +- ...credential_access_dump_registry_hives.toml | 14 +- .../credential_access_generic_localdumps.toml | 14 +- ...ntial_access_iis_apppoolsa_pwd_appcmd.toml | 21 +- ..._access_iis_connectionstrings_dumping.toml | 21 +- ..._access_kerberoasting_unusual_process.toml | 13 +- .../windows/credential_access_kirbi_file.toml | 21 +- .../credential_access_ldap_attributes.toml | 17 +- ...l_access_lsass_handle_via_malseclogon.toml | 12 +- ...edential_access_lsass_loaded_susp_dll.toml | 20 +- ...ial_access_lsass_memdump_file_created.toml | 6 +- ...al_access_lsass_memdump_handle_access.toml | 13 +- ...edential_access_lsass_openprocess_api.toml | 24 +- ...l_access_mimikatz_memssp_default_logs.toml | 14 +- ...ial_access_mimikatz_powershell_module.toml | 13 +- ..._access_mod_wdigest_security_provider.toml | 6 +- ...l_access_moving_registry_hive_via_smb.toml | 6 +- ...e_network_logon_provider_modification.toml | 16 +- ...edential_access_posh_invoke_ninjacopy.toml | 45 +- ...edential_access_posh_kerb_ticket_dump.toml | 17 +- .../credential_access_posh_minidump.toml | 13 +- .../credential_access_posh_relay_tools.toml | 18 +- ...credential_access_posh_request_ticket.toml | 13 +- .../credential_access_posh_veeam_sql.toml | 18 +- ..._potential_lsa_memdump_via_mirrordump.toml | 12 +- ...cess_relay_ntlm_auth_via_http_spoolss.toml | 25 +- ...dential_access_remote_sam_secretsdump.toml | 6 +- ...ntial_access_saved_creds_vault_winlog.toml | 4 +- 
...redential_access_saved_creds_vaultcmd.toml | 21 +- ...edelegationprivilege_assigned_to_user.toml | 10 +- .../credential_access_shadow_credentials.toml | 14 +- ...dential_access_spn_attribute_modified.toml | 6 +- ...l_access_suspicious_comsvcs_imageload.toml | 15 +- ...ccess_suspicious_lsass_access_generic.toml | 17 +- ...ccess_suspicious_lsass_access_memdump.toml | 15 +- ..._suspicious_lsass_access_via_snapshot.toml | 12 +- ...cious_winreg_access_via_sebackup_priv.toml | 16 +- ..._symbolic_link_to_shadow_copy_created.toml | 15 +- ...ial_access_veeam_backup_dll_imageload.toml | 14 +- .../credential_access_veeam_commands.toml | 28 +- ...ess_via_snapshot_lsass_clone_creation.toml | 12 +- ...dential_access_wireless_creds_dumping.toml | 14 +- ...den_file_attribute_with_via_attribexe.toml | 43 +- ...defense_evasion_amsi_bypass_dllhijack.toml | 14 +- ...efense_evasion_amsi_bypass_powershell.toml | 13 +- .../defense_evasion_amsienable_key_mod.toml | 15 +- ...sion_clearing_windows_console_history.toml | 16 +- ...e_evasion_clearing_windows_event_logs.toml | 15 +- ...vasion_clearing_windows_security_logs.toml | 12 +- ...ing_policy_modification_builtin_tools.toml | 31 +- ..._signing_policy_modification_registry.toml | 29 +- ...e_evasion_create_mod_root_certificate.toml | 6 +- .../defense_evasion_cve_2020_0601.toml | 12 +- ...vasion_defender_disabled_via_registry.toml | 15 +- ...ion_defender_exclusion_via_powershell.toml | 14 +- ...delete_volume_usn_journal_with_fsutil.toml | 22 +- .../windows/defense_evasion_disable_nla.toml | 22 +- ...asion_disable_posh_scriptblocklogging.toml | 15 +- ...ble_windows_firewall_rules_with_netsh.toml | 14 +- ...disabling_windows_defender_powershell.toml | 15 +- ...efense_evasion_disabling_windows_logs.toml | 15 +- ...efense_evasion_dns_over_https_enabled.toml | 24 +- ...vasion_dotnet_compiler_parent_process.toml | 28 +- ...evasion_enable_inbound_rdp_with_netsh.toml | 14 +- ...n_enable_network_discovery_with_netsh.toml | 14 +- 
...ecution_control_panel_suspicious_args.toml | 29 +- ...ense_evasion_execution_lolbas_wuauclt.toml | 30 +- ...ecution_msbuild_started_by_office_app.toml | 14 +- ...n_execution_msbuild_started_by_script.toml | 30 +- ...ion_msbuild_started_by_system_process.toml | 29 +- ...ion_execution_msbuild_started_renamed.toml | 7 +- ...cution_msbuild_started_unusal_process.toml | 27 +- ...execution_suspicious_explorer_winword.toml | 23 +- ...sion_execution_windefend_unusual_path.toml | 23 +- ..._evasion_file_creation_mult_extension.toml | 14 +- ...efense_evasion_from_unusual_directory.toml | 22 +- ...sion_hide_encoded_executable_registry.toml | 22 +- ...ense_evasion_iis_httplogging_disabled.toml | 22 +- .../defense_evasion_injection_msbuild.toml | 14 +- .../defense_evasion_installutil_beacon.toml | 20 +- ...querading_as_elastic_endpoint_process.toml | 24 +- ..._masquerading_business_apps_installer.toml | 18 +- ...asion_masquerading_communication_apps.toml | 17 +- ...e_evasion_masquerading_renamed_autoit.toml | 6 +- ...erading_suspicious_werfault_childproc.toml | 29 +- ...vasion_masquerading_trusted_directory.toml | 21 +- ...defense_evasion_masquerading_werfault.toml | 23 +- ..._evasion_microsoft_defender_tampering.toml | 23 +- ...isc_lolbin_connecting_to_the_internet.toml | 22 +- ...e_evasion_ms_office_suspicious_regmod.toml | 6 +- ...on_msbuild_making_network_connections.toml | 22 +- .../windows/defense_evasion_mshta_beacon.toml | 20 +- .../defense_evasion_msxsl_network.toml | 20 +- ...etwork_connection_from_windows_binary.toml | 39 +- ...e_evasion_parent_process_pid_spoofing.toml | 15 +- ...persistence_account_tokenfilterpolicy.toml | 16 +- .../defense_evasion_posh_encryption.toml | 13 +- ...efense_evasion_posh_process_injection.toml | 15 +- ..._powershell_windows_firewall_disabled.toml | 7 +- ...cess_termination_followed_by_deletion.toml | 17 +- ...ense_evasion_proxy_execution_via_msdt.toml | 13 +- ...defense_evasion_root_dir_ads_creation.toml | 24 +- 
...defense_evasion_rundll32_no_arguments.toml | 14 +- ...fense_evasion_sccm_scnotification_dll.toml | 14 +- ...ion_scheduledjobs_at_protocol_enabled.toml | 21 +- ..._evasion_sdelete_like_filename_rename.toml | 18 +- .../defense_evasion_sip_provider_mod.toml | 14 +- ...ackdoor_service_disabled_via_registry.toml | 24 +- ..._evasion_suspicious_certutil_commands.toml | 23 +- ...picious_execution_from_mounted_device.toml | 15 +- ...n_suspicious_managedcode_host_process.toml | 17 +- ...picious_process_access_direct_syscall.toml | 16 +- ...suspicious_process_creation_calltrace.toml | 13 +- ...efense_evasion_suspicious_scrobj_load.toml | 15 +- ...evasion_suspicious_short_program_name.toml | 20 +- ...defense_evasion_suspicious_wmi_script.toml | 24 +- ...evasion_suspicious_zoom_child_process.toml | 27 +- ..._critical_proc_abnormal_file_activity.toml | 7 +- .../defense_evasion_timestomp_sysmon.toml | 14 +- ...sion_unsigned_dll_loaded_from_suspdir.toml | 20 +- ...fense_evasion_untrusted_driver_loaded.toml | 32 +- ...nse_evasion_unusual_ads_file_creation.toml | 14 +- .../defense_evasion_unusual_dir_ads.toml | 14 +- ...nusual_network_connection_via_dllhost.toml | 20 +- ...usual_network_connection_via_rundll32.toml | 23 +- ...on_unusual_process_network_connection.toml | 21 +- ...asion_unusual_system_vp_child_program.toml | 21 +- .../defense_evasion_via_filter_manager.toml | 23 +- ...se_evasion_windows_filtering_platform.toml | 22 +- ...evasion_workfolders_control_execution.toml | 4 +- .../defense_evasion_wsl_bash_exec.toml | 40 +- .../defense_evasion_wsl_child_process.toml | 26 +- .../defense_evasion_wsl_enabled_via_dism.toml | 27 +- .../defense_evasion_wsl_filesystem.toml | 26 +- .../defense_evasion_wsl_kalilinux.toml | 26 +- ...nse_evasion_wsl_registry_modification.toml | 19 +- ...discovery_active_directory_webservice.toml | 20 +- .../discovery_adfind_command_activity.toml | 31 +- rules/windows/discovery_admin_recon.toml | 37 +- .../discovery_command_system_account.toml | 16 +- 
...enumerating_domain_trusts_via_dsquery.toml | 32 +- ..._enumerating_domain_trusts_via_nltest.toml | 39 +- ...scovery_group_policy_object_discovery.toml | 31 +- .../discovery_high_number_ad_properties.toml | 7 +- .../windows/discovery_peripheral_device.toml | 22 +- .../discovery_posh_invoke_sharefinder.toml | 18 +- ...unusual_discovery_signal_proc_cmdline.toml | 22 +- ...sual_discovery_signal_proc_executable.toml | 22 +- .../discovery_whoami_command_activity.toml | 14 +- ...arwinds_backdoor_child_cmd_powershell.toml | 24 +- ...inds_backdoor_unusual_child_processes.toml | 13 +- .../windows/execution_com_object_xwizard.toml | 21 +- ...and_prompt_connecting_to_the_internet.toml | 22 +- ...tion_command_shell_started_by_svchost.toml | 4 +- ...mand_shell_started_by_unusual_process.toml | 23 +- .../execution_command_shell_via_rundll32.toml | 19 +- ...tion_delayed_via_ping_lolbas_unsigned.toml | 125 +- .../execution_downloaded_shortcut_files.toml | 12 +- .../execution_downloaded_url_file.toml | 13 +- .../execution_enumeration_via_wmiprvse.toml | 60 +- .../execution_from_unusual_path_cmdline.toml | 14 +- ...le_program_connecting_to_the_internet.toml | 22 +- ...execution_initial_access_via_msc_file.toml | 20 +- rules/windows/execution_mofcomp.toml | 17 +- .../execution_ms_office_written_file.toml | 28 +- rules/windows/execution_pdf_written_file.toml | 23 +- .../execution_posh_hacktool_authors.toml | 22 +- .../execution_posh_portable_executable.toml | 15 +- ...ution_psexec_lateral_movement_command.toml | 26 +- ...er_program_connecting_to_the_internet.toml | 24 +- ...tion_scheduled_task_powershell_source.toml | 33 +- ...xecution_shared_modules_local_sxs_dll.toml | 14 +- .../windows/execution_suspicious_cmd_wmi.toml | 25 +- ...n_suspicious_image_load_wmi_ms_office.toml | 14 +- .../execution_suspicious_pdf_reader.toml | 26 +- ...ecution_suspicious_powershell_imgload.toml | 27 +- .../execution_suspicious_psexesvc.toml | 31 +- .../execution_via_compiled_html_file.toml | 22 +- 
.../execution_via_hidden_shell_conhost.toml | 19 +- .../exfiltration_smb_rare_destination.toml | 24 +- .../windows/impact_backup_file_deletion.toml | 23 +- ...deleting_backup_catalogs_with_wbadmin.toml | 32 +- ...pact_high_freq_file_renames_by_kernel.toml | 19 +- .../impact_modification_of_boot_config.toml | 22 +- .../impact_ransomware_file_rename_smb.toml | 30 +- .../impact_ransomware_note_file_over_smb.toml | 25 +- ...impact_stop_process_service_threshold.toml | 24 +- ...copy_deletion_or_resized_via_vssadmin.toml | 23 +- ...e_shadow_copy_deletion_via_powershell.toml | 24 +- ..._volume_shadow_copy_deletion_via_wmic.toml | 27 +- ..._evasion_suspicious_htm_file_creation.toml | 12 +- ...itial_access_execution_from_inetcache.toml | 28 +- ...access_execution_from_removable_media.toml | 15 +- ...l_access_execution_remote_via_msiexec.toml | 22 +- ...al_access_execution_via_office_addins.toml | 32 +- ...cess_exfiltration_first_time_seen_usb.toml | 35 +- ...ial_access_exploit_jetbrains_teamcity.toml | 29 +- ...al_access_script_executing_powershell.toml | 19 +- ...ccess_scripts_process_started_via_wmi.toml | 34 +- ...l_access_suspicious_ms_exchange_files.toml | 18 +- ...access_suspicious_ms_exchange_process.toml | 24 +- ...ious_ms_exchange_worker_child_process.toml | 18 +- ...ss_suspicious_ms_office_child_process.toml | 26 +- ...s_suspicious_ms_outlook_child_process.toml | 29 +- ...explorer_suspicious_child_parent_args.toml | 20 +- ..._access_webshell_screenconnect_server.toml | 30 +- ...l_access_xsl_script_execution_via_com.toml | 18 +- .../lateral_movement_alternate_creds_pth.toml | 14 +- .../windows/lateral_movement_cmd_service.toml | 20 +- rules/windows/lateral_movement_dcom_hta.toml | 20 +- .../windows/lateral_movement_dcom_mmc20.toml | 24 +- ...t_dcom_shellwindow_shellbrowserwindow.toml | 20 +- ...n_lanman_nullsessionpipe_modification.toml | 17 +- ...vement_direct_outbound_smb_connection.toml | 13 +- ...ateral_movement_evasion_rdp_shadowing.toml | 25 +- 
...movement_executable_tool_transfer_smb.toml | 13 +- ..._movement_execution_from_tsclient_mup.toml | 23 +- ...nt_execution_via_file_shares_sequence.toml | 18 +- ...vement_incoming_winrm_shell_execution.toml | 21 +- .../lateral_movement_incoming_wmi.toml | 22 +- ...ment_mount_hidden_or_webdav_share_net.toml | 26 +- ...l_movement_powershell_remoting_target.toml | 25 +- ...lateral_movement_rdp_enabled_registry.toml | 20 +- .../lateral_movement_rdp_sharprdp_target.toml | 12 +- ...ovement_remote_file_copy_hidden_share.toml | 21 +- ...ement_remote_service_installed_winlog.toml | 12 +- .../lateral_movement_remote_services.toml | 21 +- ..._movement_remote_task_creation_winlog.toml | 10 +- ...ateral_movement_scheduled_task_target.toml | 21 +- ...ement_suspicious_rdp_client_imageload.toml | 17 +- ...movement_unusual_dns_service_children.toml | 23 +- ...ement_unusual_dns_service_file_writes.toml | 15 +- ...l_movement_via_startup_folder_rdp_smb.toml | 16 +- .../windows/persistence_ad_adminsdholder.toml | 16 +- .../persistence_adobe_hijack_persistence.toml | 34 +- .../windows/persistence_app_compat_shim.toml | 13 +- .../persistence_appcertdlls_registry.toml | 25 +- .../persistence_appinitdlls_registry.toml | 4 +- ...persistence_browser_extension_install.toml | 15 +- .../persistence_dontexpirepasswd_account.toml | 6 +- ...evasion_hidden_local_account_creation.toml | 15 +- ...tence_evasion_registry_ifeo_injection.toml | 19 +- ...egistry_startup_shell_folder_modified.toml | 20 +- ...sistence_local_scheduled_job_creation.toml | 23 +- ...istence_local_scheduled_task_creation.toml | 13 +- ...stence_local_scheduled_task_scripting.toml | 24 +- .../persistence_ms_office_addins_file.toml | 17 +- .../persistence_ms_outlook_vba_template.toml | 14 +- ...istence_msds_alloweddelegateto_krbtgt.toml | 13 +- ...persistence_msoffice_startup_registry.toml | 20 +- .../windows/persistence_netsh_helper_dll.toml | 23 +- ...ll_exch_mailbox_activesync_add_device.toml | 23 +- 
.../persistence_powershell_profiles.toml | 17 +- ...escalation_via_accessibility_features.toml | 15 +- .../persistence_registry_uncommon.toml | 32 +- .../persistence_remote_password_reset.toml | 16 +- ...persistence_run_key_and_startup_broad.toml | 14 +- ...ce_runtime_run_key_startup_susp_procs.toml | 14 +- ...stence_scheduled_task_creation_winlog.toml | 4 +- .../persistence_scheduled_task_updated.toml | 5 +- ...istence_sdprop_exclusion_dsheuristics.toml | 10 +- .../persistence_service_dll_unsigned.toml | 19 +- ...stence_service_windows_service_winlog.toml | 21 +- .../persistence_services_registry.toml | 19 +- ...er_file_written_by_suspicious_process.toml | 15 +- ...lder_file_written_by_unsigned_process.toml | 18 +- .../persistence_startup_folder_scripts.toml | 15 +- ...stence_suspicious_com_hijack_registry.toml | 21 +- ...s_image_load_scheduled_task_ms_office.toml | 21 +- ...nce_suspicious_scheduled_task_runtime.toml | 15 +- ...e_suspicious_service_created_registry.toml | 19 +- ...istence_sysmon_wmi_event_subscription.toml | 27 +- ...ersistence_system_shells_via_services.toml | 28 +- .../persistence_temp_scheduled_task.toml | 16 +- .../persistence_time_provider_mod.toml | 17 +- ..._account_added_to_privileged_group_ad.toml | 14 +- .../persistence_user_account_creation.toml | 22 +- .../persistence_via_application_shimming.toml | 21 +- ...rsistence_via_bits_job_notify_command.toml | 23 +- ...sistence_via_hidden_run_key_valuename.toml | 21 +- ...sa_security_support_provider_registry.toml | 19 +- ...emetrycontroller_scheduledtask_hijack.toml | 31 +- ...ia_update_orchestrator_service_hijack.toml | 17 +- ...nt_instrumentation_event_subscription.toml | 25 +- ...tence_via_wmi_stdregprov_run_services.toml | 14 +- ...ia_xp_cmdshell_mssql_stored_procedure.toml | 31 +- .../persistence_webshell_detection.toml | 40 +- .../persistence_werfault_reflectdebugger.toml | 17 +- ...tion_create_process_as_different_user.toml | 4 +- ...tion_create_process_with_token_unpriv.toml | 18 +- 
...privilege_escalation_credroaming_ldap.toml | 13 +- ...ilege_escalation_disable_uac_registry.toml | 27 +- ...ege_escalation_driver_newterm_imphash.toml | 36 +- ...lege_escalation_expired_driver_loaded.toml | 19 +- ...lege_escalation_exploit_cve_202238028.toml | 24 +- ...calation_gpo_schtask_service_creation.toml | 16 +- ...ege_escalation_group_policy_iniscript.toml | 6 +- ...lation_group_policy_privileged_groups.toml | 6 +- ...scalation_group_policy_scheduled_task.toml | 9 +- ...rivilege_escalation_installertakeover.toml | 14 +- ...scalation_krbrelayup_service_creation.toml | 14 +- ...privilege_escalation_lsa_auth_package.toml | 13 +- ...privilege_escalation_make_token_local.toml | 9 +- ...e_escalation_named_pipe_impersonation.toml | 14 +- ...scalation_newcreds_logon_rare_process.toml | 14 +- ...ge_escalation_persistence_phantom_dll.toml | 10 +- ...ion_port_monitor_print_pocessor_abuse.toml | 15 +- ...e_escalation_posh_token_impersonation.toml | 13 +- ...ation_printspooler_registry_copyfiles.toml | 15 +- ..._printspooler_service_suspicious_file.toml | 15 +- ...printspooler_suspicious_file_deletion.toml | 15 +- ...tion_printspooler_suspicious_spl_file.toml | 15 +- ...calation_rogue_windir_environment_var.toml | 14 +- ...lation_samaccountname_spoofing_attack.toml | 16 +- ...on_service_control_spawned_script_int.toml | 36 +- ...alation_suspicious_dnshostname_update.toml | 14 +- ...lation_tokenmanip_sedebugpriv_enabled.toml | 4 +- ...lege_escalation_uac_bypass_com_clipup.toml | 18 +- ...ge_escalation_uac_bypass_com_ieinstal.toml | 19 +- ...n_uac_bypass_com_interface_icmluautil.toml | 18 +- ...alation_uac_bypass_diskcleanup_hijack.toml | 25 +- ...escalation_uac_bypass_dll_sideloading.toml | 19 +- ...ge_escalation_uac_bypass_event_viewer.toml | 24 +- ...ege_escalation_uac_bypass_mock_windir.toml | 43 +- ...scalation_uac_bypass_winfw_mmc_hijack.toml | 36 +- ...lege_escalation_unquoted_service_path.toml | 15 +- ...tion_unusual_parentchild_relationship.toml | 22 +- 
...ion_unusual_printspooler_childprocess.toml | 13 +- ...n_unusual_svchost_childproc_childless.toml | 16 +- ...rivilege_escalation_via_ppid_spoofing.toml | 12 +- ...ilege_escalation_via_rogue_named_pipe.toml | 12 +- .../privilege_escalation_via_token_theft.toml | 12 +- ...on_windows_service_via_unusual_client.toml | 4 +- ...collection_archive_data_zip_imageload.toml | 20 +- ...ction_common_compressed_archived_file.toml | 76 +- ...tion_files_staged_in_recycle_bin_root.toml | 27 +- ...n_linux_suspicious_clipboard_activity.toml | 35 +- .../collection_outlook_email_archive.toml | 26 +- ...ommand_and_control_bitsadmin_activity.toml | 21 +- ...d_control_certutil_network_connection.toml | 4 +- ..._and_control_linux_ssh_x11_forwarding.toml | 30 +- ...nd_and_control_non_standard_http_port.toml | 51 +- .../credential_access_mdmp_file_creation.toml | 18 +- ...al_access_mdmp_file_unusual_extension.toml | 22 +- ...dential_access_win_private_key_access.toml | 23 +- ...ense_evasion_cmd_copy_binary_contents.toml | 29 +- .../defense_evasion_cmstp_execution.toml | 22 +- ...rading_unusual_archive_file_extension.toml | 20 +- ...ication_apps_suspicious_child_process.toml | 23 +- ..._creation_of_hidden_files_directories.toml | 37 +- .../defense_evasion_dll_hijack.toml | 20 +- ...evasion_dotnet_clickonce_dfsvc_netcon.toml | 28 +- ...fense_evasion_download_susp_extension.toml | 45 +- ...cution_via_visualstudio_prebuildevent.toml | 31 +- ..._evasion_file_permission_modification.toml | 20 +- .../defense_evasion_generic_deletion.toml | 21 +- ...indirect_command_exec_pcalua_forfiles.toml | 29 +- ...fense_evasion_injection_from_msoffice.toml | 29 +- ..._evasion_installutil_command_activity.toml | 25 +- ...se_evasion_invalid_codesign_imageload.toml | 21 +- ...defense_evasion_masquerading_browsers.toml | 22 +- ...squerading_unusual_exe_file_extension.toml | 19 +- .../defense_evasion_masquerading_vlc_dll.toml | 23 +- ...ense_evasion_masquerading_windows_dll.toml | 25 +- 
...ion_masquerading_windows_system32_exe.toml | 24 +- ...fense_evasion_msdt_suspicious_diagcab.toml | 49 +- ...on_msiexec_installsource_archive_file.toml | 22 +- ...vasion_processes_with_trailing_spaces.toml | 37 +- ...nse_evasion_service_disabled_registry.toml | 12 +- ...defense_evasion_service_path_registry.toml | 23 +- .../defense_evasion_services_exe_path.toml | 23 +- ..._evasion_suspicious_msiexec_execution.toml | 27 +- .../defense_evasion_unsigned_bits_client.toml | 38 +- ...nse_evasion_unusual_process_extension.toml | 26 +- ...nse_evasion_unusual_process_path_wbem.toml | 31 +- .../defense_evasion_write_dac_access.toml | 35 +- ...iscovery_files_dir_systeminfo_via_cmd.toml | 36 +- .../discovery_generic_account_groups.toml | 37 +- .../discovery_generic_process_discovery.toml | 35 +- .../discovery_generic_registry_query.toml | 27 +- .../discovery_hosts_file_access.toml | 31 +- .../discovery_internet_capabilities.toml | 29 +- ...ry_kernel_module_enumeration_via_proc.toml | 31 +- .../discovery_linux_modprobe_enumeration.toml | 31 +- .../discovery_linux_sysctl_enumeration.toml | 31 +- ...ry_linux_system_information_discovery.toml | 29 +- ...ery_linux_system_owner_user_discovery.toml | 29 +- .../discovery_net_share_discovery_winlog.toml | 22 +- rules_building_block/discovery_net_view.toml | 34 +- ..._accounts_or_groups_via_builtin_tools.toml | 39 +- .../discovery_of_domain_groups.toml | 29 +- .../discovery_posh_password_policy.toml | 21 +- ..._post_exploitation_external_ip_lookup.toml | 29 +- ...ery_potential_memory_seeking_activity.toml | 25 +- ...y_process_discovery_via_builtin_tools.toml | 31 +- ...ote_system_discovery_commands_windows.toml | 29 +- .../discovery_security_software_wmic.toml | 43 +- .../discovery_signal_unusual_user_host.toml | 24 +- ...overy_suspicious_memory_grep_activity.toml | 27 +- ...discovery_suspicious_proc_enumeration.toml | 27 +- .../discovery_system_network_connections.toml | 31 +- .../discovery_system_service_discovery.toml | 40 +- 
.../discovery_system_time_discovery.toml | 37 +- .../discovery_win_network_connections.toml | 28 +- ..._windows_system_information_discovery.toml | 26 +- ...ution_github_new_event_action_for_pat.toml | 28 +- ...n_github_new_repo_interaction_for_pat.toml | 28 +- ..._github_new_repo_interaction_for_user.toml | 28 +- .../execution_github_repo_created.toml | 25 +- ...n_github_repo_interaction_from_new_ip.toml | 30 +- .../execution_linux_segfault.toml | 16 +- ...ution_settingcontent_ms_file_creation.toml | 40 +- .../execution_unix_socket_communication.toml | 39 +- ...execution_unsigned_service_executable.toml | 37 +- .../execution_wmi_wbemtest.toml | 27 +- ...thub_member_removed_from_organization.toml | 27 +- .../impact_github_pat_access_revoked.toml | 27 +- ...github_user_blocked_from_organization.toml | 27 +- .../initial_access_cross_site_scripting.toml | 15 +- ..._access_github_new_ip_address_for_pat.toml | 31 +- ...access_github_new_ip_address_for_user.toml | 31 +- ..._access_github_new_user_agent_for_pat.toml | 31 +- ...access_github_new_user_agent_for_user.toml | 31 +- rules_building_block/lateral_movement_at.toml | 32 +- ...ral_movement_rdp_conn_unusual_process.toml | 21 +- ...movement_unusual_process_sql_accounts.toml | 30 +- .../lateral_movement_wmic_remote.toml | 25 +- ...e_aws_iam_login_profile_added_to_user.toml | 25 +- ...persistence_creation_of_kernel_module.toml | 33 +- .../persistence_github_new_pat_for_user.toml | 31 +- ...github_new_user_added_to_organization.toml | 29 +- .../persistence_startup_folder_lnk.toml | 18 +- .../persistence_transport_agent_exchange.toml | 43 +- .../privilege_escalation_trap_execution.toml | 33 +- tests/test_all_rules.py | 10 +- 1036 files changed, 11345 insertions(+), 12299 deletions(-) delete mode 100644 docs/versioning.md diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml index 1dfd97ad776..bda7d3dbe3b 100644 --- a/.github/workflows/lock-versions.yml 
+++ b/.github/workflows/lock-versions.yml @@ -6,7 +6,7 @@ on: description: 'List of branches to lock versions (ordered, comma separated)' required: true # 7.17 was intentionally skipped because it was added late and was bug fix only - default: '8.9,8.10,8.11,8.12,8.13,8.14' + default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14' jobs: pr: diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py index 7befb9d1a37..71bd2f218eb 100644 --- a/detection_rules/devtools.py +++ b/detection_rules/devtools.py @@ -812,9 +812,8 @@ def raw_permalink(raw_link): @dev_group.command('trim-version-lock') @click.argument('stack_version') -@click.option('--skip-rule-updates', is_flag=True, help='Skip updating the rules') @click.option('--dry-run', is_flag=True, help='Print the changes rather than saving the file') -def trim_version_lock(stack_version: str, skip_rule_updates: bool, dry_run: bool): +def trim_version_lock(stack_version: str, dry_run: bool): """Trim all previous entries within the version lock file which are lower than the min_version.""" stack_versions = get_stack_versions() assert stack_version in stack_versions, \ 
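Review bot: The argument check directly under the new `trim_version_lock` signature is an `assert`, which is stripped under `python -O`, so an unsupported `stack_version` would then flow straight into the version comparisons in the body; raising `click.BadParameter(f'{stack_version} is not a supported stack version')` instead, or declaring the argument as `@click.argument('stack_version', type=click.Choice(get_stack_versions()))` if that call is cheap at import time, keeps the check in every run mode. Dropping `--skip-rule-updates` also means the command now only rewrites the lock file and never touches rule TOML, which the docstring should state: `"""Trim 'previous' entries in the version lock file that are older than stack_version; rule files are not modified."""`. The assert's message continues past this hunk and the function body continues in the next one.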
@@ -822,78 +821,36 @@ def trim_version_lock(stack_version: str, skip_rule_updates: bool, dry_run: bool min_version = Version.parse(stack_version) version_lock_dict = default_version_lock.version_lock.to_dict() - removed = defaultdict(list) - rule_msv_drops = [] - - today = time.strftime('%Y/%m/%d') - rc: RuleCollection | None = None - if dry_run: - rc = RuleCollection() - else: - if not skip_rule_updates: - click.echo('Loading rules ...') - rc = RuleCollection.default() + removed = {} for rule_id, lock in version_lock_dict.items(): - file_min_stack: Version | None = None - if 'min_stack_version' in lock: - file_min_stack = Version.parse((lock['min_stack_version']), optional_minor_and_patch=True) - if file_min_stack <= min_version: - removed[rule_id].append( - f'locked min_stack_version <= {min_version} - {"will remove" if dry_run else "removing"}!' - ) - rule_msv_drops.append(rule_id) - file_min_stack = None - - if not dry_run: - lock.pop('min_stack_version') - if not skip_rule_updates: - # remove the min_stack_version and min_stack_comments from rules as well (and update date) - rule = rc.id_map.get(rule_id) - if rule: - new_meta = dataclasses.replace( - rule.contents.metadata, - updated_date=today, - min_stack_version=None, - min_stack_comments=None - ) - contents = dataclasses.replace(rule.contents, metadata=new_meta) - new_rule = TOMLRule(contents=contents, path=rule.path) - new_rule.save_toml() - removed[rule_id].append('rule min_stack_version dropped') - else: - removed[rule_id].append('rule not found to update!') - if 'previous' in lock: prev_vers = [Version.parse(v, optional_minor_and_patch=True) for v in list(lock['previous'])] - outdated_vers = [v for v in prev_vers if v < min_version] + outdated_vers = [f"{v.major}.{v.minor}" for v in prev_vers if v < min_version] if not outdated_vers: continue # we want to remove all "old" versions, but save the latest that is >= the min version supplied as the new # stack_version. 
- latest_version = max(outdated_vers) + if dry_run: + outdated_minus_current = [str(v) for v in outdated_vers if v < stack_version] + if outdated_minus_current: + removed[rule_id] = outdated_minus_current for outdated in outdated_vers: - short_outdated = f"{outdated.major}.{outdated.minor}" - popped = lock['previous'].pop(str(short_outdated)) - # the core of the update - we only need to keep previous entries that are newer than the min supported - # version (from stack-schema-map and stack-version parameter) and older than the locked - # min_stack_version for a given rule, if one exists - if file_min_stack and outdated == latest_version and outdated < file_min_stack: - lock['previous'][f'{min_version.major}.{min_version.minor}'] = popped - removed[rule_id].append(f'{short_outdated} updated to: {min_version.major}.{min_version.minor}') - else: - removed[rule_id].append(f'{outdated} dropped') + popped = lock['previous'].pop(str(outdated)) + if outdated >= stack_version: + lock['previous'][str(Version(stack_version[:2]))] = popped # remove the whole previous entry if it is now blank if not lock['previous']: lock.pop('previous') - click.echo(f'Changes {"that will be " if dry_run else ""} applied:' if removed else 'No changes') - click.echo('\n'.join(f'{k}: {", ".join(v)}' for k, v in removed.items())) - if not dry_run: + if dry_run: + click.echo(f'The following versions would be collapsed to {stack_version}:' if removed else 'No changes') + click.echo('\n'.join(f'{k}: {", ".join(v)}' for k, v in removed.items())) + else: new_lock = VersionLockFile.from_dict(dict(data=version_lock_dict)) new_lock.save_to_file() diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index f2ea604e4ca..9daf9547d8a 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml 
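Review bot: `outdated_vers` holds `f"{v.major}.{v.minor}"` strings after the list comprehension, so `v < stack_version` and `outdated >= stack_version` are lexicographic comparisons (`"8.3" >= "8.12"` is True, `"8.10" < "8.9"` is True), and `Version(stack_version[:2])` truncates `"8.12"` to `"8."`, so the re-key step either raises or writes a bad key for every two-digit minor on the new side. Keeping the parsed `Version` objects and comparing against `min_version` avoids both, and with that filter every element is already below the minimum, so the `>=` branch can never fire; if the comment's intent is to carry the newest dropped entry forward under the new minimum, that needs an explicit `max`, as sketched below. The `str(v)` in the dry-run list then has to become the same `major.minor` key. trim_version_lock's signature is in the previous hunk.
```python
            outdated_vers = [v for v in prev_vers if v < min_version]
            if not outdated_vers:
                continue
            # … unchanged: comment on collapsing old entries …
            new_key = f"{min_version.major}.{min_version.minor}"
            if dry_run:
                removed[rule_id] = [f"{v.major}.{v.minor}" for v in outdated_vers]
            newest_dropped = max(outdated_vers)
            for outdated in outdated_vers:
                popped = lock['previous'].pop(f"{outdated.major}.{outdated.minor}")
                # keep only the newest dropped entry, re-keyed under the new minimum (confirm this is the intent)
                if outdated == newest_dropped:
                    lock['previous'][new_key] = popped
            # … unchanged: drop empty 'previous', dry-run echo / save …
```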
@@ -42,38 +42,39 @@ # beats: "8.2.1" # ecs: "8.2.1" # endgame: "1.9.0" -# "8.3.0": -# beats: "8.3.3" -# ecs: "8.3.1" -# endgame: "1.9.0" - -# "8.4.0": -# beats: "8.4.3" -# ecs: "8.4.0" -# endgame: "8.4.0" - -# "8.5.0": -# beats: "8.5.3" -# ecs: "8.5.2" -# endgame: "8.4.0" - -# "8.6.0": -# beats: "8.6.1" -# ecs: "8.6.1" -# endgame: "8.4.0" - -# "8.7.0": -# beats: "8.7.0" -# ecs: "8.7.0" -# endgame: "8.4.0" - -# "8.8.0": -# beats: "8.8.2" -# ecs: "8.8.0" -# endgame: "8.4.0" ## Supported +"8.3.0": + beats: "8.3.3" + ecs: "8.3.1" + endgame: "1.9.0" + +"8.4.0": + beats: "8.4.3" + ecs: "8.4.0" + endgame: "8.4.0" + +"8.5.0": + beats: "8.5.3" + ecs: "8.5.2" + endgame: "8.4.0" + +"8.6.0": + beats: "8.6.1" + ecs: "8.6.1" + endgame: "8.4.0" + +"8.7.0": + beats: "8.7.0" + ecs: "8.7.0" + endgame: "8.4.0" + +"8.8.0": + beats: "8.8.2" + ecs: "8.8.0" + endgame: "8.4.0" + "8.9.0": beats: "8.9.0" ecs: "8.9.0" diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index b59efb5d6fd..d28d74a8359 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -2,7 +2,7 @@ "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73", 
@@ -16,258 +16,346 @@ "version": 207 }, "00140285-b827-4aee-aa09-8113f58a08f3": { + "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "ac7d08baf88d495e5767d5845ee47e22b500b643e11ca7e806309d30e958a1fc", "type": "eql", "version": 112 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { + "min_stack_version": "8.3", "rule_name": "System Shells via Services", "sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71", "type": "eql", "version": 110 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "Google Workspace Suspended User Account Renewed", "sha256": "cfbc6ffe95e39937d68146e42f932947e2c3c96cc9a42ab296e12bc8c613f5f1", "type": "query", "version": 2 }, "0136b315-b566-482f-866c-1d8e2477ba16": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 User Restricted from Sending Email", + "sha256": "3801a06e2eb380734652847208adb12ceb5e1bb394da148a047b8a25afe3bc17", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 User Restricted from Sending Email", "sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f", "type": "query", "version": 206 }, "015cca13-8832-49ac-a01b-a396114809f6": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Redshift Cluster Creation", + "sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Redshift Cluster Creation", "sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca", "type": "query", "version": 206 }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { + "min_stack_version": "8.3", "rule_name": "Potential Network Scan Detected", "sha256": "931bd95c0fff284b33e383dce3f3fccaf7b0c36b8b6b946b1c39ff5ded2aa8e1", "type": "threshold", "version": 5 }, 
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": { + "min_stack_version": "8.6", "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf", "type": "new_terms", "version": 1 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { + "min_stack_version": "8.3", "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10", "type": "eql", "version": 105 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c", "type": "new_terms", "version": 1 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { + "min_stack_version": "8.4", "rule_name": "Process Created with an Elevated Token", "sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db", "type": "eql", "version": 6 }, "02a4576a-7480-4284-9327-548a806b5e48": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", + "sha256": "8f8844fda927ba3149c7d983e7f7619e33e5745f8b1f389c0e10f3b6ba852e0a", + "type": "eql", + "version": 106 + } + }, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac", "type": "eql", "version": 208 }, "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { + "min_stack_version": "8.3", "rule_name": "Potential Ransomware Note File Dropped via SMB", "sha256": "dafd8f85b8e37f96aaabd0405826cb232ac4c2f22571f2878d3a875a0e141da8", "type": "eql", "version": 1 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { + "min_stack_version": "8.3", "rule_name": "Dumping Account Hashes via Built-In Commands", "sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb", "type": "query", 
"version": 106 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", + "sha256": "f0f075e54cb17ce304f0d93b12277a29c7b1454d8bec5c05615e31fc6ebee725", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573", "type": "query", "version": 206 }, "035889c4-2686-4583-a7df-67f89c292f2c": { + "min_stack_version": "8.3", "rule_name": "High Number of Process and/or Service Terminations", "sha256": "5bb8f568879a496363f640b8866b46e0a39fe4e15005cab6f5af9eb499e3584d", "type": "threshold", "version": 109 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { + "min_stack_version": "8.3", "rule_name": "Potential Memory Seeking Activity", "sha256": "4fa0b41dabe97414e45d4ae961a4c4fd9c445bca04d51659e7251547e80fe258", "type": "eql", "version": 2 }, "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { + "min_stack_version": "8.3", "rule_name": "Suspicious Dynamic Linker Discovery via od", "sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8", "type": "eql", "version": 2 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { + "min_stack_version": "8.8", "rule_name": "SSH Process Launched From Inside A Container", "sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d", "type": "eql", "version": 2 }, "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { + "min_stack_version": "8.3", "rule_name": "Potential Network Scan Executed From Host", "sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4", "type": "threshold", "version": 3 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { + "min_stack_version": "8.3", "rule_name": "Modification of OpenSSH Binaries", "sha256": "ceef6d0c728c9575da9bd78da19050dc7e02eaee57eca642272639b91d863494", "type": "query", "version": 109 }, 
"041d4d41-9589-43e2-ba13-5680af75ebc2": { + "min_stack_version": "8.3", "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", "sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047", "type": "query", "version": 105 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { + "min_stack_version": "8.3", "rule_name": "Azure AD Global Administrator Role Assigned", "sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9", "type": "query", "version": 102 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { + "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "sha256": "08eeec4ed1f73497e06767edc13231268e1d647f7b29f0401175d1618d04affa", "type": "eql", "version": 110 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { + "min_stack_version": "8.6", "rule_name": "Potential Persistence Through Systemd-udevd", "sha256": "f62fb7313ec0d7a280a370adae0caf8ba65410a71d6574ade7ab588a95963763", "type": "new_terms", "version": 3 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { + "min_stack_version": "8.3", "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "a85b92effa53537c7a86f7871455c176bc2c48a6928248fa29dcf8a548677730", "type": "eql", "version": 110 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { + "min_stack_version": "8.3", "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e", "type": "eql", "version": 110 }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { + "min_stack_version": "8.3", "rule_name": "Tainted Kernel Module Load", "sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4", "type": "query", "version": 4 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { + "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Perl", "sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754", "type": "query", "version": 108 }, 
"0635c542-1b96-4335-9b47-126582d2c19a": { + "min_stack_version": "8.3", "rule_name": "Remote System Discovery Commands", "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", "type": "eql", "version": 112 }, "06568a02-af29-4f20-929c-f3af281e41aa": { + "min_stack_version": "8.3", "rule_name": "System Time Discovery", "sha256": "c26f50ed371b312a315bf0bbbc399f65d446218ecd7f63e471538c0e145ea7c9", "type": "eql", "version": 7 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { + "min_stack_version": "8.9", "rule_name": "Unusual Remote File Size", "sha256": "db958e84da3e58cefee53ec77d608ff51199a4e721318451ce091585bb908cc1", "type": "machine_learning", "version": 3 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { + "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", "sha256": "4e653f97afcad71acd94ddf79e5534455c79986773fc543839900cc60e129d88", "type": "eql", "version": 7 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { + "min_stack_version": "8.3", "rule_name": "Potential Evasion via Filter Manager", "sha256": "547a848b0b1c9458a6a838abb3430914bb8557a0b1bd030f11d882f5605e024c", "type": "eql", "version": 110 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { + "min_stack_version": "8.3", "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "4682c4aac80de38bf56894acd47cac808366a9f47329763291361bb23756d3a8", "type": "eql", "version": 110 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { + "min_stack_version": "8.3", "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "092ecb6ac6f1197744e2e114398553fa810674561481b66f9665c3ed95ff0017", "type": "eql", "version": 2 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { + "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", "sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5", "type": "threshold", "version": 7 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { + "min_stack_version": "8.3", "rule_name": "Local Account 
TokenFilter Policy Disabled", "sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46", "type": "eql", "version": 8 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Drive Ownership Transferred via Google Workspace", + "sha256": "4ec0b63c545009d7d16d34cd9b95f34edbcf4135f498aa77a805f544b07e6310", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Drive Ownership Transferred via Google Workspace", "sha256": "9df4d9a342110c032419b2564bf6376a9357291ca8b3ead073faf9e5214419e6", "type": "query", "version": 106 }, "080bc66a-5d56-4d1f-8071-817671716db9": { + "min_stack_version": "8.3", "rule_name": "Suspicious Browser Child Process", - "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be", + "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be", "type": "eql", "version": 107 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { + "min_stack_version": "8.3", "rule_name": "Launch Agent Creation or Modification and Immediate Loading", "sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879", "type": "eql", "version": 106 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { + "min_stack_version": "8.3", "rule_name": "Suspicious Hidden Child Process of Launchd", "sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece", "type": "query", "version": 106 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { + "min_stack_version": "8.4", "rule_name": "First Time Seen Removable Device", "sha256": "085b5157400c5090fec630066b9c606cb33fa8334b9c49babca8242399a11b91", "type": "new_terms", "version": 4 }, "089db1af-740d-4d84-9a5b-babd6de143b0": { + "min_stack_version": "8.3", "rule_name": "Windows Account or Group Discovery", "sha256": "45048599d6d9175e13e297d71afbd3a7d4d80e6d6421abd188c563a5c862bfbb", "type": "eql", 
@@ -280,18 +368,21 @@ "version": 100 }, "092b068f-84ac-485d-8a55-7dd9e006715f": { + "min_stack_version": "8.3", "rule_name": "Creation of Hidden Launch Agent or Daemon", "sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993", "type": "eql", "version": 107 }, "09443c92-46b3-45a4-8f25-383b028b258d": { + "min_stack_version": "8.3", "rule_name": "Process Termination followed by Deletion", "sha256": "8628999b147b10ff30f618a79c4aee2123744abc0e2bb05cc8c98d11017145ad", "type": "eql", "version": 109 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { + "min_stack_version": "8.3", "rule_name": "Member Removed From GitHub Organization", "sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a", "type": "eql", @@ -304,18 +395,21 @@ "version": 100 }, "09bc6c90-7501-494d-b015-5d988dc3f233": { + "min_stack_version": "8.3", "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "sha256": "bdc3b02c0073ad81ac689ad056327c1e74d84408ac65b51b4738e1fc7c3b5d13", "type": "eql", "version": 4 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { + "min_stack_version": "8.3", "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", "sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53", "type": "query", "version": 102 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { + "min_stack_version": "8.3", "rule_name": "Malware - Detected - Elastic Endgame", "sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2", "type": "query", @@ -331,7 +425,7 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", 
@@ -345,42 +439,58 @@ "version": 106 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { + "min_stack_version": "8.3", "rule_name": "Anomalous Windows Process Creation", "sha256": "a97e8495484e9053dfe57d0b3b3e2cc47984f3e326f8bce2c00bcab788337579", "type": "machine_learning", "version": 105 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { + "min_stack_version": "8.3", "rule_name": "User account exposed to Kerberoasting", "sha256": "830231e34039027f460477ed025efa9ef0a7efb45b9d97d43080f7d9deceeec3", "type": "query", "version": 109 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { + "min_stack_version": "8.3", "rule_name": "Potential Shell via Wildcard Injection Detected", "sha256": "d23957bdc3e4530971529039105978c60ef34d1dda87b408528c03a1d39da1ca", "type": "eql", "version": 5 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { + "min_stack_version": "8.3", "rule_name": "Processes with Trailing Spaces", "sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286", "type": "eql", "version": 2 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { + "min_stack_version": "8.5", "rule_name": "Threat Intel IP Address Indicator Match", "sha256": "cd59f82b14abfb2a445bdd96682846602eb2f8abc1ef27f64dda99f452f99290", "type": "threat_match", "version": 6 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { + "min_stack_version": "8.3", "rule_name": "Peripheral Device Discovery", "sha256": "f01eac25f9c7d222bc6e12ea4b86f7b4a06d4b76608183e9be91aaf9671427b7", "type": "eql", "version": 109 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { + "min_stack_version": "8.5", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Threat Intel Indicator Match", + "sha256": "7d0bb73186b47e9fa99ec5b21fe2b862b5cbd6432100901fc476e30bced047a3", + "type": "threat_match", + "version": 105 + } + }, "rule_name": "Deprecated - Threat Intel Indicator Match", "sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a", "type": "threat_match", 
@@ -394,60 +504,97 @@ "version": 1 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", + "sha256": "2dfc5642c7eff9f946739bbe4289e5bd8fe6f4374a492ed1fc5215e7b6e721ff", + "type": "query", + "version": 106 + } + }, "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", "sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746", "type": "query", "version": 206 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { + "min_stack_version": "8.3", "rule_name": "Multiple Alerts Involving a User", "sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252", "type": "threshold", "version": 3 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { + "min_stack_version": "8.3", "rule_name": "Nping Process Activity", "sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec", "type": "eql", "version": 108 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { + "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by Microsoft Office", "sha256": "e6fecbbaa834a04e699f62857b0e60f7e8c9bb3cb40d033165265ace22ac1cbb", "type": "eql", "version": 110 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8", "type": "new_terms", "version": 1 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "SharePoint Malware File Upload", + "sha256": "e32858e7a0449a506cfe595eabf2e1e82954cf683de287c05d0bf7295253c579", + "type": "query", + "version": 106 + } + }, "rule_name": "SharePoint Malware File Upload", "sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393", "type": "query", "version": 206 }, 
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { + "min_stack_version": "8.3", "rule_name": "GCP Service Account Key Creation", "sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b", "type": "query", "version": 104 }, "0e79980b-4250-4a50-a509-69294c14e84b": { + "min_stack_version": "8.3", "rule_name": "MsBuild Making Network Connections", "sha256": "c8013d923873ed418f022b29c77bb4c548a392af89e2a3cd747186d534386880", "type": "eql", "version": 109 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "RC Script Creation", + "sha256": "56ff748867dc738357a731cfd37b4ae44c954383780d616e3d9034aed76dd9e1", + "type": "eql", + "version": 6 + } + }, "rule_name": "Potential Persistence Through Run Control Detected", "sha256": "6feb69680930d9a84dce295a56510b4938d7455565609a55b6f340a60f9eee5b", "type": "new_terms", "version": 110 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { + "min_stack_version": "8.3", "rule_name": "Netcat Listener Established via rlwrap", "sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147", "type": "eql", 
@@ -460,18 +607,30 @@ "version": 100 }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", + "sha256": "62abee660a99e58c72f6c4c79047fea8effc510ba10448a766fc3d03d4a36720", + "type": "threshold", + "version": 106 + } + }, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735", "type": "threshold", "version": 208 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { + "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Root Crontab File Modification", "sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895", "type": "query", "version": 106 }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { + "min_stack_version": "8.9", "rule_name": "AWS IAM Login Profile Added to User", "sha256": "aa8a7eac601e73065c58f11ee43537d79be77a14b5a766d34772f5b1cc74c2e9", "type": "query", 
@@ -484,30 +643,53 @@ "version": 100 }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { + "min_stack_version": "8.7", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "WebProxy Settings Modification", + "sha256": "6a6fc5b28bc33810532d1d7a900fbf07ff13f612317d5e8518f9b19104567c0a", + "type": "query", + "version": 106 + } + }, "rule_name": "WebProxy Settings Modification", "sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af", "type": "query", "version": 206 }, "11013227-0301-4a8c-b150-4db924484475": { + "min_stack_version": "8.3", "rule_name": "Abnormally Large DNS Response", "sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721", "type": "query", "version": 105 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { + "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "sha256": "47fb83a4f1705416ad0ba2cf6d42e319617bf0e145a68f21652116832e770309", "type": "eql", "version": 110 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "94905ad569d414ab1a3c0037dcdb641498c790debb11ceeea8d3354c9b7acd76", "type": "eql", "version": 111 }, "119c8877-8613-416d-a98a-96b6664ee73a": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Snapshot Export", + "sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Snapshot Export", "sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c", "type": "query", 
@@ -520,18 +702,30 @@ "version": 100 }, "11dd9713-0ec6-4110-9707-32daae1ee68c": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script with Token Impersonation Capabilities", "sha256": "049b0cbfdd71a4ec9ecdce8350842eb7d32d60c45681f6342878de029adf212a", "type": "query", "version": 11 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { + "min_stack_version": "8.3", "rule_name": "Third-party Backup Files Deleted via Unexpected Process", "sha256": "c0a79cd64ff9bae3ad1545d8a18809dd34644d93ed177bd5f4586a2bb2cb4dba", "type": "eql", "version": 112 }, "12051077-0124-4394-9522-8f4f4db1d674": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", + "sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", "sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7", "type": "query", @@ -544,6 +738,7 @@ "version": 100 }, "1224da6c-0326-4b4f-8454-68cdc5ae542b": { + "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a User", "sha256": "37bda4461229741fa959b9d762f3bf17c0d03378734fbc1a04cbe4563675bea6", "type": "machine_learning", 
@@ -556,48 +751,83 @@ "version": 100 }, "128468bf-cab1-4637-99ea-fdf3780a4609": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "Suspicious Lsass Process Access", + "sha256": "c30f6e62697cdaf210db4d6f79d2686bc91e4427ee7bbaea3468482a88373d5c", + "type": "eql", + "version": 5 + } + }, "rule_name": "Suspicious Lsass Process Access", "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554", "type": "eql", "version": 107 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Suspicious Self-Subject Review", + "sha256": "658882e3d31e0988978c24743e8f15fb3423fde5b395cbfc75a641548a291359", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Suspicious Self-Subject Review", "sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec", "type": "query", "version": 203 }, "12cbf709-69e8-4055-94f9-24314385c27e": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Pod Created With HostNetwork", + "sha256": "00e261301692eeb8bc7453cbea5c4605ca9c6d2ae38199b35ad83ffd4a9d0c4b", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Pod Created With HostNetwork", "sha256": "e48fb5d94222f67fbea19233c7fea01163d00908c3844df80f9e36d5e87ad7b7", "type": "query", "version": 203 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { + "min_stack_version": "8.3", "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a", "type": "eql", "version": 3 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { + "min_stack_version": "8.3", "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "07748a896518875c7361a26af5beac29e29097fd6ec0285208e2e88d7df4a538", "type": "eql", "version": 111 }, 
"1327384f-00f3-44d5-9a8c-2373ba071e92": { + "min_stack_version": "8.3", "rule_name": "Persistence via Scheduled Job Creation", "sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471", "type": "eql", "version": 108 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { + "min_stack_version": "8.3", "rule_name": "Rare User Logon", "sha256": "84ad771aac0fd0883efd7525692d964e0f85a436752431c84b7dc4e012b05679", "type": "machine_learning", "version": 104 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { + "min_stack_version": "8.3", "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", "sha256": "c119669a028d3ccf727586836356bcd2113986db9358089ed57907330b748a73", "type": "threshold", 
@@ -610,102 +840,137 @@ "version": 100 }, "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { + "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "sha256": "e4aac0fcc25bbc7121134faf7852704142d562d2c72bf9973c69b0dfd8d6046c", "type": "eql", "version": 4 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { + "min_stack_version": "8.3", "rule_name": "Azure External Guest User Invitation", "sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1", "type": "query", "version": 102 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { + "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) from the Internet", "sha256": "9b392ee77e47d008944419960e03112af84f3ccc7b043af0c2d16d636e610214", "type": "query", "version": 103 }, "14dab405-5dd9-450c-8106-72951af2391f": { + "min_stack_version": "8.3", "rule_name": "Office Test Registry Persistence", "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2", "type": "eql", "version": 3 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes User Exec into Pod", + "sha256": "3d39cfe20aef41ad7da949c25c18b33868177276c2c4ee9af234be4282e68392", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes User Exec into Pod", "sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9", "type": "query", "version": 203 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { + "min_stack_version": "8.3", "rule_name": "Potential Persistence via Time Provider Modification", "sha256": "d3adc721588e0ae5b24bc4f24e2615b84100397158efd20f6fa50212746fb697", "type": "eql", "version": 109 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { + "min_stack_version": "8.3", "rule_name": "Execution from a Removable Media with Network Connection", "sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4", "type": "eql", 
"version": 3 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { + "min_stack_version": "8.3", "rule_name": "Scheduled Task Execution at Scale via GPO", "sha256": "6bc3367c8bea5ce3680aa60ee8341e332dc12fe82786393e1b98fa8130a817c4", "type": "query", "version": 110 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { + "min_stack_version": "8.3", "rule_name": "Remote File Download via Desktopimgdownldr Utility", "sha256": "f31b60069f41b2547dfb226805c62256ec852c2b5ec5014524230d20ca42a646", "type": "eql", "version": 112 }, "15dacaa0-5b90-466b-acab-63435a59701a": { + "min_stack_version": "8.3", "rule_name": "Virtual Private Network Connection Attempt", "sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0", "type": "eql", "version": 107 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { + "min_stack_version": "8.8", "rule_name": "Potential Container Escape via Modified release_agent File", "sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3", "type": "eql", "version": 1 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { + "min_stack_version": "8.3", "rule_name": "Azure Automation Runbook Created or Modified", "sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633", "type": "query", "version": 102 }, "166727ab-6768-4e26-b80c-948b228ffc06": { + "min_stack_version": "8.3", "rule_name": "File Creation Time Changed", "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c", "type": "eql", "version": 5 }, "16904215-2c95-4ac8-bf5c-12354e047192": { + "min_stack_version": "8.3", "rule_name": "Potential Kerberos Attack via Bifrost", "sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d", "type": "query", "version": 106 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Group Creation", + "sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c", + "type": "query", + "version": 
105 + } + }, "rule_name": "AWS IAM Group Creation", "sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1", "type": "query", "version": 206 }, "16a52c14-7883-47af-8745-9357803f0d4c": { + "min_stack_version": "8.3", "rule_name": "Component Object Model Hijacking", "sha256": "0895ba08cf37c96cf8d9fa25aa47f21883cbb621246244853ae74168e9818f08", "type": "eql", "version": 113 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { + "min_stack_version": "8.3", "rule_name": "Startup/Logon Script added to Group Policy Object", "sha256": "59d27ffb2150faa1ebe4b4b332f29ed9b1a561166aa568c6b699a55de0aec81f", "type": "query", 
@@ -719,54 +984,63 @@ "version": 1 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Username", "sha256": "3f017bebc4cd49b96144c2c37d613353b9c74438bb528240c830a99a32537120", "type": "machine_learning", "version": 104 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Service", "sha256": "89e1fd74a24609ea12f4b8735c03de06e82fa5940400ce7cc3860d473e9f9b9a", "type": "machine_learning", "version": 103 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { + "min_stack_version": "8.3", "rule_name": "Suspicious Powershell Script", "sha256": "c3d4419ad9b4d398652f573451d61439143854032c964a86b28b44f63627d3d3", "type": "machine_learning", "version": 104 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "3e378c975b7684d44d468c1b90b70fd66198d70f52b1af31c2d9877e6e01cda5", "type": "machine_learning", "version": 103 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Remote User", "sha256": "83958e6d3f7ccbbbba3e4f0796b176f124604f15277f14ce33c142029d6c8ff9", "type": "machine_learning", "version": 103 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { + "min_stack_version": "8.6", "rule_name": "New Systemd Service Created by Previously Unknown Process", "sha256": "a5967e9202be0f4e0df4d0f82dfd5f067e8bc9eea60585cbc5664b744761966d", "type": "new_terms", "version": 9 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { + "min_stack_version": "8.3", "rule_name": "Renamed Utility Executed with Short Program Name", "sha256": "23f4030c21a08bb1eb019a328b8fe62aeea2683957f343f0399abdff84347b22", "type": "eql", "version": 109 }, "17e68559-b274-4948-ad0b-f8415bb31126": { + "min_stack_version": "8.3", "rule_name": "Unusual Network Destination Domain Name", "sha256": "d0d9eef72ecbbb7af63f2aa522abc13a4cba650dd6da7a17c6b37218c39c1fb8", "type": "machine_learning", 
"version": 103 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { + "min_stack_version": "8.3", "rule_name": "GCP Logging Sink Modification", "sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2", "type": "query", 
@@ -779,114 +1053,169 @@ "version": 100 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { + "min_stack_version": "8.9", "rule_name": "Spike in Number of Connections Made to a Destination IP", "sha256": "3e6623fdaad77b45863a2c6f198c7624d4b02fa0f1934011776802944a3348fb", "type": "machine_learning", "version": 3 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", "sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f", "type": "eql", "version": 4 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Rare AWS Error Code", + "sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Rare AWS Error Code", "sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec", "type": "machine_learning", "version": 208 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { + "min_stack_version": "8.9", "rule_name": "Spike in Number of Processes in an RDP Session", "sha256": "fc1329361d122f9fce2eca535c54dd0b8a1fee4f8d33775b225227e2d4084002", "type": "machine_learning", "version": 3 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { + "min_stack_version": "8.8", "rule_name": "Suspicious Network Tool Launched Inside A Container", "sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc", "type": "eql", "version": 2 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { + "min_stack_version": "8.3", "rule_name": "Azure Application Credential Modification", "sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a", "type": "query", "version": 102 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { + "min_stack_version": "8.3", "rule_name": "Execution of COM object via Xwizard", "sha256": "069735bb9cd4e472acbdcba371bd44bb50df1f225267d294773ac746e8ecc9e5", "type": 
"eql", "version": 109 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudTrail Log Suspended", + "sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudTrail Log Suspended", "sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b", "type": "query", "version": 209 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { + "min_stack_version": "8.3", "rule_name": "User Account Creation", "sha256": "96534addae6874564d720b53fb0d2b7f621702dd58f3fdebb1d3c69a80f55abb", "type": "eql", "version": 109 }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { + "min_stack_version": "8.4", "rule_name": "Process Created with a Duplicated Token", "sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802", "type": "eql", "version": 3 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { + "min_stack_version": "8.3", "rule_name": "Connection to Internal Network via Telnet", "sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e", "type": "eql", "version": 107 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS ElastiCache Security Group Modified or Deleted", + "sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS ElastiCache Security Group Modified or Deleted", "sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d", "type": "query", "version": 206 }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { + "min_stack_version": "8.3", "rule_name": "Potential Internal Linux SSH Brute Force Detected", "sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516", "type": "eql", "version": 11 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { + 
"min_stack_version": "8.3", "rule_name": "Potential Process Injection from Malicious Document", "sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1", "type": "eql", "version": 2 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 211, + "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", + "sha256": "bf4b6f557cbd3c0c009d3f0aa39401b563a920b2ed64f0d20ef86c9a95fc5e45", + "type": "query", + "version": 112 + } + }, "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", "type": "query", "version": 212 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { + "min_stack_version": "8.3", "rule_name": "Suspicious File Creation in /etc for Persistence", "sha256": "dde38b44453671943b7ae6cb4d6fef20e85307ac3723a158fe57ee96d8b1f29d", "type": "eql", "version": 113 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { + "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Rolebindings Created", "sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce", "type": "query", "version": 102 }, "1ca62f14-4787-4913-b7af-df11745a49da": { + "min_stack_version": "8.3", "rule_name": "New GitHub App Installed", "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", "type": "eql", "version": 1 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { + "min_stack_version": "8.3", "rule_name": "Incoming Execution via WinRM Remote Shell", "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a", "type": "eql", 
@@ -900,42 +1229,49 @@ "version": 2 }, "1d276579-3380-4095-ad38-e596a01bc64f": { + "min_stack_version": "8.3", "rule_name": "Remote File Download via Script Interpreter", "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed", "type": "eql", "version": 110 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { + "min_stack_version": "8.3", "rule_name": "External IP Lookup from Non-Browser Process", "sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433", "type": "eql", "version": 108 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", "sha256": "56bbf0cae42f67fdd41f149363a1891554948e2dbd182c1e0c9fed1a39f36100", "type": "query", "version": 6 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "sha256": "b09a3222c4eab9324474c30ec5eddb3cd13c0f86e3b9776fc690aa77d8fe9e9d", "type": "eql", "version": 109 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { + "min_stack_version": "8.4", "rule_name": "Suspicious Inter-Process Communication via Outlook", "sha256": "eb4c56089e3f5a64944ea09016b315e24d78a78381989d1d29939502318b82f1", "type": "eql", "version": 6 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { + "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by PDF Reader", "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d", "type": "eql", "version": 108 }, "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Hack Tool Launched", "sha256": "d83c19a46e9401aef5cd62ba06786de63e0ea6448479965630475a6b00667731", "type": "eql", 
@@ -944,7 +1280,7 @@ "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Discovery Capabilities", "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", 
@@ -958,84 +1294,107 @@ "version": 107 }, "1e0b832e-957e-43ae-b319-db82d228c908": { + "min_stack_version": "8.3", "rule_name": "Azure Storage Account Key Regenerated", "sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e", "type": "query", "version": 102 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { + "min_stack_version": "8.3", "rule_name": "Creation of a DNS-Named Record", "sha256": "9b97868151d1bdb1c5754a996d30cf988232f389c492b7f9132402adae176f75", "type": "eql", "version": 1 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { + "min_stack_version": "8.3", "rule_name": "Creation of SettingContent-ms Files", "sha256": "411958937e7a1d399c000c3ee9bc6e256d0b92a5aea3474e468b84f5991e8bed", "type": "eql", "version": 3 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0", "type": "new_terms", "version": 1 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { + "min_stack_version": "8.3", "rule_name": "Unusual Sudo Activity", "sha256": "aad0990989bfa63d159c45b28e23cec25bcdd6cb4054ad31584f085b1e38568c", "type": "machine_learning", "version": 103 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { + "min_stack_version": "8.3", "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762", "type": "query", "version": 8 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { + "min_stack_version": "8.3", "rule_name": "Unusual Process Execution on WBEM Path", "sha256": "3e850845c9653b3956dd9ccfe15415b8f6399a899dd58c87a592f2ae81b921de", "type": "eql", "version": 2 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux User Calling the Metadata Service", "sha256": "8eb47dead708d739318e797d2fac9c942978cd80eca1354c0063c15ff502adb9", "type": 
"machine_learning", "version": 103 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { + "min_stack_version": "8.3", "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "276423364d5b8bf0affee9f5efd056cba314fa27ef1d574a4ebe6f5b4e0e542e", "type": "eql", "version": 111 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { + "min_stack_version": "8.3", "rule_name": "Exploit - Detected - Elastic Endgame", "sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2", "type": "query", "version": 103 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { + "min_stack_version": "8.3", "rule_name": "Suspicious .NET Code Compilation", "sha256": "5fd6637d01d25848657a37779415e23778a84ee81a913351ee2bbb54701fe88a", "type": "eql", "version": 110 }, "202829f6-0271-4e88-b882-11a655c590d4": { + "min_stack_version": "8.3", "rule_name": "Executable Masquerading as Kernel Process", "sha256": "fa7e58294659262a26ba947cc59044854477a5a49edc98f0d6f896d91e1d9f6d", "type": "eql", "version": 2 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { + "min_stack_version": "8.3", "rule_name": "Creation or Modification of Root Certificate", "sha256": "a137b8929c8afb05318cec2dac421d5e03d1bba700cb7978151e0429bb7a6e53", "type": "eql", "version": 110 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route 53 Domain Transferred to Another Account", + "sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route 53 Domain Transferred to Another Account", "sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297", "type": "query", 
@@ -1044,7 +1403,7 @@ "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Access of Stored Browser Credentials", "sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563", @@ -1058,12 +1417,14 @@ "version": 207 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { + "min_stack_version": "8.3", "rule_name": "Werfault ReflectDebugger Persistence", "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982", "type": "eql", "version": 2 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { + "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Handle Access", "sha256": "407aa36a170976cc90021ba2e2b10b9d211b7142cb685d4fcdede10a65073287", "type": "eql", 
@@ -1076,102 +1437,137 @@ "version": 100 }, "210d4430-b371-470e-b879-80b7182aa75e": { + "min_stack_version": "8.3", "rule_name": "Mofcomp Activity", "sha256": "a7bd50e06e9eecee6eb4de339db9e9e7ffc5b08ce32a9bc2a119b2aa4f2fdf45", "type": "eql", "version": 2 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Child", "sha256": "cda609fdc97eb250f4f9c03ad3abf9c6760ae78ab03cc3f8fad23789f6ca8ade", "type": "eql", "version": 2 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "sha256": "8b83d7d20910ac09b5cd9f7b2e96a38f9b03f38f314ecf1f779637906818161b", "type": "new_terms", "version": 3 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { + "min_stack_version": "8.3", "rule_name": "Full User-Mode Dumps Enabled System-Wide", "sha256": "9252233dd00ddb80533d2b70ccda0987fc97cab21f4fe935dcb0806e07dc9354", "type": "eql", "version": 7 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "SSH Authorized Keys File Modification", + "sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c", + "type": "query", + "version": 104 + } + }, "rule_name": "SSH Authorized Keys File Modification", "sha256": "093ec92b83608b188904a800b2dc5dc20b93d5e0b11e10e6da27f754f44a18e0", "type": "new_terms", "version": 205 }, "22599847-5d13-48cb-8872-5796fee8692b": { + "min_stack_version": "8.3", "rule_name": "SUNBURST Command and Control Activity", "sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7", "type": "eql", "version": 108 }, "227dc608-e558-43d9-b521-150772250bae": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "AWS S3 Bucket Configuration Deletion", + "sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17", + "type": 
"query", + "version": 106 + } + }, "rule_name": "AWS S3 Bucket Configuration Deletion", "sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629", "type": "query", "version": 207 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { + "min_stack_version": "8.3", "rule_name": "Potential Shell via Web Server", "sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1", "type": "query", "version": 105 }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { + "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Permissions Modification", "sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604", "type": "query", "version": 104 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { + "min_stack_version": "8.3", "rule_name": "Kernel Module Load via insmod", "sha256": "3327b2f3c9c739028f181cd20b7cf3e768c7eae5f4363b478ef982fee21b8eb2", "type": "eql", "version": 109 }, "2377946d-0f01-4957-8812-6878985f515d": { + "min_stack_version": "8.9", "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", "sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4", "type": "eql", "version": 2 }, "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { + "min_stack_version": "8.6", "rule_name": "Unknown Execution of Binary with RWX Memory Region", "sha256": "b160874aab9501cba7d0344a3fcb2181a25f3d7a5067a23804bc3f8abb705dd1", "type": "new_terms", "version": 1 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { + "min_stack_version": "8.3", "rule_name": "New GitHub Owner Added", "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", "type": "eql", "version": 3 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { + "min_stack_version": "8.3", "rule_name": "Lateral Movement via Startup Folder", "sha256": "dcf5239bdf937bd790a721fc5c7fceea3af8c5377ce0b466359a5ebb23a57ed6", "type": "eql", "version": 108 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { + "min_stack_version": "8.3", "rule_name": "Potential PowerShell HackTool Script by 
Author", "sha256": "cbf8a4fc5c8f2ee86365483602e84f800fbd791c3e29fe467f20a6333d47dfc3", "type": "query", "version": 1 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Background Process", "sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5", "type": "eql", "version": 4 }, "25d917c4-aa3c-4111-974c-286c0312ff95": { + "min_stack_version": "8.6", "rule_name": "Network Activity Detected via Kworker", "sha256": "6169ab76be1ab1b6d165bc6e91e309957523da07f42cfa74c0b2eabc0fff457b", "type": "new_terms", 
@@ -1185,36 +1581,51 @@ "version": 1 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { + "min_stack_version": "8.3", "rule_name": "Potential Suspicious DebugFS Root Device Access", "sha256": "412a8490a6178fe02adf3eb8d88b4b119d8af57a0e8583ca4a61a6504c554ab5", "type": "eql", "version": 5 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { + "min_stack_version": "8.3", "rule_name": "Azure Blob Container Access Level Modification", "sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534", "type": "query", "version": 102 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { + "min_stack_version": "8.3", "rule_name": "Persistence via Update Orchestrator Service Hijack", "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800", "type": "eql", "version": 111 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { + "min_stack_version": "8.3", "rule_name": "Privileges Elevation via Parent Process PID Spoofing", "sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517", "type": "eql", "version": 7 }, "26edba02-6979-4bce-920a-70b080a7be81": { + "min_stack_version": "8.3", "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", "sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7", "type": "query", "version": 105 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", + "sha256": "ab30e15051fb603800f933ba9b3f6539ac75a662fd2dfcbe66c8f7121c7608a9", + "type": "threshold", + "version": 107 + } + }, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", "sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633", "type": "threshold", 
@@ -1223,7 +1634,7 @@ "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Archive Compression Capabilities", "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", 
@@ -1237,36 +1648,60 @@ "version": 105 }, "2724808c-ba5d-48b2-86d2-0002103df753": { + "min_stack_version": "8.3", "rule_name": "Attempt to Clear Kernel Ring Buffer", "sha256": "b84e6128363d24d3503b13f1a618bc430f08140f5a82611c3c3e4f3a5271d2b5", "type": "eql", "version": 4 }, "272a6484-2663-46db-a532-ef734bf9a796": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Transport Rule Modification", + "sha256": "fbfde864c7e1f31e7fcfef374c9517e890a58223969f83a4c15fee6afb623353", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Transport Rule Modification", "sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e", "type": "query", "version": 206 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { + "min_stack_version": "8.3", "rule_name": "Incoming Execution via PowerShell Remoting", "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b", "type": "eql", "version": 109 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { + "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Modification", "sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf", "type": "query", "version": 104 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Teams External Access Enabled", + "sha256": "94685626f0a0ed06951084baeb71eae9ec250c07e2ccd46be608e1f1321d5726", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Teams External Access Enabled", "sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56", "type": "query", "version": 206 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { + "min_stack_version": "8.3", "rule_name": "Account Password Reset Remotely", "sha256": "b3b4c980cf7d25e52dfb1d1cc53500ac0a87c2b13922dccaf6b9de0b389532e7", "type": "eql", 
@@ -1280,18 +1715,21 @@ "version": 1 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { + "min_stack_version": "8.3", "rule_name": "Account Discovery Command via SYSTEM Account", "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397", "type": "eql", "version": 111 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { + "min_stack_version": "8.3", "rule_name": "Exploit - Prevented - Elastic Endgame", "sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d", "type": "query", "version": 103 }, "28738f9f-7427-4d23-bc69-756708b5f624": { + "min_stack_version": "8.3", "rule_name": "Suspicious File Changes Activity Detected", "sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67", "type": "eql", 
@@ -1311,30 +1749,44 @@ "version": 2 }, "28d39238-0c01-420a-b77a-24e5a7378663": { + "min_stack_version": "8.3", "rule_name": "Sudo Command Enumeration Detected", "sha256": "70ed05b5053d1ac43542f1f8ffef64b0cfb2cb35c0a94eb8be86882438034320", "type": "eql", "version": 5 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { + "min_stack_version": "8.6", "rule_name": "Shell Configuration Modification", "sha256": "1082bfbb3e988caa2fc49527f3dcd4024a4657a591fb5edc4d08e2ba311ca62c", "type": "new_terms", "version": 1 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Security Group Configuration Change Detection", + "sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Security Group Configuration Change Detection", "sha256": "193c2c66e45942d40a519ed5a0c174f69daf4d7c4057ce0af2cc77baa1e9658c", "type": "query", "version": 206 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", "sha256": "f64dc97be4c992f52e4ecf99c9d964a2d99544bea2d8d33d80ba5e96d62d8f80", "type": "eql", "version": 112 }, "2917d495-59bd-4250-b395-c29409b76086": { + "min_stack_version": "8.3", "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc", "type": "eql", 
@@ -1343,7 +1795,14 @@ "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Enumeration of Privileged Local Groups Membership", + "sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3", + "type": "eql", + "version": 108 + }, + "8.6": { "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", 
@@ -1364,96 +1823,148 @@ "version": 1 }, "29ef5686-9b93-433e-91b5-683911094698": { + "min_stack_version": "8.6", "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", "sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342", "type": "new_terms", "version": 1 }, "29f0cf93-d17c-4b12-b4f3-a433800539fa": { + "min_stack_version": "8.3", "rule_name": "Potential Linux SSH X11 Forwarding", "sha256": "359e41830e4fd4bfc9775176917b335b3c9188c05a983a056b52e796d20b6fd7", "type": "eql", "version": 3 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { + "min_stack_version": "8.3", "rule_name": "Potential Code Execution via Postgresql", "sha256": "8bfe7f061ea6409e5ec8657a58cc81d8fd705e930ef358d31347a1ee67035391", "type": "eql", "version": 6 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", + "sha256": "bd95cc69164fae41e991e31ae5435c01f2785e2c361dafea62766db0b0f66a10", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", "sha256": "2704808ccae32f5b44395171db755258b7e7a248df4bab32a33cddb2ac181df0", "type": "query", "version": 203 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { + "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Grep", "sha256": "7f6bc06878f5c089508b21b556ed4a227c059d655b54717af4863db317dd6504", "type": "eql", "version": 6 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { + "min_stack_version": "8.3", "rule_name": "Adobe Hijack Persistence", "sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d", "type": "eql", "version": 111 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { + "min_stack_version": "8.3", "rule_name": "Windows Defender Exclusions Added via PowerShell", "sha256": "df6ed2953eabd8c292df3200fc51dd9222b2c0c3fd5b9174f66efb61a28bcd5b", "type": "eql", "version": 110 }, 
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { + "min_stack_version": "8.3", "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", "sha256": "de455f667043e9cf42dd5fe4ac1a588f29bf04c9e5ac3c78bf84f5849ae48494", "type": "eql", "version": 109 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Enumeration of Kernel Modules", + "sha256": "b3bad6443210cec62c090d0872efcafedb7565ac5fed882aa46afab6073c4e08", + "type": "eql", + "version": 105 + } + }, "rule_name": "Enumeration of Kernel Modules", "sha256": "4f8354117b7013f27de2b6338d831ecebb494b5dd5dc310f3d36de2e9df3e46e", "type": "new_terms", "version": 209 }, "2dd480be-1263-4d9c-8672-172928f6789a": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Suspicious Process Access via Direct System Call", + "sha256": "9aa09b7a6367bc4d21531ae1e5860ac4f0f89b9a2331c0c63032d8fa85c753e5", + "type": "eql", + "version": 108 + } + }, "rule_name": "Suspicious Process Access via Direct System Call", "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328", "type": "eql", "version": 211 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { + "min_stack_version": "8.3", "rule_name": "Potential SSH-IT SSH Worm Downloaded", "sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c", "type": "eql", "version": 3 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "O365 Excessive Single Sign-On Logon Errors", + "sha256": "6aafdc4d1c33f41d82f7a067cce68c407f9cc905aa5f0bcee8e8a3626f89a88e", + "type": "threshold", + "version": 107 + } + }, "rule_name": "O365 Excessive Single Sign-On Logon Errors", "sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46", "type": "threshold", "version": 207 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { + 
"min_stack_version": "8.3", "rule_name": "Wireless Credential Dumping using Netsh Command", "sha256": "469f29380de3612562dd52d96cf08b2590670a1f0ed5c09882c3caa6420fc78f", "type": "eql", "version": 8 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { + "min_stack_version": "8.3", "rule_name": "Renamed AutoIt Scripts Interpreter", "sha256": "a23203b35000455d7e15f08f4aa4523ffb4cf37e6277c5ad2afff5dfb75f06d4", "type": "eql", "version": 110 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { + "min_stack_version": "8.3", "rule_name": "Potential Process Injection via PowerShell", "sha256": "81ff8ad3429868b3ae4e62b20cdf7861c5912ea5ea56a373eb053a9ba8cafb2d", "type": "query", "version": 110 }, "2e311539-cd88-4a85-a301-04f38795007c": { + "min_stack_version": "8.3", "rule_name": "Accessing Outlook Data Files", "sha256": "d2e5a15c87b68da8ded83c3f04fd1cc0b2f38a858d9d58825ea43aa5b4d13c9d", "type": "eql", 
@@ -1467,192 +1978,233 @@ "version": 1 }, "2e580225-2a58-48ef-938b-572933be06fe": { + "min_stack_version": "8.3", "rule_name": "Halfbaked Command and Control Beacon", "sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174", "type": "query", "version": 104 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { + "min_stack_version": "8.3", "rule_name": "Creation of a Hidden Local User Account", "sha256": "04e25e2a367da2d230efdd2c089caf2310ebc0b4555468d52654ae40cd73624f", "type": "eql", "version": 110 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { + "min_stack_version": "8.3", "rule_name": "GCP Kubernetes Rolebindings Created or Patched", "sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830", "type": "query", "version": 101 }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { + "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652", "type": "query", "version": 110 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { + "min_stack_version": "8.3", "rule_name": "Attempt to Disable Syslog Service", "sha256": "8780262dbf51119a57e1482fdc257e16b74e0e78063f08f70039f0e84bd8e10e", "type": "eql", "version": 109 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { + "min_stack_version": "8.3", "rule_name": "Suspicious /proc/maps Discovery", "sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93", "type": "eql", "version": 2 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { + "min_stack_version": "8.3", "rule_name": "Startup Folder Persistence via Unsigned Process", "sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813", "type": "eql", "version": 109 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { + "min_stack_version": "8.3", "rule_name": "Windows Defender Disabled via Registry Modification", "sha256": "c25dfc5c295e5fe0ef6c4bd03401308cc79d8069474d9a66e34a91f53a75d793", "type": "eql", "version": 111 }, 
"301571f3-b316-4969-8dd0-7917410030d3": { + "min_stack_version": "8.9", "rule_name": "Malicious Remote File Creation", "sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0", "type": "eql", "version": 1 }, "30562697-9859-4ae0-a8c5-dab45d664170": { + "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Creation", "sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e", "type": "query", "version": 104 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { + "min_stack_version": "8.5", "rule_name": "ESXI Timestomping using Touch Command", "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea", "type": "eql", "version": 8 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { + "min_stack_version": "8.3", "rule_name": "Suspicious Network Connection via Sudo Binary", "sha256": "7c7f71f10f08bbfa8f116046faf6e9487e82a654dc7c8ff4155bbb67fb267058", "type": "eql", "version": 2 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { + "min_stack_version": "8.3", "rule_name": "Agent Spoofing - Mismatched Agent ID", "sha256": "edb96a30a9a4b522b0f24c47e6c9e97132020bca3d111e9f0fb2478062ca5c46", "type": "query", "version": 101 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { + "min_stack_version": "8.3", "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", "sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446", "type": "query", "version": 104 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { + "min_stack_version": "8.3", "rule_name": "Bypass UAC via Event Viewer", "sha256": "e6a2af9522e0e9af476dbdd8aacdf56e95e20a452abd93a0bbd42f622856b52c", "type": "eql", "version": 112 }, "3202e172-01b1-4738-a932-d024c514ba72": { + "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Topic Deletion", "sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0", "type": "query", "version": 104 }, "32300431-c2d5-432d-8ec8-0e03f9924756": { + "min_stack_version": "8.6", "rule_name": "Network Connection from Binary 
with RWX Memory Region", "sha256": "2037bc6827adab74cd7f5d34cc9724885806f9d8b3ca6aad279ca53096b8b6f6", "type": "eql", "version": 1 }, "323cb487-279d-4218-bcbd-a568efe930c6": { + "min_stack_version": "8.3", "rule_name": "Azure Network Watcher Deletion", "sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a", "type": "query", "version": 102 }, "32923416-763a-4531-bb35-f33b9232ecdb": { + "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) to the Internet", "sha256": "7ca9c8daa861f8675fc6d90454ceb1fbbeb55621db753f0ffa615be1509581ea", "type": "query", "version": 103 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { + "min_stack_version": "8.3", "rule_name": "Program Files Directory Masquerading", "sha256": "8cec03274c88dea9a86f4cc7af3af538103fe9b253736b1c5dd81848830076fa", "type": "eql", "version": 109 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { + "min_stack_version": "8.3", "rule_name": "Suspicious MS Outlook Child Process", "sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3", "type": "eql", "version": 111 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM User Addition to Group", + "sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS IAM User Addition to Group", "sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46", "type": "query", "version": 209 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { + "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Find", "sha256": "65285808d7e3a2abc4e4eafa9288e8e9c5d82f2dc7fd8f2cf160f7c224988f04", "type": "eql", "version": 6 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { + "min_stack_version": "8.3", "rule_name": "Remote File Download via PowerShell", "sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976", "type": "eql", "version": 110 
}, "342f834b-21a6-41bf-878c-87d116eba3ee": { + "min_stack_version": "8.8", "rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container", "sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6", "type": "eql", "version": 1 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { + "min_stack_version": "8.3", "rule_name": "GitHub Repository Deleted", "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", "type": "eql", "version": 2 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { + "min_stack_version": "8.3", "rule_name": "Accepted Default Telnet Port Connection", "sha256": "5a1c81a6f5119308ed2c419c07cd7d61610c4bf863351341f4f1c5c3d54644b1", "type": "query", "version": 104 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { + "min_stack_version": "8.3", "rule_name": "Execution via Electron Child Process Node.js Module", "sha256": "e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934", "type": "query", "version": 106 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { + "min_stack_version": "8.3", "rule_name": "Port Forwarding Rule Addition", "sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd", "type": "eql", "version": 110 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { + "min_stack_version": "8.9", "rule_name": "Spike in Bytes Sent to an External Device", "sha256": "67a35f156241abf955e83450c9f9e4de70743aa2b982ae6e96fe95b1734847ac", "type": "machine_learning", "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { + "min_stack_version": "8.3", "rule_name": "Unusual Parent-Child Relationship", "sha256": "1984aac08fb341387ffbc60fed85f41724c02408e79a0837eebfaff0eea168c3", "type": "eql", "version": 111 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { + "min_stack_version": "8.3", "rule_name": "Network Traffic to Rare Destination Country", "sha256": "599670166b519587f8e2c8712aaec4839a9edfbd71f94eef4d3ca35a4bff8e82", "type": "machine_learning", 
@@ -1665,36 +2217,51 @@ "version": 100 }, "3688577a-d196-11ec-90b0-f661ea17fbce": { + "min_stack_version": "8.3", "rule_name": "Process Started from Process ID (PID) File", "sha256": "299fc2aae27ca710fe1c8e92af61046ea6040c245173fc7572644fa2aa4a9b1e", "type": "eql", "version": 109 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { + "min_stack_version": "8.3", "rule_name": "Suspicious ImagePath Service Creation", "sha256": "dd157344f60c0f8cdf534de6a25fd8ec70ae6b174250971f224102c56b1ed3d2", "type": "eql", "version": 107 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { + "min_stack_version": "8.9", "rule_name": "High Mean of Process Arguments in an RDP Session", "sha256": "9fa7888003d814e16febe8363b55e5c5d98fbebc187b1134b988a70bfa227457", "type": "machine_learning", "version": 3 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { + "min_stack_version": "8.3", "rule_name": "Potential Suspicious File Edit", "sha256": "ad661308418ae98d99acfbe93160fc7b79bd560af7e212b8b2d582ca93665254", "type": "eql", "version": 4 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Security Group Creation", + "sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Security Group Creation", "sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0", "type": "query", "version": 206 }, "37994bca-0611-4500-ab67-5588afe73b77": { + "min_stack_version": "8.3", "rule_name": "Azure Active Directory High Risk Sign-in", "sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a", "type": "query", 
@@ -1707,6 +2274,16 @@ "version": 100 }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Execution via System Manager", + "sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Execution via System Manager", "sha256": "5262f35d3a77b7ea661f2c08269986f36b47c9e01836ec71acf45e6f3653b88e", "type": "query", @@ -1715,7 +2292,7 @@ "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Finder Sync Plugin Registered and Enabled", "sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598", @@ -1731,7 +2308,7 @@ "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2", 
@@ -1745,54 +2322,81 @@ "version": 207 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { + "min_stack_version": "8.3", "rule_name": "Network Connection via Certutil", "sha256": "6f47f5ed6240c55d50a34719a69f8cc06e2e1a96b3d7dbf8caed23d34f6fb612", "type": "eql", "version": 111 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { + "min_stack_version": "8.7", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Prompt for Credentials with OSASCRIPT", + "sha256": "5b889bbfa953251d11d08f3f3b13847eb4b5f05777c8cc9d80806943bc1e3d08", + "type": "eql", + "version": 107 + } + }, "rule_name": "Prompt for Credentials with OSASCRIPT", "sha256": "3032a13d5103580a7a71c386fb3b0871d65a29e3b195d7c15ef594679579b277", "type": "eql", "version": 207 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { + "min_stack_version": "8.3", "rule_name": "User Added as Owner for Azure Service Principal", "sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f", "type": "query", "version": 102 }, "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "External User Added to Google Workspace Group", "sha256": "5b576006ba63579d8d410c1b6a505b7129e0e534887b142f08e9778bab82d1a1", "type": "eql", "version": 2 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Network Access Control List Creation", + "sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Network Access Control List Creation", "sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee", "type": "query", "version": 206 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { + "min_stack_version": "8.3", "rule_name": "Downloaded Shortcut Files", "sha256": "a78fe7706bba28d2e8916c6285d2aa614ab127534029912e8e9ad9ab133792dc", "type": "eql", "version": 2 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { + 
"min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Outlook VBA", "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3", "type": "eql", "version": 107 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { + "min_stack_version": "8.3", "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "4a18eb2fad582229c98d6a037fd50e8c8c1ce71cc2a6442d5f73f60435460035", "type": "eql", "version": 110 }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { + "min_stack_version": "8.3", "rule_name": "Suspicious Module Loaded by LSASS", "sha256": "b774f07509146c401d27897d918bded4c1725c4bf5e8b457e9a749116e912d1f", "type": "eql", 
@@ -1805,48 +2409,56 @@ "version": 100 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { + "min_stack_version": "8.3", "rule_name": "VNC (Virtual Network Computing) to the Internet", "sha256": "75c83bc25b63f6d009bfaa4c5ad8ac726f34d8463a71addc994107e75c6f41e3", "type": "query", "version": 104 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { + "min_stack_version": "8.3", "rule_name": "Azure Full Network Packet Capture Detected", "sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d", "type": "query", "version": 103 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a", "type": "new_terms", "version": 1 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { + "min_stack_version": "8.3", "rule_name": "Malware - Prevented - Elastic Endgame", "sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442", "type": "query", "version": 103 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { + "min_stack_version": "8.3", "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f", "type": "eql", "version": 110 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { + "min_stack_version": "8.3", "rule_name": "NTDS or SAM Database File Copied", "sha256": "9b7f98ccce2835bb0f4a66f0d771402a60aa80c0516f3c461f25258464d92dde", "type": "eql", "version": 112 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Port Activity", "sha256": "a2800c6cc225debfe9958195da944e5b1ead6405ccad4dac405b7e7d337dade9", "type": "machine_learning", "version": 103 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { + "min_stack_version": "8.3", "rule_name": "ScreenConnect Server Spawning Suspicious Processes", "sha256": "b8cf058fc04d31b542a9af0b67afca6876cd61ca3cbae997f11f1750d0e5c24c", "type": "eql", 
@@ -1855,7 +2467,7 @@ "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Log Clear Capabilities", "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", 
@@ -1869,138 +2481,197 @@ "version": 105 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudTrail Log Updated", + "sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudTrail Log Updated", "sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262", "type": "query", "version": 209 }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { + "min_stack_version": "8.9", "rule_name": "Spike in Number of Connections Made from a Source IP", "sha256": "e0f94b4cfe4ca344a1904651585a27509c31993709b1767adc5d92d1e020eb62", "type": "machine_learning", "version": 3 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Windows Subsystem for Linux", "sha256": "2a6df6ecfdcec0cacd6cd3fbe669354f173ae5e52c45c067290621e97758d904", "type": "eql", "version": 6 }, "3e12a439-d002-4944-bc42-171c0dcb9b96": { + "min_stack_version": "8.3", "rule_name": "Kernel Driver Load", "sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc", "type": "eql", "version": 4 }, "3e3d15c6-1509-479a-b125-21718372157e": { + "min_stack_version": "8.3", "rule_name": "Suspicious Emond Child Process", "sha256": "7d78dc70f6217f921486f43f26839cb0fe33c9dcd5bfc983e0a3117ce260f1db", "type": "eql", "version": 106 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { + "min_stack_version": "8.3", "rule_name": "Potential Remote File Execution via MSIEXEC", "sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684", "type": "eql", "version": 3 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { + "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Named Pipe Impersonation", "sha256": "f7be2ac3e9aac82f91122e2416bba98480072d50a299c9fb593ea60bf876b8d8", "type": "eql", "version": 110 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { + 
"min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Suspicious Process Creation CallTrace", + "sha256": "ef3b36cfe9937ac9e94d85f43e7c8d1eb725f6edec2353a6c3df2745f5d06fbb", + "type": "eql", + "version": 107 + } + }, "rule_name": "Suspicious Process Creation CallTrace", "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927", "type": "eql", "version": 208 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", + "sha256": "6f5fb726f163898f2ca5b0b8de75a346cda8451de239adb986ada4f3128b4c67", + "type": "threshold", + "version": 107 + } + }, "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", "sha256": "3ee6a597bfe462c8b9132d7ca83768025a28634b18c009db462cb0c3bd7bfe39", "type": "threshold", "version": 207 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { + "min_stack_version": "8.3", "rule_name": "CyberArk Privileged Access Security Error", "sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a", "type": "query", "version": 102 }, "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { + "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Client", "sha256": "506ac5257e3fbd5947ce89f51b4a1154eea0e4245f3b8d26f1579ed36d7de792", "type": "eql", "version": 5 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { + "min_stack_version": "8.3", "rule_name": "Binary Executed from Shared Memory Directory", "sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d", "type": "eql", "version": 110 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { + "min_stack_version": "8.3", "rule_name": "Process Discovery via Built-In Applications", "sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07", "type": "eql", "version": 3 }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { + "min_stack_version": 
"8.9", "rule_name": "Unusual Time or Day for an RDP Session", "sha256": "2d41f9c292e0cfb545738b9fefb92890c35a74f559c525d8882ff69abb589281", "type": "machine_learning", "version": 3 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { + "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a User", "sha256": "605a890392cba9a22d8ca7c2285cf0fe0e562dfeccb201126b50540f02b6567b", "type": "machine_learning", "version": 4 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { + "min_stack_version": "8.3", "rule_name": "GitHub User Blocked From Organization", "sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6", "type": "eql", "version": 1 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { + "min_stack_version": "8.3", "rule_name": "Unusual Persistence via Services Registry", "sha256": "ff437c6e2c47619b352ee9e1a2afc7a9efc07196a586924803b1daaf14e3c9d6", "type": "eql", "version": 108 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Suspicious Modprobe File Event", + "sha256": "57d346776e2d53dc371be91bf8eee48d1a5551497057024f0cba657e1b22f6d0", + "type": "eql", + "version": 4 + } + }, "rule_name": "Suspicious Modprobe File Event", "sha256": "2a6caaea58f921647c925b776c5a3263205f0e14402adfb96fe9784742822f0c", "type": "new_terms", "version": 107 }, "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { + "min_stack_version": "8.3", "rule_name": "Unix Socket Connection", "sha256": "3205e8361a1f086b49b3af871c969ed11481015e0dff4ac8a9a0d72db9843e22", "type": "eql", "version": 2 }, "416697ae-e468-4093-a93d-59661fa619ec": { + "min_stack_version": "8.3", "rule_name": "Control Panel Process with Unusual Arguments", "sha256": "aa2506ef37c17be2ee06aaebfabb669748b8247f50e0664debb0e789db74ca71", "type": "eql", "version": 111 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": 
"a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d", "type": "new_terms", "version": 1 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { + "min_stack_version": "8.3", "rule_name": "EggShell Backdoor Execution", "sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb", "type": "query", "version": 103 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { + "min_stack_version": "8.3", "rule_name": "Potential Hidden Local User Account Creation", "sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a", "type": "query", @@ -2014,6 +2685,7 @@ "version": 1 }, "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { + "min_stack_version": "8.8", "rule_name": "Interactive Exec Command Launched Against A Running Container", "sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063", "type": "eql", @@ -2022,7 +2694,7 @@ "42bf698b-4738-445b-8231-c834ddefd8a0": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "882dcaea90df31c2153dbabfb17dc21bcc8f8866c862b5a02c20026eac301621", 
@@ -2036,108 +2708,126 @@ "version": 208 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { + "min_stack_version": "8.3", "rule_name": "Process Creation via Secondary Logon", "sha256": "02389fa2b314a4c1b09a7516f22580f4b91f255f5f87e61cad90039acb6a26b0", "type": "eql", "version": 9 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { + "min_stack_version": "8.3", "rule_name": "Unusual Login Activity", "sha256": "178b730df2f0523fca5d50f1c7bfb91a3b574b4d6bfa9a475d11d6208ef93b2c", "type": "machine_learning", "version": 103 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { + "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: No User Agent", "sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919", "type": "query", "version": 101 }, "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": { + "min_stack_version": "8.3", "rule_name": "Linux User Added to Privileged Group", "sha256": "3d53c3cf46875865535f808e7c6c2ef22a6d516d653fd23e37c8faaf4d477438", "type": "eql", "version": 6 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { + "min_stack_version": "8.3", "rule_name": "Startup Persistence by a Suspicious Process", "sha256": "83d79f7e35b069d84ce239901a6f3aaabd224e0494355f02c61e2650de4099c6", "type": "eql", "version": 110 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Path Activity", "sha256": "0c0dc0204bae57db331547a95b8be8a1a7a915fd32f0e9ed199b109a8418db7e", "type": "machine_learning", "version": 104 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { + "min_stack_version": "8.3", "rule_name": "Potential Masquerading as VLC DLL", "sha256": "d9597f07d834346b49d0ec5d44b690415e313ac8d159ee72e5fa8335fd7e85fb", "type": "eql", "version": 3 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { + "min_stack_version": "8.3", "rule_name": "Multiple Vault Web Credentials Read", "sha256": "24ee5dd513d2411aadcf6700b279d44bb0d803d6514f3d920e7071076e34d242", "type": "eql", "version": 10 }, "453183fa-f903-11ee-8e88-f661ea17fbce": { + 
"min_stack_version": "8.9", "rule_name": "Route53 Resolver Query Log Configuration Deleted", "sha256": "98d3f47b38a2e490eb32fe435fb1a3cdc74636dabc5fe7a97b731551b87ec8cd", "type": "query", "version": 1 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { + "min_stack_version": "8.3", "rule_name": "Permission Theft - Prevented - Elastic Endgame", "sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a", "type": "query", "version": 103 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { + "min_stack_version": "8.3", "rule_name": "Windows Event Logs Cleared", "sha256": "fc09cce15ed08c912228c02d8c8a913febbcfde1263a2410a281a5b780cbc1bd", "type": "query", "version": 108 }, "45d273fb-1dca-457d-9855-bcb302180c21": { + "min_stack_version": "8.3", "rule_name": "Encrypting Files with WinRar or 7z", "sha256": "b3b214a87a2d7efdda2a6e79454b84fdbae8dbfdb3834d1b51bdc0524f4e0b41", "type": "eql", "version": 111 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { + "min_stack_version": "8.3", "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "f28a8d21784231d74baa3c2c1bc50c52047b904b90baf5f454eff45f52d1ca07", "type": "eql", "version": 111 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { + "min_stack_version": "8.3", "rule_name": "Potential Local NTLM Relay via HTTP", "sha256": "532a6ef376ad303e213a6c18952dbfd541118f748ed30402beff2be0870e927f", "type": "eql", "version": 109 }, "46f804f5-b289-43d6-a881-9387cf594f75": { + "min_stack_version": "8.3", "rule_name": "Unusual Process For a Linux Host", "sha256": "5fbea0760b51ff40b45435e9978a27fd21ee1b2a9792c2892ca01cc45f6dc782", "type": "machine_learning", "version": 104 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { + "min_stack_version": "8.6", "rule_name": "Potential Persistence Through init.d Detected", "sha256": "cd769b23546bc7c66a492fb80d7c336f31823e527982f3185a9ad7b4c3686ee1", "type": "new_terms", "version": 9 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { + "min_stack_version": "8.8", "rule_name": "Sensitive Files Compression 
Inside A Container", "sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939", "type": "eql", "version": 2 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { + "min_stack_version": "8.3", "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", "sha256": "78feac62454588684cd56fc409cf666bba314b8537b67f5c8c1ee01afada874f", "type": "eql", 
@@ -2150,186 +2840,244 @@ "version": 100 }, "47f76567-d58a-4fed-b32b-21f571e28910": { + "min_stack_version": "8.3", "rule_name": "Apple Script Execution followed by Network Connection", "sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a", "type": "eql", "version": 106 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { + "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "daa833de111fdd82adf05f6795ee87754f8dd5a0631fdc3857995779eeb0743e", "type": "eql", "version": 109 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { + "min_stack_version": "8.8", + "previous": { + "8.6": { + "max_allowable_version": 104, + "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", + "sha256": "fadad966a91f932ed17c91f28dccd142d23d55cd4ae7ea7c57bdd1571b0c95ea", + "type": "new_terms", + "version": 5 + } + }, "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", "sha256": "25daf6eb0539fcc0694b22088a27dd0f67fcba06669cc69450e34b994cc642ea", "type": "new_terms", "version": 105 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell", "sha256": "d2d12619cc88da5d442a1f223e4ccf1cdb06d037c5ab3440a7814cb9d6b11736", "type": "eql", "version": 8 }, "48b6edfc-079d-4907-b43c-baffa243270d": { + "min_stack_version": "8.3", "rule_name": "Multiple Logon Failure from the same Source Address", "sha256": "9ab25d365ce5c55e8b3447548326215241c5e3e269772cfda3d53460a796bd70", "type": "eql", "version": 9 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { + "min_stack_version": "8.3", "rule_name": "Unexpected Child Process of macOS Screensaver Engine", "sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312", "type": "eql", "version": 107 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { + "min_stack_version": "8.3", "rule_name": "Potential Persistence via Periodic Tasks", "sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6", 
"type": "query", "version": 106 }, "48f657ee-de4f-477c-aa99-ed88ee7af97a": { + "min_stack_version": "8.3", "rule_name": "Remote XSL Script Execution via COM", "sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc", "type": "eql", "version": 3 }, "493834ca-f861-414c-8602-150d5505b777": { + "min_stack_version": "8.3", "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", "sha256": "6928326257c9c13a06c0f1b72217966aa1141319570100427a2bc9edc41964c0", "type": "threshold", "version": 101 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Backdoor User Account Creation", "sha256": "13db3c2d1fc38751e03a07125ee9720d077032ecc780b0474951dcffa438ece8", "type": "eql", "version": 6 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Application Removed from Blocklist in Google Workspace", + "sha256": "e61b1bbcf81ae0a39c5740592307709fdd354ac9c7ca1cff724f403f2683e67e", + "type": "query", + "version": 5 + } + }, "rule_name": "Application Removed from Blocklist in Google Workspace", "sha256": "458d45e2d4ec3ad54e104516c1bf827f241392740f457d0b358ed439cea466f4", "type": "query", "version": 106 }, "4973e46b-a663-41b8-a875-ced16dda2bb0": { + "min_stack_version": "8.6", "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", "sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7", "type": "eql", "version": 3 }, "4982ac3e-d0ee-4818-b95d-d9522d689259": { + "min_stack_version": "8.3", "rule_name": "Process Discovery Using Built-in Tools", "sha256": "3760e37b4f14a48147ffb42a0e6ac8615c7a41564dcffc483719244adf4aac52", "type": "eql", "version": 4 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { + "min_stack_version": "8.3", "rule_name": "Possible FIN7 DGA Command and Control Behavior", "sha256": "42113dd49a2b2df45e90301ac64feac172a5fe2d5ae21baddb22e62943b28082", 
"type": "query", "version": 105 }, "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { + "min_stack_version": "8.3", "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", "sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea", "type": "eql", "version": 5 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { + "min_stack_version": "8.3", "rule_name": "Potential Cross Site Scripting (XSS)", "sha256": "0ddba68a65a560e542542a531d9b0222a706b62e38442f5afb342b989f8d70fa", "type": "eql", "version": 1 }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { + "min_stack_version": "8.3", "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", "sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982", "type": "eql", "version": 6 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { + "min_stack_version": "8.3", "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "b071ea55c3cd817e5aec99970cd493053e2b94783f1aafb56e89004674a69b22", "type": "eql", "version": 110 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { + "min_stack_version": "8.8", "rule_name": "Container Workload Protection", "sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24", "type": "query", "version": 4 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { + "min_stack_version": "8.3", "rule_name": "ProxyChains Activity", "sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3", "type": "eql", "version": 4 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { + "min_stack_version": "8.9", "rule_name": "Unusual Process Writing Data to an External Device", "sha256": "3659127431f2145c49922aa110bbe7be12f4776825ee1a24f2409945b3f414f0", "type": "machine_learning", "version": 3 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { + "min_stack_version": "8.3", "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45", "type": "eql", "version": 109 }, 
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { + "min_stack_version": "8.3", "rule_name": "PowerShell Share Enumeration Script", "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1", "type": "query", "version": 9 }, "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { + "min_stack_version": "8.3", "rule_name": "Kernel Load or Unload via Kexec Detected", "sha256": "8cdb4afadd73272dc07ee9b31b8a8f1e2ab6d9ba07e75a228d827eb5cedf236e", "type": "eql", "version": 6 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Management Console Brute Force of Root User Identity", + "sha256": "09c72f469d0aca040785500480c6c4086070ace209803e2f0b4f1d79de394a3f", + "type": "threshold", + "version": 106 + } + }, "rule_name": "AWS Management Console Brute Force of Root User Identity", "sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1", "type": "threshold", "version": 207 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { + "min_stack_version": "8.3", "rule_name": "Attempt to Disable Gatekeeper", "sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba", "type": "query", "version": 106 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { + "min_stack_version": "8.3", "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", "sha256": "8bf850df70b51fc76b714e18cd7a173376cb3f8b205d59d19bf4656ff704fada", "type": "eql", "version": 112 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { + "min_stack_version": "8.3", "rule_name": "Multiple Logon Failure Followed by Logon Success", "sha256": "8ed9b11012b3ceb54e839102d8ba6f90c8bc6f8e9c7d2069f8c01d504d8b13ce", "type": "eql", "version": 10 }, "4ec47004-b34a-42e6-8003-376a123ea447": { + "min_stack_version": "8.3", "rule_name": "Suspicious Process Spawned from MOTD Detected", "sha256": "5c74f520f2356f579a86fc666a87af41bd62c8e52f1edc1521b9f7bd58b3f461", "type": "eql", "version": 8 }, 
"4ed493fc-d637-4a36-80ff-ac84937e5461": { + "min_stack_version": "8.3", "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "46dc5171e6385fc71511dfe5c62bbfb3d211317614112565e2dbd8a177803a7b", "type": "eql", "version": 111 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { + "min_stack_version": "8.3", "rule_name": "Suspicious Script Object Execution", "sha256": "604ff31b37bb88ec61794d51e66317597ae32e1b24ffcd6bc110afddaf9259ed", "type": "eql", @@ -2338,7 +3086,7 @@ "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8", @@ -2359,6 +3107,7 @@ "version": 1 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { + "min_stack_version": "8.3", "rule_name": "Execution via TSClient Mountpoint", "sha256": "7e36c4f41ffd47e55fb0504fb3dee66108c384d0a06ec60f2c6de1e2b5d702ef", "type": "eql", 
@@ -2372,78 +3121,109 @@ "version": 2 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { + "min_stack_version": "8.3", "rule_name": "Windows System Information Discovery", "sha256": "e7f81d69a9300bde47134faf67e74e663bf52d62682494acfafebc8afa114273", "type": "eql", "version": 4 }, "5124e65f-df97-4471-8dcb-8e3953b3ea97": { + "min_stack_version": "8.3", "rule_name": "Hidden Files and Directories via Hidden Flag", "sha256": "997601d0253b1c3fc65712c6e0e2784ffba03a5f7b3926a5cf5e183aea3006d7", "type": "eql", "version": 2 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { + "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppCert DLL", "sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1", "type": "eql", "version": 108 }, "514121ce-c7b6-474a-8237-68ff71672379": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "sha256": "a5c1852e0f0b5d54d522bc9d34146368b3966050fdbb0b514ad8a5c883a865c3", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87", "type": "query", "version": 206 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { + "min_stack_version": "8.3", "rule_name": "GCP Logging Sink Deletion", "sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827", "type": "query", "version": 104 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { + "min_stack_version": "8.3", "rule_name": "Tainted Out-Of-Tree Kernel Module Load", "sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa", "type": "query", "version": 2 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { + "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", "type": "eql", "version": 108 }, 
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { + "min_stack_version": "8.3", "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", "sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325", "type": "eql", "version": 7 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS GuardDuty Detector Deletion", + "sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS GuardDuty Detector Deletion", "sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce", "type": "query", "version": 206 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { + "min_stack_version": "8.3", "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", "sha256": "1bda048bcd9c1bf57b4b123d710a6c78eb505e8a06f8d13ced365be3a3abfa5d", "type": "eql", "version": 112 }, "5297b7f1-bccd-4611-93fa-ea342a01ff84": { + "min_stack_version": "8.3", "rule_name": "Execution via Microsoft DotNet ClickOnce Host", "sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7", "type": "eql", "version": 1 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { + "min_stack_version": "8.3", "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", "type": "eql", "version": 109 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Activity", "sha256": "17357496d0db27a4d0ccddae1c436a5239eced079e597b6deaf8b586add984e7", "type": "machine_learning", 
@@ -2462,24 +3242,37 @@ "version": 100 }, "530178da-92ea-43ce-94c2-8877a826783d": { + "min_stack_version": "8.3", "rule_name": "Suspicious CronTab Creation or Modification", "sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab", "type": "eql", "version": 106 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { + "min_stack_version": "8.6", "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "sha256": "f88c3c6d45fbe0bb6e1869423ab9e7667f5019abcead82c85039f1775a2b37ca", "type": "new_terms", "version": 8 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EFS File System or Mount Deleted", + "sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EFS File System or Mount Deleted", "sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990", "type": "query", "version": 206 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { + "min_stack_version": "8.3", "rule_name": "Azure Diagnostic Settings Deletion", "sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2", "type": "query", @@ -2493,18 +3286,21 @@ "version": 4 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { + "min_stack_version": "8.3", "rule_name": "Suspicious PDF Reader Child Process", "sha256": "e67568b9c981e928c8780997ad8a1ad3532c6816c7ba4e0eaf9b8b18c5f3923b", "type": "eql", "version": 110 }, "53dedd83-1be7-430f-8026-363256395c8b": { + "min_stack_version": "8.3", "rule_name": "Binary Content Copy via Cmd.exe", "sha256": "5932e2f55f6f1e70ca53785865b24d7c502633270fe5df05d898167c0c36ab43", "type": "eql", "version": 3 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { + "min_stack_version": "8.3", "rule_name": "Uncommon Registry Persistence Change", "sha256": "62ae21bef70ecd1965d7f2e666f067077780c120bcbef93083911dea04b33b17", "type": "eql", 
@@ -2513,7 +3309,7 @@ "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", @@ -2527,30 +3323,35 @@ "version": 108 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { + "min_stack_version": "8.3", "rule_name": "Network Logon Provider Registry Modification", "sha256": "c432bc081898b9f4cbbf9aca1bfde2c778015db0534e78dddccc213f25c9ed59", "type": "eql", "version": 109 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { + "min_stack_version": "8.3", "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "522f9edf21b4768c2f43e0e448fb38e2603d76177730b764dd66e50b145aa56c", "type": "query", "version": 108 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { + "min_stack_version": "8.3", "rule_name": "PsExec Network Connection", "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", "type": "eql", "version": 109 }, "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { + "min_stack_version": "8.3", "rule_name": "Windows Installer with Suspicious Properties", "sha256": "ef9f5b3f0202dcd4e752c19f9ee8c807b55c72c653b8e1fa0399b2a0408c8753", "type": "eql", "version": 1 }, "56004189-4e69-4a39-b4a9-195329d226e9": { + "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a Host", "sha256": "60181e72437ae398200e9082d83f05217fb1a24754604f6147a583f83048b853", "type": "machine_learning", @@ -2564,6 +3365,7 @@ "version": 1 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { + "min_stack_version": "8.3", "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "aac24b839c4f5e1399effca0ee9a8800cd8ceebd4467a9a2785fab8cf4ae6576", "type": "query", 
@@ -2572,7 +3374,7 @@ "565c2b44-7a21-4818-955f-8d4737967d2e": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Potential Admin Group Account Addition", "sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4", @@ -2586,12 +3388,14 @@ "version": 206 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { + "min_stack_version": "8.3", "rule_name": "Dumping of Keychain Content via Security Command", "sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb", "type": "eql", "version": 107 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { + "min_stack_version": "8.3", "rule_name": "GCP Logging Bucket Deletion", "sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a", "type": "query", @@ -2600,7 +3404,7 @@ "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", 
@@ -2614,156 +3418,218 @@ "version": 210 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 101, + "rule_name": "Execution of an Unsigned Service", + "sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc", + "type": "eql", + "version": 2 + } + }, "rule_name": "Execution of an Unsigned Service", "sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9", "type": "new_terms", "version": 105 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { + "min_stack_version": "8.3", "rule_name": "VNC (Virtual Network Computing) from the Internet", "sha256": "08484b01efb6cd6e700e6ac39d1766a24491ac8d9aee3de5719c03ee0e204a06", "type": "query", "version": 104 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { + "min_stack_version": "8.3", "rule_name": "Credential Dumping - Detected - Elastic Endgame", "sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234", "type": "query", "version": 103 }, "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { + "min_stack_version": "8.3", "rule_name": "Azure Virtual Network Device Modified or Deleted", "sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762", "type": "query", "version": 102 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { + "min_stack_version": "8.3", "rule_name": "PowerShell MiniDump Script", "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b", "type": "query", "version": 108 }, "57bccf1d-daf5-4e1a-9049-ff79b5254704": { + "min_stack_version": "8.3", "rule_name": "File Staged in Root Folder of Recycle Bin", "sha256": "8529bac526d51a184db69b13d9f15bf676bc2b0c6152f40ae73019f4dc20c408", "type": "eql", "version": 3 }, "581add16-df76-42bb-af8e-c979bfb39a59": { + "min_stack_version": "8.3", "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "abc7e66357468013a69f39627f5e9976245ba741d55515881174e59942bf5edc", "type": "eql", "version": 111 }, 
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": { + "min_stack_version": "8.3", "rule_name": "RDP Enabled via Registry", "sha256": "509028755d9bbaaabe41c984eebff548de67f107f346e42b1b4ee27cd12d5fdb", "type": "eql", "version": 111 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { + "min_stack_version": "8.3", "rule_name": "Zoom Meeting with no Passcode", "sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff", "type": "query", "version": 103 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { + "min_stack_version": "8.3", "rule_name": "Potential Lateral Tool Transfer via SMB Share", "sha256": "09b2312a59b33f13a4be41c88d7b5a3177bc1c158c0fa3c8118d4f33d7ccfe08", "type": "eql", "version": 108 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", "sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13", "type": "eql", "version": 111 }, "5919988c-29e1-4908-83aa-1f087a838f63": { + "min_stack_version": "8.3", "rule_name": "File or Directory Deletion Command", "sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a", "type": "eql", "version": 3 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "O365 Email Reported by User as Malware or Phish", + "sha256": "6f1117902fd841998a715673511a3831fe99e7a953113854fd094e8aaf57d935", + "type": "query", + "version": 106 + } + }, "rule_name": "O365 Email Reported by User as Malware or Phish", "sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef", "type": "query", "version": 206 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "AWS CloudTrail Log Created", + "sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26", + "type": "query", + "version": 106 + } + }, 
"rule_name": "AWS CloudTrail Log Created", "sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7", "type": "query", "version": 207 }, "59756272-1998-4b8c-be14-e287035c4d10": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux User Discovery Activity", "sha256": "f22f060fba5f9de2376d38ce5ced5885370cdee60ce06026422199c3d3636225", "type": "machine_learning", "version": 104 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4", "type": "eql", "version": 109 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Java", "sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1", "type": "eql", "version": 8 }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { + "min_stack_version": "8.3", "rule_name": "Potential Chroot Container Escape via Mount", "sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc", "type": "eql", "version": 2 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { + "min_stack_version": "8.3", "rule_name": "Remote SSH Login Enabled via systemsetup Command", "sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058", "type": "query", "version": 106 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { + "min_stack_version": "8.3", "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", "type": "eql", "version": 109 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { + "min_stack_version": "8.3", "rule_name": "Virtual Machine Fingerprinting", "sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2", "type": "query", "version": 108 }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { + "min_stack_version": "8.3", "rule_name": "SUID/SGUID Enumeration Detected", 
"sha256": "9374dc2038bb7999021a8e926287cd2cda2bd1abfa06f2f01d0af8be01679b40", "type": "eql", "version": 5 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { + "min_stack_version": "8.3", "rule_name": "Suspicious which Enumeration", "sha256": "ffbcf6b936ee4ef4c9b312ca9bb5da9d942f9a8680301b5f0debf394ad42c5fa", "type": "eql", "version": 5 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { + "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Browser Process", "sha256": "bd50fb4c4b5ec6a4ebd52c50a505e5dc1fe75637d51ad57a0f0e79dff682aea5", "type": "eql", "version": 4 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { + "min_stack_version": "8.3", "rule_name": "Suspicious PrintSpooler Service Executable File Creation", "sha256": "2e72ae9c5ca64669617999cec691b8f282cbf159464363b5d821bdddd4edd5d3", "type": "eql", "version": 108 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS WAF Rule or Rule Group Deletion", + "sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0", "type": "query", 
@@ -2777,84 +3643,116 @@ "version": 2 }, "5c602cba-ae00-4488-845d-24de2b6d8055": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0", "type": "query", "version": 1 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { + "min_stack_version": "8.4", "rule_name": "FirstTime Seen Account Performing DCSync", "sha256": "efaf2b94fb44203864342cbbad263757cf61dfe7c9be647fe038694e810170f4", "type": "new_terms", "version": 10 }, "5c81fc9d-1eae-437f-ba07-268472967013": { + "min_stack_version": "8.3", "rule_name": "Segfault Detected", "sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8", "type": "query", "version": 1 }, "5c895b4f-9133-4e68-9e23-59902175355c": { + "min_stack_version": "8.6", "rule_name": "Potential Meterpreter Reverse Shell", "sha256": "eba0d9a274b902396a98f70bf3464b3faba30514532b52d48f11de4f46572076", "type": "eql", "version": 6 }, "5c983105-4681-46c3-9890-0c66d05e776b": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Process Discovery Activity", "sha256": "e67ff82fd38ab4af435c7cd93dee29535aac33d0dca591dada0c896337e58380", "type": "machine_learning", "version": 103 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { + "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via PRoot", "sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4", "type": "eql", "version": 7 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { + "min_stack_version": "8.3", "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "63aa403181709c3d123a628bdd843aacbbc3fff0eca0f17fccf30788068d58ef", "type": "eql", "version": 108 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { + "min_stack_version": "8.3", "rule_name": "User Added to Privileged Group", "sha256": "b33d6cc34a4b101cc79bc0c7f84cb361bcd02e5318b2295a57ebf4505ef0824d", "type": "eql", "version": 109 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { 
+ "min_stack_version": "8.3", "rule_name": "Persistence via PowerShell profile", "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60", "type": "eql", "version": 9 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { + "min_stack_version": "8.3", "rule_name": "Persistence via Login or Logout Hook", "sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8", "type": "eql", "version": 107 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "4051d22fd7d1721a31073f7a8b1173bdced88d11e883da07bafb67030c11d4fd", "type": "eql", "version": 108 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { + "min_stack_version": "8.3", "rule_name": "Suspicious Automator Workflows Execution", "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906", "type": "eql", "version": 106 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace 2SV Policy Disabled", + "sha256": "ddbea6e8e6fead49ee6b7eb17b83de0996fdabfef882164c7f04a134f1438293", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Workspace 2SV Policy Disabled", "sha256": "90ed7cc03c1d2f50cb22cde81cefe5234690d44b19be19c4b0029735fa3e4f3a", "type": "query", "version": 106 }, "5e552599-ddec-4e14-bad1-28aa42404388": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Teams Guest Access Enabled", + "sha256": "4e4a262b9c4e5ab8a6ad524df85e1f6b13bdcae8c45ccea1db5bb31e2acd028f", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Teams Guest Access Enabled", "sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838", "type": "query", 
@@ -2874,42 +3772,58 @@ "version": 1 }, "5f2f463e-6997-478c-8405-fb41cc283281": { + "min_stack_version": "8.3", "rule_name": "Potential File Download via a Headless Browser", "sha256": "30c24a512438771d6de13cf9fbc3b909d451f6017b033ea015c1a99fc779f8b5", "type": "eql", "version": 1 }, "60884af6-f553-4a6c-af13-300047455491": { + "min_stack_version": "8.3", "rule_name": "Azure Command Execution on Virtual Machine", "sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12", "type": "query", "version": 102 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { + "min_stack_version": "8.3", "rule_name": "Azure Service Principal Addition", "sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2", "type": "query", "version": 105 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange DLP Policy Removed", + "sha256": "0886a8d4f32a069d4f64c2559bfc5d527f4a2d24045aab00ae97f1de9ad9efb7", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange DLP Policy Removed", "sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9", "type": "query", "version": 206 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { + "min_stack_version": "8.3", "rule_name": "Unusual Process Network Connection", "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", "type": "eql", "version": 108 }, "61336fe6-c043-4743-ab6e-41292f439603": { + "min_stack_version": "8.3", "rule_name": "New User Added To GitHub Organization", "sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8", "type": "eql", "version": 1 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { + "min_stack_version": "8.3", "rule_name": "Interactive Logon by an Unusual Process", "sha256": "371c92a53ff6fe2812871b685def6102afb58b89c536d718eb67344227d117d2", "type": "eql", 
@@ -2918,7 +3832,7 @@ "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", @@ -2938,6 +3852,7 @@ "version": 100 }, "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { + "min_stack_version": "8.3", "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "596066dff727c29d10294ff6d205113bf4bc37e185127d4586a4a53eb1ed9cb0", "type": "eql", 
@@ -2951,60 +3866,70 @@ "version": 1 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { + "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e", "type": "eql", "version": 107 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { + "min_stack_version": "8.3", "rule_name": "Account Configured with Never-Expiring Password", "sha256": "bff6971b2108d22178fe7e1ba59610ea438646b4c81a203c7c85e90f0b42b640", "type": "query", "version": 108 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { + "min_stack_version": "8.3", "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection", "sha256": "cda94f2b58b70076662143a46548455aa8e987cf042b4b051776a276aa0c495f", "type": "eql", "version": 4 }, "63c05204-339a-11ed-a261-0242ac120002": { + "min_stack_version": "8.4", "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", "sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab", "type": "query", "version": 6 }, "63c056a0-339a-11ed-a261-0242ac120002": { + "min_stack_version": "8.4", "rule_name": "Kubernetes Denied Service Account Request", "sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86", "type": "query", "version": 5 }, "63c057cc-339a-11ed-a261-0242ac120002": { + "min_stack_version": "8.4", "rule_name": "Kubernetes Anonymous Request Authorized", "sha256": "124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd", "type": "query", "version": 6 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { + "min_stack_version": "8.3", "rule_name": "Network Connection via Signed Binary", "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49", "type": "eql", "version": 108 }, "647fc812-7996-4795-8869-9c4ea595fe88": { + "min_stack_version": "8.3", "rule_name": "Anomalous Process For a Linux Population", "sha256": "83b053309247f90ea7bda7f3c8e474257fe61dec3fc68d387888dc2da6ccf096", "type": "machine_learning", "version": 
104 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { + "min_stack_version": "8.3", "rule_name": "Modification of Safari Settings via Defaults Command", "sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012", "type": "query", "version": 106 }, "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { + "min_stack_version": "8.3", "rule_name": "Network Connection via Recently Compiled Executable", "sha256": "602b297ae58effa807f0bca106916c4f1902c7fa8f5c62bfd282b5b65de72f7b", "type": "eql", 
@@ -3017,42 +3942,58 @@ "version": 100 }, "65f9bccd-510b-40df-8263-334f03174fed": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Exposed Service Created With Type NodePort", + "sha256": "c6cf6184bd1e4f3add0ac786022ed97b13163f8ef7278c905b94bcea8447509f", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Exposed Service Created With Type NodePort", "sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e", "type": "query", "version": 203 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { + "min_stack_version": "8.3", "rule_name": "Attempt to Mount SMB Share via Command Line", "sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4", "type": "eql", "version": 107 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { + "min_stack_version": "8.5", "rule_name": "Suspicious Termination of ESXI Process", "sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2", "type": "eql", "version": 6 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { + "min_stack_version": "8.3", "rule_name": "WebServer Access Logs Deleted", "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977", "type": "eql", "version": 105 }, "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { + "min_stack_version": "8.3", "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", "sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a", "type": "eql", "version": 7 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { + "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Web Services", "sha256": "fd8374f717cf2af735052c2e6070cf34a2f345ffc0817d3633deedef52e54e18", "type": "eql", "version": 113 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { + "min_stack_version": "8.3", "rule_name": "Linux Process Hooking via GDB", "sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d", "type": "eql", 
@@ -3061,7 +4002,7 @@ "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Suspicious macOS MS Office Child Process", "sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489", @@ -3075,6 +4016,7 @@ "version": 206 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { + "min_stack_version": "8.3", "rule_name": "Modification of the msPKIAccountCredentials", "sha256": "9a207172558146d200bc0297376b645cc44023db1b7a8202a16c432936fad1ab", "type": "query", @@ -3083,7 +4025,7 @@ "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63", @@ -3097,6 +4039,16 @@ "version": 206 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "O365 Mailbox Audit Logging Bypass", + "sha256": "cac04714049b7a004fe00585d8cc3e351f442896feb07e367f5e3406853f595d", + "type": "query", + "version": 106 + } + }, "rule_name": "O365 Mailbox Audit Logging Bypass", "sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb", "type": "query", @@ -3105,7 +4057,7 @@ "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93", @@ -3125,6 +4077,7 @@ "version": 100 }, "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { + "min_stack_version": "8.3", "rule_name": "High Number of Process Terminations", "sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3", "type": "threshold", 
@@ -3137,12 +4090,23 @@ "version": 100 }, "6839c821-011d-43bd-bd5b-acff00257226": { + "min_stack_version": "8.3", "rule_name": "Image File Execution Options Injection", "sha256": "413e961dc4797bf3701be20c749258009705733592d081c9b030aed6a7b8e75c", "type": "eql", "version": 107 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "New or Modified Federation Domain", + "sha256": "c12b7d94ddd9ac7a54891cd86831775b8622d2c0681fcaf612e2842bed646cf6", + "type": "query", + "version": 106 + } + }, "rule_name": "New or Modified Federation Domain", "sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8", "type": "query", @@ -3151,7 +4115,7 @@ "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21", 
@@ -3165,162 +4129,252 @@ "version": 205 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { + "min_stack_version": "8.3", "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "ca27a9f60eec10c769a8b530ccb040f0a6c4218b6af386a6daa5e6ffb6ca381f", "type": "eql", "version": 110 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Google Workspace Admin Role Assigned to a User", + "sha256": "a8a7d4e956c4cd2733f3d5e26871a367b937a0944420b3eaaca82370b8246a55", + "type": "query", + "version": 105 + } + }, "rule_name": "Google Workspace Admin Role Assigned to a User", "sha256": "6efdcc0936767be2538639bc2b7dfc028b4f7d02b590bbfac757314fcec9ce2a", "type": "query", "version": 206 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { + "min_stack_version": "8.3", "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "9e2d92b09b248d78181d6b8283ed595c2560ea046d17365515a8e57f6cb1679c", "type": "eql", "version": 107 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Log Group Deletion", + "sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Log Group Deletion", "sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399", "type": "query", "version": 209 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { + "min_stack_version": "8.3", "rule_name": "Suspicious Access to LDAP Attributes", "sha256": "307219345f44551ce020e8edcdc4a77f54cae4a0431f6fdd2dd7b9553c93519d", "type": "eql", "version": 1 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "0e58274266004591d50a31dccda8579c2e48897fecb54d3ff9aa6153e1b2f459", "type": "eql", "version": 109 }, 
"6951f15e-533c-4a60-8014-a3c3ab851a1b": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", + "sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd", + "type": "query", + "version": 5 + } + }, "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e", "type": "query", "version": 106 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { + "min_stack_version": "8.5", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", + "sha256": "32f01788e2000cbf97dfe76446aa173db05e8a73eac467ec634aec29072ba7e8", + "type": "threat_match", + "version": 105 + } + }, "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", "sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85", "type": "threat_match", "version": 204 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { + "min_stack_version": "8.3", "rule_name": "Modification of Boot Configuration", "sha256": "500524cf359e95ea7b5677b35a1d166b011fa0b33628d49b9e0ca3dcb7531525", "type": "eql", "version": 109 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Password Recovery Requested", + "sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS IAM Password Recovery Requested", "sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df", "type": "query", "version": 206 }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { + "min_stack_version": "8.9", "rule_name": "EC2 AMI Shared with Another Account", "sha256": "269a6ce9b13aedfce015a85a679e1a55ebf3974fdd7cb9b3c9f84411ed85cafc", "type": "query", 
"version": 1 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { + "min_stack_version": "8.3", "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", "type": "eql", "version": 110 }, "6aace640-e631-4870-ba8e-5fdda09325db": { + "min_stack_version": "8.3", "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f", "type": "eql", "version": 111 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { + "min_stack_version": "8.3", "rule_name": "Suspicious Utility Launched via ProxyChains", "sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2", "type": "eql", "version": 7 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Sensitive Files Compression", + "sha256": "271c0de47099ee8a5e049d68bf4d49801b884b81f673df03edceab970daebe19", + "type": "query", + "version": 106 + } + }, "rule_name": "Sensitive Files Compression", "sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50", "type": "new_terms", "version": 208 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { + "min_stack_version": "8.3", "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "4a3308713c74898d9a52d894105c3a41556786008f169b725436c4dbc018ee99", "type": "eql", "version": 107 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { + "min_stack_version": "8.8", "rule_name": "Container Management Utility Run Inside A Container", "sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d", "type": "eql", "version": 2 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { + "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", "type": "eql", "version": 108 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": 
{ + "min_stack_version": "8.3", "rule_name": "GitHub Repo Created", "sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09", "type": "eql", "version": 1 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { + "min_stack_version": "8.3", "rule_name": "Unusual Process For a Windows Host", "sha256": "f65a12afc06498c72c6fe35834ef48f2c6cee057748963b300cae83e7a411f78", "type": "machine_learning", "version": 107 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { + "min_stack_version": "8.6", "rule_name": "Potential Privilege Escalation via CVE-2023-4911", "sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0", "type": "eql", "version": 4 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", "sha256": "296e88e08cfeb38dd5bfe7c3719ed7ce80f41022b51190abddbedacc66220afa", "type": "new_terms", "version": 5 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { + "min_stack_version": "8.3", "rule_name": "Anomalous Process For a Windows Population", "sha256": "797cf8fc982536b11a0679348b4eca584db853de77646320ff0c146465196bcd", "type": "machine_learning", "version": 105 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { + "min_stack_version": "8.3", "rule_name": "AdminSDHolder Backdoor", "sha256": "53f33d98ecca40d46328a7ff7593743ac0f62aefad6854a203355d59f240ece1", "type": "query", "version": 106 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { + "min_stack_version": "8.7", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Enumeration of Users or Groups via Built-in Commands", + "sha256": "6b4e00cd0749f89148010473d62893477290a0438ab07894e38b445ce10c7b3e", + "type": "eql", + "version": 107 + } + }, "rule_name": "Enumeration of Users or Groups via Built-in Commands", "sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd", "type": "eql", "version": 207 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { + "min_stack_version": "8.3", 
"rule_name": "Potential Windows Error Manager Masquerading", "sha256": "f66c92e627ba4aabff1fb546ee38cbdf15e88ad11a4e5fc9059ba9be41db31f3", "type": "eql", "version": 108 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { + "min_stack_version": "8.3", "rule_name": "Security Software Discovery using WMIC", "sha256": "191d08e949cb9f57e2853a307b82f336896da072f4dea0054f301ee50bebfd89", "type": "eql", @@ -3333,6 +4387,7 @@ "version": 100 }, "6ee947e9-de7e-4281-a55d-09289bdf947e": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Tunneling and/or Port Forwarding", "sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8", "type": "eql", @@ -3352,6 +4407,16 @@ "version": 1 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Role Modified", + "sha256": "8917dd169608ea491ef3f4c15d53b08aa6747b200e3b62a4bc22da3afb71fc9a", + "type": "query", + "version": 104 + } + }, "rule_name": "Google Workspace Role Modified", "sha256": "cc27c5d907038ca85c5d0c991e541013163f6fccc0bf95c84ac0b4ed62175081", "type": "query", 
@@ -3364,66 +4429,113 @@ "version": 100 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudTrail Log Deleted", + "sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudTrail Log Deleted", "sha256": "f23d0872d802001bbc030b70a5f6be00760eb331e2c1ea06a5e57d15d2e336c9", "type": "query", "version": 209 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Config Resource Deletion", + "sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Config Resource Deletion", "sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f", "type": "query", "version": 209 }, "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution via MSIEXEC", "sha256": "2b0a113e37d67649e6f11b5bf035ca1a3a6649ad4996a27b1e788651ae11b846", "type": "eql", "version": 2 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { + "min_stack_version": "8.3", "rule_name": "Persistence via WMI Standard Registry Provider", "sha256": "db796cbae0d063b4f1a54079e8f00e82b333a78701059a9a9962630dd48cc857", "type": "eql", "version": 108 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { + "min_stack_version": "8.3", "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47", "type": "query", "version": 106 }, "7164081a-3930-11ed-a261-0242ac120002": { + "min_stack_version": "8.4", "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", "sha256": "86bf8bc61640a49c610c81cef5cb6bd417d85a5160637971eb56c908af7a3bec", "type": "query", "version": 4 }, 
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Modification of Dynamic Linker Preload Shared Object", + "sha256": "dc67793718c16d2d90d8be38bf310b0ce87c25f4e9c56a66f7a231b80d9922f0", + "type": "query", + "version": 107 + } + }, "rule_name": "Modification of Dynamic Linker Preload Shared Object", "sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40", "type": "new_terms", "version": 209 }, "71bccb61-e19b-452f-b104-79a60e546a95": { + "min_stack_version": "8.3", "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "a3fdba9254d6e0decace5b3bbe34f7365bdb09fb0ab62ce49b0058dc63af0cbc", "type": "eql", "version": 114 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { + "min_stack_version": "8.3", "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "e9a9062beb0713d366bd638f7cf733c19ec8aed20b8603b3b0d460618a78aaa2", "type": "eql", "version": 109 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { + "min_stack_version": "8.3", "rule_name": "Suspicious Passwd File Event Action", "sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2", "type": "eql", "version": 3 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Potential ransomware activity", + "sha256": "065cd0cc51b5457baa9bc37901045907810e07d074eef16982399654fae10302", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Potential ransomware activity", "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f", "type": "query", 
@@ -3432,7 +4544,7 @@ "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c", @@ -3452,18 +4564,21 @@ "version": 100 }, "72ed9140-fe9d-4a34-a026-75b50e484b17": { + "min_stack_version": "8.6", "rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable", "sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9", "type": "new_terms", "version": 2 }, "730ed57d-ae0f-444f-af50-78708b57edd5": { + "min_stack_version": "8.3", "rule_name": "Suspicious JetBrains TeamCity Child Process", "sha256": "c9e084cfb0ca88c2cc8bfdeaeae122e26763a683878236cd17307ce5cabfe578", "type": "eql", "version": 1 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { + "min_stack_version": "8.3", "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "65d25ee5fe0482453ec857754eb6d2d3273c48bcef76cea6d9c3843f555d19eb", "type": "eql", @@ -3472,7 +4587,7 @@ "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Modification of Environment Variable via Launchctl", "sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb", 
@@ -3486,168 +4601,232 @@ "version": 206 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { + "min_stack_version": "8.3", "rule_name": "Unusual Hour for a User to Logon", "sha256": "8c8f1df8c5b78cb30de44700004958516615a323691d707eee2ed79b9a00424c", "type": "machine_learning", "version": 104 }, "746edc4c-c54c-49c6-97a1-651223819448": { + "min_stack_version": "8.3", "rule_name": "Unusual DNS Activity", "sha256": "b9ea779f9594e53247551940577acd651bc9971f972c085f9476e736de350577", "type": "machine_learning", "version": 103 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Suspicious Sysctl File Event", + "sha256": "dc62f12237c63e7f170343cc5fcf2587a078f5af5e823d46e6545f8b11a01b90", + "type": "eql", + "version": 4 + } + }, "rule_name": "Suspicious Sysctl File Event", "sha256": "a98b507603e191d5d7b9018614f89020e94baf48aa9ab69666128517e8a282c8", "type": "new_terms", "version": 107 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { + "min_stack_version": "8.3", "rule_name": "Service Disabled via Registry Modification", "sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a", "type": "eql", "version": 3 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { + "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: Unauthorized Method", "sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961", "type": "query", "version": 102 }, "76152ca1-71d0-4003-9e37-0983e12832da": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Sudoers File Modification", "sha256": "6dfec898ca5b57352a078ff6ea65a0452985eeac88bb6ca491399544d57be902", "type": "query", "version": 103 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Pod Created With HostIPC", + "sha256": 
"88a76082a0b05f8b848047174d1517f7746506e91ed2bb2d203255a52f38a8e2", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Pod Created With HostIPC", "sha256": "beed3f7f4d2a86f155bd96e2903ded43fe8eb75d27f85650778e44bdf7e50982", "type": "query", "version": 203 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { + "min_stack_version": "8.3", "rule_name": "Access to a Sensitive LDAP Attribute", "sha256": "1ae31d3cb536669955d44bdf92b5c53dfd9868ad3ff5813fe8acee8502eecc41", "type": "eql", "version": 10 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { + "min_stack_version": "8.3", "rule_name": "Creation of Hidden Shared Object File", "sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa", "type": "eql", "version": 110 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { + "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb", "type": "eql", "version": 106 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Child Process", "sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953", "type": "eql", "version": 9 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { + "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33", "type": "eql", "version": 110 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { + "min_stack_version": "8.3", "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "8ad7865bb2ea255f74f4010cbc3df77b3480c3878500abf1c5ebf0b7c924a7cf", "type": "eql", "version": 111 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { + "min_stack_version": "8.3", "rule_name": "User Added as Owner for Azure Application", "sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26", "type": "query", "version": 102 }, 
"7787362c-90ff-4b1a-b313-8808b1020e64": { + "min_stack_version": "8.6", "rule_name": "UID Elevation from Previously Unknown Executable", "sha256": "2b60afa9037795b630f1d33a76fcd68f49f3c1ccf9b0da8445765575a2508534", "type": "new_terms", "version": 2 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { + "min_stack_version": "8.3", "rule_name": "Adversary Behavior - Detected - Elastic Endgame", "sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d", "type": "query", "version": 104 }, "781f8746-2180-4691-890c-4c96d11ca91d": { + "min_stack_version": "8.3", "rule_name": "Potential Network Sweep Detected", "sha256": "a076fa96b47fb15ed66e6f90750fdc91ac7f7cf9e496f47150eba1253dcbc6db", "type": "threshold", "version": 5 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Application Added to Google Workspace Domain", + "sha256": "7fa64b656ada94baa0a8d76c00231f99bfd63f0925722bdfeb6528ff90cdef76", + "type": "query", + "version": 104 + } + }, "rule_name": "Application Added to Google Workspace Domain", "sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6", "type": "query", "version": 205 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { + "min_stack_version": "8.3", "rule_name": "Azure Privilege Identity Management Role Modified", "sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e", "type": "query", "version": 105 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Spike in AWS Error Messages", + "sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Spike in AWS Error Messages", "sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2", "type": "machine_learning", "version": 208 }, 
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": { + "min_stack_version": "8.3", "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0", "type": "eql", "version": 1 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { + "min_stack_version": "8.3", "rule_name": "Suspicious File Renamed via SMB", "sha256": "fc6be263784c700668a9eb4f67231f1786f1750bc929af29d6655989375915c0", "type": "eql", "version": 1 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { + "min_stack_version": "8.4", "rule_name": "Unsigned DLL Loaded by Svchost", "sha256": "693613eaf1e2584a9bc56d598ff28225091c888aa886521384faf26f2cc43a45", "type": "eql", "version": 6 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { + "min_stack_version": "8.3", "rule_name": "File Compressed or Archived into Common Format", "sha256": "75b814ddab9122b2dde8034d1daadc9731ff977dce815207b7565aad49cda555", "type": "eql", "version": 4 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { + "min_stack_version": "8.3", "rule_name": "Azure Key Vault Modified", "sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87", "type": "query", "version": 103 }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { + "min_stack_version": "8.3", "rule_name": "Potential Masquerading as System32 Executable", "sha256": "a613c9495f4b8b1cd51df4eac684c578f26aceaa65e6d20faa875e280f3a0912", "type": "eql", "version": 4 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { + "min_stack_version": "8.3", "rule_name": "Potential File Transfer via Certreq", "sha256": "45f8eda9995222bc895d40fc9bab8fea41954def40702271c8a6b7af7bd09eef", "type": "eql", "version": 8 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { + "min_stack_version": "8.3", "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "696545e871e59971a9c77d60fb7f5cb25cbbec8a62cdf6fd167b9ec939efa675", "type": "query", 
@@ -3660,12 +4839,14 @@ "version": 100 }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation through Writable Docker Socket", "sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2", "type": "eql", "version": 5 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { + "min_stack_version": "8.3", "rule_name": "Potential Execution via XZBackdoor", "sha256": "3b5e1d6fe931166937ac8b2540f9f001897d52336750147eef0f13925a5f0c39", "type": "eql", 
@@ -3678,36 +4859,69 @@ "version": 100 }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS ElastiCache Security Group Created", + "sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS ElastiCache Security Group Created", "sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4", "type": "query", "version": 206 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { + "min_stack_version": "8.3", "rule_name": "Windows Network Enumeration", "sha256": "76d42ebe68f574a31fb590b3d96321d2e8d048306a8159b2f0b36be83255e855", "type": "eql", "version": 111 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Suspicious LSASS Access via MalSecLogon", + "sha256": "cfb5125f0705e215f8dc00f7a38fe7454cf24077181b6b9c70068c7e46fbadb6", + "type": "eql", + "version": 106 + } + }, "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1", "type": "eql", "version": 208 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { + "min_stack_version": "8.3", "rule_name": "Tampering of Shell Command-Line History", "sha256": "106aa939e4c87db6570ee327ed6ca3e7f889aca17a71e09044b0b8dc3bed815c", "type": "eql", "version": 105 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace Bitlocker Setting Disabled", + "sha256": "b7f72377e6e5c62220a4932b83c0343a304f9e32c6f8df1a2320f97dc666d857", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Workspace Bitlocker Setting Disabled", "sha256": "d876e552704f399012a35ef8ccd37653e6278d558e9904d895f023110f987c55", "type": "query", "version": 106 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { 
+ "min_stack_version": "8.3", "rule_name": "GCP Service Account Creation", "sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c", "type": "query", 
@@ -3720,66 +4934,104 @@ "version": 100 }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { + "min_stack_version": "8.3", "rule_name": "Suspicious Kworker UID Elevation", "sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a", "type": "eql", "version": 2 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { + "min_stack_version": "8.3", "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", "type": "eql", "version": 109 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 100, + "rule_name": "Discovery of Internet Capabilities via Built-in Tools", + "sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66", + "type": "eql", + "version": 1 + } + }, "rule_name": "Discovery of Internet Capabilities via Built-in Tools", "sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee", "type": "new_terms", "version": 102 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { + "min_stack_version": "8.6", "rule_name": "New Systemd Timer Created", "sha256": "c5bf7a856bf289f0687f5916c01098906650541047b786e7a120cd6ec3fbb948", "type": "new_terms", "version": 9 }, "80084fa9-8677-4453-8680-b891d3c0c778": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Enumeration of Kernel Modules via Proc", + "sha256": "e8cbeafae45cf6592034b68de6f2166705890d49c7a6e5821b387dfa6c535dc9", + "type": "eql", + "version": 4 + } + }, "rule_name": "Enumeration of Kernel Modules via Proc", "sha256": "a673dd1c8988721179c42b0b788a1b229fce05298dfe5664b54ca535750e4587", "type": "new_terms", "version": 106 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { + "min_stack_version": "8.3", "rule_name": "Unusual Process Extension", "sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a", "type": "eql", "version": 4 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { + 
"min_stack_version": "8.3", "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", "sha256": "237bea63ac52782481baf16b92d59c08e0e799105d378bec92197c4ad8fad8b4", "type": "eql", "version": 2 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual City For an AWS Command", + "sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual City For an AWS Command", "sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199", "type": "machine_learning", "version": 208 }, "80c52164-c82a-402c-9964-852533d58be1": { + "min_stack_version": "8.3", "rule_name": "Process Injection - Detected - Elastic Endgame", "sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be", "type": "query", "version": 103 }, "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { + "min_stack_version": "8.9", "rule_name": "Unusual Remote File Extension", "sha256": "e5eeb038f9aa39433fcea8c9410b24a6a1337512da397d2818fc96f5698f767b", "type": "machine_learning", "version": 3 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "93f0d3a27ec93093c91f59d6a1bcd1a34b1f007ff0304b857a730c1c6c35f186", "type": "eql", @@ -3794,7 +5046,7 @@ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", @@ -3808,6 +5060,7 @@ "version": 211 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { + "min_stack_version": "8.3", "rule_name": "Temporarily Scheduled Task Creation", "sha256": "b9eb095355ecc02a827ca56e41a3ccd5fd5fff3c57c2f1a1e16e0f32082bcd46", "type": "eql", 
@@ -3816,7 +5069,7 @@ "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Apple Scripting Execution with Administrator Privileges", "sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a", @@ -3830,12 +5083,14 @@ "version": 207 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Local Account Brute Force Detected", "sha256": "7951c32071a4f27cf235f88d6d4af14655a24aca293681878a970dc3e3973c1f", "type": "eql", "version": 6 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { + "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Pods Deleted", "sha256": "8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9", "type": "query", 
@@ -3848,84 +5103,143 @@ "version": 100 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { + "min_stack_version": "8.3", "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "1814e77d691d41da88a1ba4c922ef445c031e653b86b5dd166f99cba587157f1", "type": "eql", "version": 7 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { + "min_stack_version": "8.3", "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role", "sha256": "ca0cdbc0af36d4bf4a78a1a5f82fca391580b9507566dd67dd281c61cd510c7a", "type": "new_terms", "version": 2 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { + "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Transport Agent Install Script", "sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412", "type": "query", "version": 5 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { + "min_stack_version": "8.3", "rule_name": "Potential Upgrade of Non-interactive Shell", "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759", "type": "eql", "version": 3 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { + "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", "sha256": "7a9ce57d7b2a5c723facc456a26c549cb5acacc09fe4844360c1af34366c0744", "type": "eql", "version": 110 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { + "min_stack_version": "8.3", "rule_name": "Potential Remote Credential Access via Registry", "sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32", "type": "eql", "version": 111 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Suspicious PowerShell Engine ImageLoad", + "sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47", + "type": "eql", + "version": 108 + } + }, "rule_name": "Suspicious PowerShell Engine ImageLoad", "sha256": "8fb4c5a6040d9edf0a32b6e6fd809d366eea096495438e323e148d684c871404", "type": "new_terms", "version": 210 }, 
"8623535c-1e17-44e1-aa97-7a0699c3037d": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Network Access Control List Deletion", + "sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Network Access Control List Deletion", "sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006", "type": "query", "version": 206 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Security Group Deletion", + "sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Security Group Deletion", "sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9", "type": "query", "version": 206 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Group Deletion", + "sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS IAM Group Deletion", "sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781", "type": "query", "version": 206 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Reverse Connection through Port Knocking", "sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc", "type": "eql", "version": 1 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { + "min_stack_version": "8.3", "rule_name": "Security Software Discovery via Grep", "sha256": "de3ae123fbc7d0cb0596b3c5cc6467fdf51f545053665c4f5afdeb758983bc76", "type": "eql", "version": 109 }, "871ea072-1b71-4def-b016-6278b505138d": { + "min_stack_version": "8.3", "rule_name": "Enumeration of 
Administrator Accounts", "sha256": "6a87be3b93e4a75c3dbfeba82b7aaa420dd43f042ec1bc9641d5649f8f6850b5", "type": "eql", "version": 112 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EventBridge Rule Disabled or Deleted", + "sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EventBridge Rule Disabled or Deleted", "sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339", "type": "query", 
@@ -3938,30 +5252,53 @@ "version": 100 }, "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { + "min_stack_version": "8.6", "rule_name": "Potential Suspicious Clipboard Activity Detected", "sha256": "0177e89bdd890b3651f0d3bc7bb08aa7a71cc97d95e6f965d2131a132599a839", "type": "new_terms", "version": 4 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Global Administrator Role Assigned", + "sha256": "bb6703bc49a5b12297b62e2aa1b7a9e5f01ce6108eabbd1d541ec655dd35ac50", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Global Administrator Role Assigned", "sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66", "type": "query", "version": 206 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { + "min_stack_version": "8.3", "rule_name": "Sublime Plugin or Application Script Modification", "sha256": "e1e70345125002f7b837c9c87a54b449497d0b8a5d4f32f30e24b28185445925", "type": "eql", "version": 107 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Potential Sudo Hijacking Detected", + "sha256": "28eba13edb2d9454c08d86938d6bf41ed614c2c32879ec8719cd571c0c9cbef5", + "type": "eql", + "version": 3 + } + }, "rule_name": "Potential Sudo Hijacking Detected", "sha256": "3d49290bdfa2269196ce840768887b0c20588d07f406eef1f33e10c6117246e0", "type": "new_terms", "version": 105 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { + "min_stack_version": "8.3", "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443", "type": "eql", 
@@ -3974,24 +5311,28 @@ "version": 100 }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { + "min_stack_version": "8.3", "rule_name": "Kerberos Traffic from Unusual Process", "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50", "type": "eql", "version": 110 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { + "min_stack_version": "8.3", "rule_name": "Command Prompt Network Connection", "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271", "type": "eql", "version": 108 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { + "min_stack_version": "8.3", "rule_name": "Persistence via DirectoryService Plugin Modification", "sha256": "7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b", "type": "query", "version": 106 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { + "min_stack_version": "8.3", "rule_name": "Suspicious Symbolic Link Created", "sha256": "6041852ef2da176bb02a69879e30441c9842802e2b5e06678aaca5653322cf32", "type": "eql", @@ -4005,18 +5346,21 @@ "version": 3 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { + "min_stack_version": "8.3", "rule_name": "GitHub PAT Access Revoked", "sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4", "type": "eql", "version": 1 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { + "min_stack_version": "8.3", "rule_name": "Setuid / Setgid Bit Set via chmod", "sha256": "9c15ba48b9d09639823c4d9695769a98190668b5a82f91664552b3a1d00134d5", "type": "query", "version": 103 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution from a Mounted Device", "sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3", "type": "eql", @@ -4025,7 +5369,7 @@ "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009", 
@@ -4039,120 +5383,149 @@ "version": 206 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Suspicious JAVA Child Process", + "sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16", + "type": "eql", + "version": 105 + } + }, "rule_name": "Suspicious JAVA Child Process", "sha256": "c73d3fa21849f702bf7a08d4182ce1e62bbf2096eef54418fd5faf94e042da75", "type": "new_terms", "version": 208 }, "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { + "min_stack_version": "8.3", "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", "sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140", "type": "eql", "version": 4 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { + "min_stack_version": "8.3", "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "bccda8eb5129b06f4f741772f5096f1be5c8365b976b07a61c32e442f9138298", "type": "eql", "version": 108 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { + "min_stack_version": "8.3", "rule_name": "Enable Host Network Discovery via Netsh", "sha256": "78eb240c8eeeb4d9df8d9454ba4f91306bbffcdf8b395c3a62c87009f89504de", "type": "eql", "version": 109 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { + "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Events Deleted", "sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9", "type": "query", "version": 102 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { + "min_stack_version": "8.3", "rule_name": "RDP (Remote Desktop Protocol) from the Internet", "sha256": "97a0561922556e3ced27828faed777dc5a0ab1da7843bfef7c19929702a26f4b", "type": "query", "version": 103 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { + "min_stack_version": "8.3", "rule_name": "Unusual Child Process of dns.exe", "sha256": "a6ecf9a561d41bac0bb75fbf33f868dc71ed4fc5e07f914780fd73c29dcdb1ba", "type": "eql", "version": 110 }, 
"8c81e506-6e82-4884-9b9a-75d3d252f967": { + "min_stack_version": "8.3", "rule_name": "Potential SharpRDP Behavior", "sha256": "133e1acd35b1b06ce036bf672f04203863a4f2e1c535cc722321f198d71bffda", "type": "eql", "version": 106 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { + "min_stack_version": "8.3", "rule_name": "Ransomware - Detected - Elastic Endgame", "sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2", "type": "query", "version": 103 }, "8cb84371-d053-4f4f-bce0-c74990e28f28": { + "min_stack_version": "8.3", "rule_name": "Potential Successful SSH Brute Force Attack", "sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483", "type": "eql", "version": 11 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { + "min_stack_version": "8.3", "rule_name": "File with Suspicious Extension Downloaded", "sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0", "type": "eql", "version": 3 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { + "min_stack_version": "8.8", "rule_name": "Suspicious Interactive Shell Spawned From Inside A Container", "sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e", "type": "eql", "version": 2 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via PKEXEC", "sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698", "type": "eql", "version": 108 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { + "min_stack_version": "8.3", "rule_name": "Azure Automation Runbook Deleted", "sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c", "type": "query", "version": 102 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { + "min_stack_version": "8.3", "rule_name": "Potential Outgoing RDP Connection by Unusual Process", "sha256": "e724d32f7d8923ac1608a48ba78404bda59c6db4b1475a392ad766f4e0853459", "type": "eql", "version": 3 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { + "min_stack_version": 
"8.3", "rule_name": "Bitsadmin Activity", "sha256": "39ca4c3ed7500f428501bf32d7b5361c687e94b712b9d7742406bb4c804bb53b", "type": "eql", "version": 2 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { + "min_stack_version": "8.3", "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "sha256": "60451d80b47ef91bfe8095934b32b4899ae705a33e3df155894a58dc67c97ce6", "type": "eql", "version": 1 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { + "min_stack_version": "8.3", "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", "sha256": "bb44b0120653077a52d8fbfb935aa73998db23fe25b3c188024f3a96b09b8e4c", "type": "eql", "version": 106 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { + "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68", "type": "eql", "version": 107 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { + "min_stack_version": "8.3", "rule_name": "GCP Service Account Deletion", "sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb", "type": "query", 
@@ -4165,24 +5538,37 @@ "version": 100 }, "90169566-2260-4824-b8e4-8615c3b4ed52": { + "min_stack_version": "8.3", "rule_name": "Hping Process Activity", "sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c", "type": "eql", "version": 108 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Deletion of RDS Instance or Cluster", + "sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Deletion of RDS Instance or Cluster", "sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241", "type": "query", "version": 206 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { + "min_stack_version": "8.3", "rule_name": "Keychain Password Retrieval via Command Line", "sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3", "type": "eql", "version": 108 }, "90babaa8-5216-4568-992d-d4a01a105d98": { + "min_stack_version": "8.3", "rule_name": "InstallUtil Activity", "sha256": "b3e654521bd77a07433f951786a8b37f3f4bb9ef9459f8cbfd080af927ebf5f9", "type": "eql", 
@@ -4195,36 +5581,51 @@ "version": 100 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { + "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Route Creation", "sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79", "type": "query", "version": 104 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS WAF Access Control List Deletion", + "sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS WAF Access Control List Deletion", "sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1", "type": "query", "version": 206 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { + "min_stack_version": "8.3", "rule_name": "Unusual Web User Agent", "sha256": "085e5fd9bc868b88d70882d6ff9ad8cd88277bde6a5536d032d204050b191347", "type": "machine_learning", "version": 103 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { + "min_stack_version": "8.3", "rule_name": "Unusual Web Request", "sha256": "ca0f4d650120d7af5f5c1b882104229c33beac3e20991c9c22403a8a79b89ae1", "type": "machine_learning", "version": 103 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { + "min_stack_version": "8.3", "rule_name": "DNS Tunneling", "sha256": "30ea79771106d5283bb2b93e9376e9b56ebb99c37ef021f485fdc2ea17c783ea", "type": "machine_learning", "version": 103 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { + "min_stack_version": "8.3", "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", "type": "threshold", 
@@ -4233,7 +5634,7 @@ "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 107, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", 
@@ -4247,102 +5648,173 @@ "version": 108 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { + "min_stack_version": "8.3", "rule_name": "A scheduled task was created", "sha256": "d54ac464d0549dec4468d4706dfce032e2e8bed176f5ece56f3c6430378aff76", "type": "eql", "version": 8 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { + "min_stack_version": "8.3", "rule_name": "Potential Evasion via Windows Filtering Platform", "sha256": "1985305e54165a73be2bdfd8d6de615ed21edde213a17f11911f0a25cdd28c0c", "type": "eql", "version": 3 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", + "sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", "sha256": "b0f5b4e396353924df242d69030559c5fd2dab01d092d3573750a4611ce59860", "type": "query", "version": 206 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Sudoers File Modification", + "sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef", + "type": "query", + "version": 103 + } + }, "rule_name": "Sudoers File Modification", "sha256": "f4d948d4c06ecb8fae9ce5be98bc19d8200ccb0e271913c4b2c41c01a45233b2", "type": "new_terms", "version": 204 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS VPC Flow Logs Deletion", + "sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS VPC Flow Logs Deletion", "sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6", "type": "query", "version": 209 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { + "min_stack_version": 
"8.3", "rule_name": "Suspicious SolarWinds Child Process", "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606", "type": "eql", "version": 110 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { + "min_stack_version": "8.3", "rule_name": "Encoded Executable Stored in the Registry", "sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851", "type": "eql", "version": 107 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Admin Role Deletion", + "sha256": "723578f77b081beb3b8a8da703208e1279aa15eba410de837d67b390c4334bbe", + "type": "query", + "version": 104 + } + }, "rule_name": "Google Workspace Admin Role Deletion", "sha256": "cab219f6e8b4ccaf91b7f6190f1d098c08ddc5b898d2e1566965ba6039a72657", "type": "query", "version": 205 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Modification of Standard Authentication Module or Configuration", + "sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f", + "type": "query", + "version": 104 + } + }, "rule_name": "Modification of Standard Authentication Module or Configuration", "sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30", "type": "new_terms", "version": 204 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { + "min_stack_version": "8.3", "rule_name": "Creation of Kernel Module", "sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533", "type": "eql", "version": 3 }, "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { + "min_stack_version": "8.3", "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", "sha256": "31677cdb4cb00d90106a66e1b086ad61ada306117acf7b0af9e17d13a96b91f0", "type": "eql", "version": 8 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + 
"max_allowable_version": 103, + "rule_name": "Google Workspace Custom Gmail Route Created or Modified", + "sha256": "0c7bcbc73caec8df64f6e5d9c2430357baaef7371ef1f47b25b5f5bd7f6edf7f", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Workspace Custom Gmail Route Created or Modified", "sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1", "type": "query", "version": 106 }, "951779c2-82ad-4a6c-82b8-296c1f691449": { + "min_stack_version": "8.3", "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", "sha256": "7675d578e4dd24bc57bd2bbf670bfc9415f87ba8a2f3ddf8e8a7c00d3641d5f6", "type": "query", "version": 1 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { + "min_stack_version": "8.3", "rule_name": "Remote Scheduled Task Creation", "sha256": "efc5bf9425039882bd50862795a48859ffe194bee570ae43e2268a9fbea9fe80", "type": "eql", "version": 108 }, "959a7353-1129-4aa7-9084-30746b256a70": { + "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c", "type": "query", "version": 108 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { + "min_stack_version": "8.8", "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", "sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9", "type": "eql", "version": 2 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { + "min_stack_version": "8.3", "rule_name": "File made Immutable by Chattr", "sha256": "c2d2cfe2f74f7c4a8901ab56d95245ba900ce8e18c828bf0a2ad894b6260731e", "type": "eql", @@ -4351,7 +5823,7 @@ "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Attempt to Create Okta API Token", "sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353", 
@@ -4365,30 +5837,53 @@ "version": 205 }, "96d11d31-9a79-480f-8401-da28b194608f": { + "min_stack_version": "8.6", "rule_name": "Potential Persistence Through MOTD File Creation Detected", "sha256": "bc9916d1a1cd785c77d6f24073b3b607cdcefc196480e1f09e5e734866ac7fb1", "type": "new_terms", "version": 9 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { + "min_stack_version": "8.7", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Access to Keychain Credentials Directories", + "sha256": "2860753d4532b37b174d6b8e3e1314b0a7a0b3f54b74a7899205e53bacbae0de", + "type": "eql", + "version": 107 + } + }, "rule_name": "Access to Keychain Credentials Directories", "sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63", "type": "eql", "version": 207 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { + "min_stack_version": "8.3", "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", "sha256": "a3cff32c0bdbd78533b034070c4a270116087312c08ff8511d9bfd520be44f36", "type": "eql", "version": 7 }, "97314185-2568-4561-ae81-f3e480e5e695": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "sha256": "5e3900d8aa0de4868a0980ccd44983433b4f857bddf099cf73275a57e5145c8f", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6", "type": "query", "version": 206 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { + "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Configuration Modification", "sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6", "type": "query", 
@@ -4402,6 +5897,16 @@ "version": 1 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS SAML Activity", + "sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS SAML Activity", "sha256": "37af41b152c5085758547bee67d9f0387f5f07fcba690c925338905f100cc43d", "type": "query", @@ -4410,7 +5915,7 @@ "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Potential Abuse of Repeated MFA Push Notifications", "sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4", @@ -4424,6 +5929,7 @@ "version": 209 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { + "min_stack_version": "8.3", "rule_name": "Suspicious Zoom Child Process", "sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976", "type": "eql", @@ -4436,6 +5942,7 @@ "version": 100 }, "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { + "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI Files", "sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39", "type": "eql", 
@@ -4448,108 +5955,169 @@ "version": 100 }, "97fc44d3-8dae-4019-ae83-298c3015600f": { + "min_stack_version": "8.3", "rule_name": "Startup or Run Key Registry Modification", "sha256": "361fc9bece9212d2816e83198a13e6951dc8e63c878162f552778218c8711684", "type": "eql", "version": 111 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", "sha256": "bca34a9cc93d913e9dd7b38378787f84bffb714c7a1ff0e76fe33c0b81cce627", "type": "eql", "version": 3 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { + "min_stack_version": "8.3", "rule_name": "Indirect Command Execution via Forfiles/Pcalua", "sha256": "1a205cf65c5d3958f5a75ef9944f9e7c7f8edc9dce54de95c5cc236303ed1416", "type": "eql", "version": 2 }, "9890ee61-d061-403d-9bf6-64934c51f638": { + "min_stack_version": "8.3", "rule_name": "GCP IAM Service Account Key Deletion", "sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff", "type": "query", "version": 104 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", + "sha256": "a8d4e67d87194878313ca642bb0cfef0c9fc3750c6cf26a8b74eeac52d8a0c9e", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", "sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c", "type": "query", "version": 206 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS EC2 Snapshot Activity", + "sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS EC2 Snapshot Activity", "sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1", "type": "query", "version": 209 
}, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { + "min_stack_version": "8.3", "rule_name": "Process Injection - Prevented - Elastic Endgame", "sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa", "type": "query", "version": 103 }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { + "min_stack_version": "8.3", "rule_name": "MacOS Installer Package Spawns Network Event", "sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584", "type": "eql", "version": 107 }, "994e40aa-8c85-43de-825e-15f665375ee8": { + "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "sha256": "482926261657f74d6e44dd1fcdcd25df11184139e079a28e9558d172a94bc94f", "type": "eql", "version": 4 }, "9960432d-9b26-409f-972b-839a959e79e2": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Potential Credential Access via LSASS Memory Dump", + "sha256": "51227a6967396d84ff70c0b13a8a92fe16f45b0f6824b1cafb1b648ea5d5fddd", + "type": "eql", + "version": 106 + } + }, "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "2a6ab34b2777b1c0c5811839d0fb72b2778f887ef1ff8f877e8c2a1d8158a292", "type": "eql", "version": 209 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { + "min_stack_version": "8.3", "rule_name": "Spike in Failed Logon Events", "sha256": "1a2c14a7384dc942a3ff18edf7acc8a80867ba7213895616cb80e917fa985a6f", "type": "machine_learning", "version": 104 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { + "min_stack_version": "8.3", "rule_name": "Endpoint Security", "sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d", "type": "query", "version": 103 }, "9a3884d0-282d-45ea-86ce-b9c81100f026": { + "min_stack_version": "8.3", "rule_name": "Unsigned BITS Service Client Process", "sha256": "6c6b0a4cca70f6f55c5b73ca65607b2b546521f99bef8c3eeec5a873a4cebdcf", "type": "eql", "version": 2 }, 
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "Potential Shadow File Read via Command Line Utilities", + "sha256": "956ccfb72b0b0545eedcac7869c1de45bcdc05490d5bf7c07da51f94442f4cf8", + "type": "eql", + "version": 6 + }, + "8.4": { + "max_allowable_version": 207, + "rule_name": "Potential Shadow File Read via Command Line Utilities", + "sha256": "25484718086d5b02486408a92befb4c3f5ad9114ca059168686f84ada6efb1c0", + "type": "new_terms", + "version": 108 + } + }, "rule_name": "Potential Shadow File Read via Command Line Utilities", "sha256": "6d3b04cf53c9662f1a011b9b8d0b412aa1fb0f3bfe1771f6a1807b4bf76c1780", "type": "new_terms", "version": 208 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { + "min_stack_version": "8.3", "rule_name": "Suspicious Explorer Child Process", "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7", "type": "eql", "version": 109 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { + "min_stack_version": "8.3", "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "70c14e4efec28255020d7227acf60ade921f89c6f4f6f20df7eefe9f083993ce", "type": "eql", "version": 109 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { + "min_stack_version": "8.3", "rule_name": "GitHub Owner Role Granted To User", "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c", "type": "eql", "version": 3 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { + "min_stack_version": "8.3", "rule_name": "Persistence via WMI Event Subscription", "sha256": "36be7f5bc34d95f4e0db0866f200db91e20c57104c47535e70c0579f42c47d7c", "type": "eql", 
@@ -4563,30 +6131,44 @@ "version": 2 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { + "min_stack_version": "8.3", "rule_name": "Hosts File Modified", "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2", "type": "eql", "version": 108 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { + "min_stack_version": "8.3", "rule_name": "Remote Scheduled Task Creation via RPC", "sha256": "0f64c28a181949a1efa09b4f30225af7c831dc379510fde5484cb91ebbe9059e", "type": "eql", "version": 8 }, "9c951837-7d13-4b0c-be7a-f346623c8795": { + "min_stack_version": "8.3", "rule_name": "Potential Enumeration via Active Directory Web Service", "sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1", "type": "eql", "version": 2 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { + "min_stack_version": "8.3", "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057", "type": "eql", "version": 110 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace User Group Access Modified to Allow External Access", + "sha256": "4ca64be8b81634872abafdfb31ec9ad8ac4825ceb19369bc47a5f59f0cd15968", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Workspace User Group Access Modified to Allow External Access", "sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd", "type": "query", 
@@ -4599,168 +6181,248 @@ "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Microsoft Build Engine Started by a Script Process", + "sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2", + "type": "eql", + "version": 105 + } + }, "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c", "type": "new_terms", "version": 209 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { + "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "c485e1358f4158ae03a14255b6d46e7c55467c0fadf17bb618b1ea57366ef1e1", "type": "eql", "version": 110 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { + "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "9821305b0eebf7cd0540a8a4af112f0cb88abf4dc3bbbe323ade7a203ccf4b08", "type": "eql", "version": 112 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { + "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Trusted Developer Utility", "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5", "type": "eql", "version": 110 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft Build Engine Started an Unusual Process", + "sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d", + "type": "eql", + "version": 106 + } + }, "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "88f6d6c995a534b5becc1676681e9c43a25e4a30332448f195ec5ae641b8b870", "type": "new_terms", "version": 211 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { + "min_stack_version": "8.3", "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": 
"91a18c0e34d966e4822caade08e77bf1677f953f76672f72c51ed95c86968438", "type": "query", "version": 106 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { + "min_stack_version": "8.3", "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", "sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8", "type": "eql", "version": 106 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Process Calling the Metadata Service", "sha256": "a8ec37b93c67426decc04bb1828dece6c21599efba58c2bcbdba4de0db24d7e5", "type": "machine_learning", "version": 103 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { + "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via EarthWorm", "sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079", "type": "eql", "version": 110 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { + "min_stack_version": "8.3", "rule_name": "Potential Credential Access via DCSync", "sha256": "d4d6d4838b5cf551986e8f7b4335f15eb0910a85ed8f40f695e52e1141147407", "type": "eql", "version": 113 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "File Permission Modification in Writable Directory", + "sha256": "6c93604ac3f7c4e56ba67f913a4b594887a31706b87f87c25ce6fe48e9608fc3", + "type": "eql", + "version": 106 + } + }, "rule_name": "File Permission Modification in Writable Directory", "sha256": "bb48a554acead2212b1c7f843dc9352b7f546a24999c026f249e82bfb88acd46", "type": "new_terms", "version": 210 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Access Secret in Secrets Manager", + "sha256": "8a809b35c09aae82a1f066892fa5746325703203ff96d57019f0c0566dc602fe", + "type": "query", + "version": 106 + }, + "8.6": { + "max_allowable_version": 307, + "rule_name": "First Time Seen AWS 
Secret Value Accessed in Secrets Manager", + "sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263", + "type": "new_terms", + "version": 208 + } + }, "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "sha256": "378a46774155bf6146f1d357c4e693e994e2122c127ec368b79c9186c4eea17e", "type": "new_terms", "version": 310 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { + "min_stack_version": "8.3", "rule_name": "A scheduled task was updated", "sha256": "f72866c48ccae69c487c9485afbf8ca05fc67403d5bda38d738920206c830645", "type": "eql", "version": 8 }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Python cap_setuid", "sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3", "type": "eql", "version": 3 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { + "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Topic Creation", "sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93", "type": "query", "version": 105 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { + "min_stack_version": "8.3", "rule_name": "InstallUtil Process Making Network Connections", "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f", "type": "eql", "version": 107 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { + "min_stack_version": "8.3", "rule_name": "File Deletion via Shred", "sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48", "type": "eql", "version": 109 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { + "min_stack_version": "8.3", "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "sha256": "90670896181f2ae7afdbd86f7ba48b393d39687df3d9ff84a3061265a8c90486", "type": "eql", "version": 106 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { + "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Distribution Installed", "sha256": 
"45960ca284b367be8f1699088f866e56e2c72c2a5205c1c1ac4a309354ab6119", "type": "eql", "version": 7 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { + "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Route Deletion", "sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99", "type": "query", "version": 104 }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { + "min_stack_version": "8.7", "rule_name": "My First Rule", "sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29", "type": "threshold", "version": 3 }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell Activity via Terminal", "sha256": "abc7a656bb0d4f63a1a6e01241d5070bd79d95767ddf50a96416c4cb1e21c0ea", "type": "eql", "version": 108 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { + "min_stack_version": "8.3", "rule_name": "Linux Group Creation", "sha256": "7fc88cc105fb44e6b06fe74f60102105a5d43b6174d0e52f9dafb31eda5b1bb7", "type": "eql", "version": 5 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { + "min_stack_version": "8.3", "rule_name": "DNS-over-HTTPS Enabled via Registry", "sha256": "6c0ebc416f6fb4c7549a97d6a862ad6d780640637db60c907841fa20c7c70d8a", "type": "eql", "version": 109 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", + "sha256": "337d1765f1495c27d1a5daf28740c34409d3a57bbf7be559211000d47dd66469", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", "sha256": "89b0c47b77b31a2b7c84dfe6195e371e6678e7153a116dd44c14e22eae50b16c", "type": "query", "version": 106 }, "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { + "min_stack_version": "8.3", "rule_name": "PowerShell Mailbox Collection Script", "sha256": 
"9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58", "type": "query", "version": 7 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { + "min_stack_version": "8.3", "rule_name": "Execution via local SxS Shared Module", "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525", "type": "eql", "version": 108 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { + "min_stack_version": "8.3", "rule_name": "Windows Registry File Creation in SMB Share", "sha256": "e99c94faaac0789d4c0eb4168bdc6ce7813ec01a2cecbf150147733d63850942", "type": "eql", @@ -4773,6 +6435,7 @@ "version": 100 }, "a52a9439-d52c-401c-be37-2785235c6547": { + "min_stack_version": "8.8", "rule_name": "Netcat Listener Established Inside A Container", "sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146", "type": "eql", 
@@ -4786,78 +6449,100 @@ "version": 2 }, "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { + "min_stack_version": "8.6", "rule_name": "Potential Reverse Shell via UDP", "sha256": "1576ee101633693a68c7a223bc0bf033bf243cde11d3831ca0ba638c6761c681", "type": "eql", "version": 6 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { + "min_stack_version": "8.3", "rule_name": "Potential SSH Brute Force Detected on Privileged Account", "sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22", "type": "eql", "version": 5 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Assume Role Policy Update", + "sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS IAM Assume Role Policy Update", "sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df", "type": "query", "version": 209 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { + "min_stack_version": "8.3", "rule_name": "Azure Active Directory PowerShell Sign-in", "sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372", "type": "query", "version": 105 }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { + "min_stack_version": "8.5", "rule_name": "Threat Intel Windows Registry Indicator Match", "sha256": "498e400e2ab211c23df18b38f3485b255be2cf09808ae8221fc1f70ecfd680b6", "type": "threat_match", "version": 6 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { + "min_stack_version": "8.3", "rule_name": "Suspicious MS Office Child Process", "sha256": "255c381e83fba4080d9c7a3ab7f1997d7a8cb5d664c64a8cd19f0be970ca8ae4", "type": "eql", "version": 112 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { + "min_stack_version": "8.3", "rule_name": "Emond Rules Creation or Modification", "sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287", "type": "eql", "version": 107 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": 
{ + "min_stack_version": "8.9", "rule_name": "High Mean of RDP Session Duration", "sha256": "22baca917bf8d8852f30384b7d4813aa7a370126e0338be3886963d94f2e6b8a", "type": "machine_learning", "version": 3 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { + "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler SPL File Created", "sha256": "ee29d9d05c756fbec35c09510be9ed92564671e5159b5e4afe4d9c4ff65d31ef", "type": "eql", "version": 111 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { + "min_stack_version": "8.3", "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "09276f9e697db4a2e29daddbecd34ad8fae5dcd59a2a81e1f5ef2bcfe9c3ba02", "type": "eql", "version": 110 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { + "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: POST Request Declined", "sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88", "type": "query", "version": 102 }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { + "min_stack_version": "8.3", "rule_name": "Suspicious File Downloaded from Google Drive", "sha256": "3d43bb8629f6abf3044732ac8445f0e4aff8492b8f21845bf1d349e73ab15295", "type": "eql", "version": 3 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { + "min_stack_version": "8.9", "rule_name": "High Variance in RDP Session Duration", "sha256": "0c85e6c7047aef4143e8ed835f2d0fcafad301de7eb334082e04ff5a498e5539", "type": "machine_learning", 
@@ -4870,126 +6555,183 @@ "version": 100 }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "sha256": "6414cc66c7c80d4240492b269f8c591d61734d2cec368c51642c367fcb0a0fda", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", "sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2", "type": "query", "version": 206 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Password Policy Modified", + "sha256": "6b7426c4610c0d99417b08152597279e42d5e7fb9b2a510913b106dddafe7abb", + "type": "query", + "version": 104 + } + }, "rule_name": "Google Workspace Password Policy Modified", "sha256": "de0ced40cd29bb489ca1a27d785bb3d66ba4d0711f5d8d42268c9f8cab7c7df9", "type": "query", "version": 205 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { + "min_stack_version": "8.3", "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "269e37223d35d504bd02023f1fc605e200979bbabb0ee082953950adaf35c4fd", "type": "eql", "version": 108 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { + "min_stack_version": "8.3", "rule_name": "IPSEC NAT Traversal Port Activity", "sha256": "8dcd8a517f60e962d4ebf18984358abb4a22823f7b32a4e918d1aa3645fa0fee", "type": "query", "version": 104 }, "aa8007f0-d1df-49ef-8520-407857594827": { + "min_stack_version": "8.3", "rule_name": "GCP IAM Custom Role Creation", "sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f", "type": "query", "version": 104 }, "aa895aea-b69c-4411-b110-8d7599634b30": { + "min_stack_version": "8.3", "rule_name": "System Log File Deletion", "sha256": "88dcf75e81a5a91c9684e0298310a93c5b5106d24091836c69728729c85e6246", "type": "eql", "version": 110 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": 
{ + "min_stack_version": "8.3", "rule_name": "Remotely Started Services via RPC", "sha256": "e72234fda58c725e6bbfb3c02d000a1276fc1ff4868a63532863b43b2780d3f8", "type": "eql", "version": 112 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { + "min_stack_version": "8.3", "rule_name": "Veeam Backup Library Loaded by Unusual Process", "sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3", "type": "eql", "version": 2 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { + "min_stack_version": "8.5", "rule_name": "Threat Intel Hash Indicator Match", "sha256": "fabef06c8a2e4298330aaf2e04e9c55737a516954c890d808e5d4a901aace9fe", "type": "threat_match", "version": 7 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { + "min_stack_version": "8.3", "rule_name": "Remote Execution via File Shares", "sha256": "8f4c528243e4b7fe54e84e7f66324d47f06fa299e52a0069c9f5d1cdea337050", "type": "eql", "version": 111 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "ac1ddf7a6cff4d90ca970314e03ccc69c8b2c416130ed735e10bbaf12458ff51", "type": "machine_learning", "version": 103 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { + "min_stack_version": "8.3", "rule_name": "Potential Persistence via Login Hook", "sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9", "type": "query", "version": 108 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { + "min_stack_version": "8.3", "rule_name": "Suspicious WerFault Child Process", "sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf", "type": "eql", "version": 112 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual AWS Command for a User", + "sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual AWS Command for 
a User", "sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49", "type": "machine_learning", "version": 208 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { + "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Server", "sha256": "be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9", "type": "eql", "version": 6 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { + "min_stack_version": "8.3", "rule_name": "Potential Invoke-Mimikatz PowerShell Script", "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21", "type": "query", "version": 108 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", + "sha256": "9977bfb82687f6ee557f2f9474b1cac3eb4b8c16af795908ef9b4a20ab600653", + "type": "query", + "version": 104 + } + }, "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", "sha256": "dff7c67640bd01423d897e090d914f6661f2ccbd00d363315a58d011cac71b65", "type": "query", "version": 205 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { + "min_stack_version": "8.3", "rule_name": "Potential Command and Control via Internet Explorer", "sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924", "type": "eql", "version": 106 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { + "min_stack_version": "8.3", "rule_name": "Potential macOS SSH Brute Force Detected", "sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9", "type": "threshold", "version": 108 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { + "min_stack_version": "8.3", "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a", "type": "eql", "version": 108 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { + "min_stack_version": "8.3", "rule_name": 
"Signed Proxy Execution via MS Work Folders", "sha256": "692d68785822926e449adf234c3a45035f0a8e73dd87386acac77931c9491543", "type": "eql", 
@@ -5002,96 +6744,121 @@ "version": 100 }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Custom Admin Role Created", + "sha256": "e28b9f491eae0c8a606f9d315389ac4a117e5d30674f8e4f4e1d3be16bc8d9c4", + "type": "query", + "version": 104 + } + }, "rule_name": "Google Workspace Custom Admin Role Created", "sha256": "d1699c4738c1bd1387584e6a38c367c2f869b0045f7b6e2c635535f2dded6307", "type": "query", "version": 205 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { + "min_stack_version": "8.3", "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d", "type": "query", "version": 110 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { + "min_stack_version": "8.3", "rule_name": "Kerberos Cached Credentials Dumping", "sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6", "type": "query", "version": 106 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { + "min_stack_version": "8.3", "rule_name": "Suspicious APT Package Manager Execution", "sha256": "9cbc1daea47fb821c72c3e512bbb09b857e9a4b44454631dfe45b495c8adc9fa", "type": "eql", "version": 2 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { + "min_stack_version": "8.3", "rule_name": "File Transfer or Listener Established via Netcat", "sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584", "type": "eql", "version": 110 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { + "min_stack_version": "8.3", "rule_name": "Suspicious Communication App Child Process", "sha256": "da78216a16bc023bec70850e08c999466fb372bf4f11fd44445aaed67089a16c", "type": "eql", "version": 4 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { + "min_stack_version": "8.3", "rule_name": "Suspicious File Creation via Kworker", "sha256": "80da89056385e4d385d191289e923d9442a852f1c96b7aeb235b36a9e4a0ca35", "type": "eql", "version": 3 }, 
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184", "type": "eql", "version": 5 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { + "min_stack_version": "8.6", "rule_name": "Shared Object Created or Changed by Previously Unknown Process", "sha256": "d43a905984d229cdcd4e06eb6b7f44f165c335ebfb4840dde015f22b680c1f92", "type": "new_terms", "version": 7 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { + "min_stack_version": "8.3", "rule_name": "Unusual User Privilege Enumeration via id", "sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123", "type": "eql", "version": 4 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { + "min_stack_version": "8.3", "rule_name": "Local Scheduled Task Creation", "sha256": "5291c4a420b199ea0cda7c00ad93a5114d95d9fcd73a07e12060d164eb0601e6", "type": "eql", "version": 107 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { + "min_stack_version": "8.3", "rule_name": "Network Activity Detected via cat", "sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6", "type": "eql", "version": 6 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Container Misconfiguration", "sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19", "type": "eql", "version": 5 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { + "min_stack_version": "8.3", "rule_name": "Timestomping using Touch Command", "sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4", "type": "eql", "version": 106 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { + "min_stack_version": "8.3", "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", "sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f", "type": "query", "version": 106 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { + 
"min_stack_version": "8.3", "rule_name": "Netsh Helper DLL", "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9", "type": "eql", 
@@ -5111,66 +6878,95 @@ "version": 100 }, "b2318c71-5959-469a-a3ce-3a0768e63b9c": { + "min_stack_version": "8.3", "rule_name": "Potential Network Share Discovery", "sha256": "fda7288ed57e11d03d2af7b74755b704d96c32f3c69abe245de1378438bd144f", "type": "eql", "version": 3 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { + "min_stack_version": "8.3", "rule_name": "Spike in Network Traffic", "sha256": "36d61f7dbb342836f5db53ce1a06141cecfee9ba6d09cbb69983df79202257e6", "type": "machine_learning", "version": 103 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { + "min_stack_version": "8.3", "rule_name": "Remote File Copy via TeamViewer", "sha256": "f9c74dae522f96b99ef91c8690d3294d5bb57ed3568290e9c6c2b4877c99bbd4", "type": "eql", "version": 111 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Unusual Volume of File Deletion", + "sha256": "0e2607bb68d167a217bd28be737c707eb6729cb8c449efd2f3c45064ba35fb07", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Unusual Volume of File Deletion", "sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf", "type": "query", "version": 206 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { + "min_stack_version": "8.3", "rule_name": "Network Connection via Compiled HTML File", "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b", "type": "eql", "version": 108 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Username", "sha256": "fe769843cd4082749444ae077951c9a8e2bfe4d74ba57fd091eacee470975016", "type": "machine_learning", "version": 103 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { + "min_stack_version": "8.3", "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "01e8d9f7974e3c66e2916edad7f04fe3fbd842ed064a7ac1067df9d6d61ecadf", "type": "eql", "version": 111 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { + 
"min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Built-in tools", "sha256": "204caab60a2c4641de7b31aaedca2147bb76d02c5e8bae82907f04607536563e", "type": "eql", "version": 7 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { + "min_stack_version": "8.3", "rule_name": "Potential Persistence via Atom Init Script Modification", "sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900", "type": "query", "version": 106 }, "b45ab1d2-712f-4f01-a751-df3826969807": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS STS GetSessionToken Abuse", + "sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS STS GetSessionToken Abuse", "sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670", "type": "query", "version": 206 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { + "min_stack_version": "8.3", "rule_name": "At.exe Command Lateral Movement", "sha256": "041e17a0cd55085d79466cf06aaa8ca81ef2b30a9e42291395534ce27ba0062a", "type": "eql", @@ -5179,7 +6975,7 @@ "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04", 
@@ -5193,42 +6989,49 @@ "version": 206 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via OverlayFS", "sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93", "type": "eql", "version": 5 }, "b5877334-677f-4fb9-86d5-a9721274223b": { + "min_stack_version": "8.3", "rule_name": "Clearing Windows Console History", "sha256": "0d87128fdfdcb58febe6605148de68b8ab413e129191227eca12360248a76681", "type": "eql", "version": 111 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { + "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "sha256": "7a7554033f500cdd7964ffd328c581dfbdd9b26c040569d42581504a70e468d3", "type": "eql", "version": 111 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { + "min_stack_version": "8.3", "rule_name": "Elastic Agent Service Terminated", "sha256": "8abfc44bc5f8a00effd8c97c81a841dcc2cbe6cd3e2da51a5b277f96c2baf671", "type": "eql", "version": 106 }, "b64b183e-1a76-422d-9179-7b389513e74d": { + "min_stack_version": "8.3", "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "1e8be0b94b78d86bb0d30e6a4e6d28c81c9c5bdf2b9494ac9c0d7fb465491bae", "type": "eql", "version": 109 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { + "min_stack_version": "8.3", "rule_name": "Potential Veeam Credential Access Command", "sha256": "e589053c5a7013b3bb2c3d76d1617fcdda617b6aa8dbfa31adf5e34b95f095d2", "type": "eql", "version": 1 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { + "min_stack_version": "8.3", "rule_name": "Azure Event Hub Authorization Rule Created or Updated", "sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09", "type": "query", 
@@ -5237,7 +7040,7 @@ "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8", @@ -5251,6 +7054,7 @@ "version": 206 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { + "min_stack_version": "8.3", "rule_name": "Potential Buffer Overflow Attack Detected", "sha256": "3e26fdf6574102a4aa2b239c1e4420684c6f3527b1aca67cf62cc4b42858a6f4", "type": "threshold", @@ -5259,7 +7063,7 @@ "b8075894-0b62-46e5-977c-31275da34419": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3", 
@@ -5273,132 +7077,190 @@ "version": 205 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { + "min_stack_version": "8.3", "rule_name": "Linux System Information Discovery", "sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61", "type": "eql", "version": 3 }, "b8386923-b02c-4b94-986a-d223d9b01f88": { + "min_stack_version": "8.3", "rule_name": "PowerShell Invoke-NinjaCopy script", "sha256": "40c977b1f7dad3726a8f0c97749e00256994f75580fd498135538a04857e663d", "type": "query", "version": 5 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { + "min_stack_version": "8.3", "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93", "type": "eql", "version": 108 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { + "min_stack_version": "8.3", "rule_name": "Network Connection via MsXsl", "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266", "type": "eql", "version": 106 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { + "min_stack_version": "8.3", "rule_name": "Kirbi File Creation", "sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f", "type": "eql", "version": 5 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d", "type": "eql", "version": 109 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { + "min_stack_version": "8.3", "rule_name": "Chkconfig Service Add", "sha256": "762949859141699af6a491db1a4f5b059db590cbadd27aa2267653760c23d23d", "type": "eql", "version": 111 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { + "min_stack_version": "8.3", "rule_name": "Discovery of Domain Groups", "sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677", "type": "eql", "version": 2 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { + "min_stack_version": "8.3", 
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", "sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c", "type": "threshold", "version": 4 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { + "min_stack_version": "8.3", "rule_name": "Group Policy Abuse for Privilege Addition", "sha256": "7e1d07811eee139eca2af001c453e529a605e642fafc1cadfeac9817862c3f0c", "type": "query", "version": 109 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { + "min_stack_version": "8.3", "rule_name": "Creation of Hidden Files and Directories via CommandLine", "sha256": "bbdba9f735a270571a5a0f1df636cdd573417d76ebf91c3ee006046ae88f685d", "type": "eql", "version": 110 }, "b9960fef-82c6-4816-befa-44745030e917": { + "min_stack_version": "8.3", "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "6cf76bf28c6818bd0c1e9cacc68a44909ca3c50f197b96e96bd34ffd2f935ec8", "type": "eql", "version": 109 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Network Activity", "sha256": "061e957d07cb102889f0ff1a1f4fa80b4f22eeefc5aad74fd2544ccf0852d5ad", "type": "machine_learning", "version": 103 }, "ba81c182-4287-489d-af4d-8ae834b06040": { + "min_stack_version": "8.3", "rule_name": "Kernel Driver Load by non-root User", "sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844", "type": "eql", "version": 3 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { + "min_stack_version": "8.3", "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671", "type": "eql", "version": 109 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { + "min_stack_version": "8.3", "rule_name": "Azure Resource Group Deletion", "sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576", "type": "query", "version": 102 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { + "min_stack_version": "8.9", + "previous": { + "8.3": { 
+ "max_allowable_version": 204, + "rule_name": "AWS EC2 Encryption Disabled", + "sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Encryption Disabled", "sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834", "type": "query", "version": 206 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "OneDrive Malware File Upload", + "sha256": "4f273dae13ee4bb9564a60c6771439fc10cd7f3357de2aa65839ff10d4cde814", + "type": "query", + "version": 106 + } + }, "rule_name": "OneDrive Malware File Upload", "sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa", "type": "query", "version": 206 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { + "min_stack_version": "8.3", "rule_name": "Potential SYN-Based Network Scan Detected", "sha256": "8413e204b3d4d4145ea9cfe859daf5ecaf39fd776bf87f7090a82205de0b5b52", "type": "threshold", "version": 5 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "sha256": "f4f0da241f45040111a47879928011d3b90da922010348154b5cb1c44d2f24ee", + "type": "query", + "version": 107 + } + }, "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", "sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3", "type": "query", "version": 207 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Root Login Without MFA", + "sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Root Login Without MFA", "sha256": 
"82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157", "type": "query", "version": 209 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { + "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Deletion", "sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d", "type": "query", 
@@ -5412,168 +7274,223 @@ "version": 2 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { + "min_stack_version": "8.3", "rule_name": "Attempt to Install Root Certificate", "sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972", "type": "query", "version": 106 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { + "min_stack_version": "8.3", "rule_name": "Azure Conditional Access Policy Modified", "sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c", "type": "query", "version": 102 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { + "min_stack_version": "8.3", "rule_name": "Potential Non-Standard Port SSH connection", "sha256": "68365d0090a647d05f3396ace9d86f2c79f607bef610741ce9c4240ccfa0de26", "type": "eql", "version": 5 }, "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { + "min_stack_version": "8.3", "rule_name": "File and Directory Permissions Modification", "sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139", "type": "eql", "version": 2 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { + "min_stack_version": "8.3", "rule_name": "GCP Service Account Disabled", "sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace", "type": "query", "version": 104 }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { + "min_stack_version": "8.9", "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "sha256": "37e01c0b463876a5acee70bb565d205c8a2e8c5a7b3d99a24e16939f97360a9f", "type": "query", "version": 3 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { + "min_stack_version": "8.3", "rule_name": "PowerShell Keylogging Script", "sha256": "92008de004bfec5733b4d1f7cd48ddbe75ac79f7f3c92d54d71bd7f5447d260d", "type": "query", "version": 112 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { + "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via CMSTP.exe", "sha256": "f9a5163bfb60ec1ac26ac681518a193a85b03a87dac342a3579a7b2ae3628e0b", "type": "eql", "version": 2 }, 
"bd7eefee-f671-494e-98df-f01daf9e5f17": { + "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "6214fb2abc887c66d7d514ccfc914faf98cb9befe4cb35f2f58a0e300787eb5c", "type": "eql", "version": 106 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { + "min_stack_version": "8.3", "rule_name": "Potential Pspy Process Monitoring Detected", "sha256": "3ebba1b3c0653e611e5c1abc4e917c868371220b6fb55954eafa7a8d7c6cf5fe", "type": "eql", "version": 7 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { + "min_stack_version": "8.3", "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", "sha256": "c437d0e4938701b867702b775bb69d57f44e45a03be5d63d90f0dcde14ccbf39", "type": "eql", "version": 108 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { + "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", "sha256": "84baf4890842c179a0724a3835388a16dedfe1046dfd94a9b617aa56b37a7a2f", "type": "machine_learning", "version": 4 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { + "min_stack_version": "8.9", "rule_name": "Unusual Remote File Directory", "sha256": "f6b1ce1e97f8a9dd95bb99809d5d9a7bab6a0922fb0861afadc24970477e3b3f", "type": "machine_learning", "version": 3 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { + "min_stack_version": "8.3", "rule_name": "Searching for Saved Credentials via VaultCmd", "sha256": "a22b02dc207eed11a68b3bf9569d0f06d0bfcc3b14a71b32fc505ee86b53aed4", "type": "eql", "version": 109 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Snapshot Restored", + "sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Snapshot Restored", "sha256": "867302d2c993c7e6bb06acb3bb9784e8de51117e6d0fdd1a5a8e040e24fab59f", "type": "query", "version": 206 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { + 
"min_stack_version": "8.3", "rule_name": "System Owner/User Discovery Linux", "sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df", "type": "eql", "version": 3 }, "bfba5158-1fd6-4937-a205-77d96213b341": { + "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", "sha256": "385716bc0770d6b023580d5b0a92a34581e351560a3bd43bd4ce2b3b01ef84c1", "type": "machine_learning", "version": 3 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { + "min_stack_version": "8.3", "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "sha256": "630b95897e137de2d3ff315926d388d39ed6ad5c19948a8fe0cb4c564d32b99e", "type": "eql", "version": 111 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { + "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", "sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579", "type": "eql", "version": 107 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { + "min_stack_version": "8.3", "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "8020f015d723e31af612bbc7e570f0f7a2bf57c3cc13447eb5bccd3e39385ca8", "type": "eql", "version": 109 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { + "min_stack_version": "8.3", "rule_name": "Memory Dump File with Unusual Extension", "sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c", "type": "eql", "version": 2 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { + "min_stack_version": "8.3", "rule_name": "Credential Manipulation - Detected - Elastic Endgame", "sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3", "type": "query", "version": 103 }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { + "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI index.html File", "sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa", "type": "eql", "version": 6 }, 
"c1812764-0788-470f-8e74-eb4a14d47573": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Full Network Packet Capture Detected", + "sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Full Network Packet Capture Detected", "sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63", "type": "query", "version": 206 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 100, + "rule_name": "Unsigned DLL Loaded by a Trusted Process", + "sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878", + "type": "eql", + "version": 1 + } + }, "rule_name": "Unsigned DLL Loaded by a Trusted Process", "sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43", "type": "eql", "version": 102 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { + "min_stack_version": "8.3", "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": "03334e1d43f8d53c06b92628435b5af954f2211ff41ff4ed7467bf8a8065cdef", "type": "eql", "version": 110 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Connection Discovery", "sha256": "197e0ebe16417250c895c6ab8ef0894bdebdd8535da44dc8426106a4eb63b02d", "type": "machine_learning", "version": 103 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { + "min_stack_version": "8.3", "rule_name": "Persistence via Folder Action Script", "sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa", "type": "eql", 
@@ -5587,96 +7504,112 @@ "version": 2 }, "c2d90150-0133-451c-a783-533e736c12d7": { + "min_stack_version": "8.3", "rule_name": "Mshta Making Network Connections", "sha256": "7b3bec275d247d0cc1c4772be5f41fcfca282df6146f830777ed87b4c663f7e5", "type": "eql", "version": 107 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { + "min_stack_version": "8.3", "rule_name": "Permission Theft - Detected - Elastic Endgame", "sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5", "type": "query", "version": 103 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { + "min_stack_version": "8.3", "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156", "type": "eql", "version": 107 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { + "min_stack_version": "8.3", "rule_name": "Potential JAVA/JNDI Exploitation Attempt", "sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8", "type": "eql", "version": 104 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { + "min_stack_version": "8.3", "rule_name": "Mounting Hidden or WebDav Remote Shares", "sha256": "a814b9dc474566b81d9b80f83a1fbb21d506490be5d1a791c6a040402576193e", "type": "eql", "version": 109 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { + "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler File Deletion", "sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff", "type": "eql", "version": 107 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { + "min_stack_version": "8.3", "rule_name": "Windows System Network Connections Discovery", "sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4", "type": "eql", "version": 4 }, "c55badd3-3e61-4292-836f-56209dc8a601": { + "min_stack_version": "8.3", "rule_name": "Attempted Private Key Access", "sha256": "92447cf8bb6de4a626ecd420b9c64922484cb49f216d13292e833c1abdb4786c", "type": "eql", "version": 3 }, "c5677997-f75b-4cda-b830-a75920514096": { + 
"min_stack_version": "8.3", "rule_name": "Service Path Modification via sc.exe", "sha256": "6d70ac346b080bca5ad2083c56ff66bd01f63204483b047353855e7898b39862", "type": "eql", "version": 3 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { + "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Shadowing Activity", "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a", "type": "eql", "version": 109 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { + "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Network Deletion", "sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276", "type": "query", "version": 104 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { + "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f", "type": "eql", "version": 108 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { + "min_stack_version": "8.3", "rule_name": "Installation of Custom Shim Databases", "sha256": "7ea702b1b6d7a8309d8d11e16505cb9ca2a3b1c906e7aeadacdefea24d0397b6", "type": "eql", "version": 108 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { + "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "a8e1a000f912f5f42f3894fdca0458d10666994f165781a4fbd5db031f5a6712", "type": "eql", "version": 110 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { + "min_stack_version": "8.3", "rule_name": "CyberArk Privileged Access Security Recommended Monitor", "sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f", "type": "query", "version": 102 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { + "min_stack_version": "8.3", "rule_name": "Remote File Download via MpCmdRun", "sha256": "3338fefccfc7c7d86404c1a054f09f2b43fdbeadba93b27dcfe7c04d6994303f", "type": "eql", 
@@ -5691,7 +7624,7 @@ "c749e367-a069-4a73-b1f2-43a3798153ad": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a", @@ -5707,7 +7640,7 @@ "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Attempt to Modify an Okta Application", "sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0", 
@@ -5721,48 +7654,65 @@ "version": 205 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { + "min_stack_version": "8.3", "rule_name": "Unusual Network Connection via DllHost", "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6", "type": "eql", "version": 107 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Privileged Pod Created", + "sha256": "e431240326e0ddb66017b695a15db0269ad7b4e5bde7cf37b10f01159fb9da19", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Privileged Pod Created", "sha256": "276c33d57b4e3046ff3bf3eab838110627d9f8d9214a01036a62561084c6073a", "type": "query", "version": 203 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { + "min_stack_version": "8.3", "rule_name": "Unusual File Modification by dns.exe", "sha256": "b865aba340d622e5f6840586849e814be1e565d1c59e1fcba5509683315c91cf", "type": "eql", "version": 110 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { + "min_stack_version": "8.3", "rule_name": "Spike in Network Traffic To a Country", "sha256": "93087ad72f05b99dd3bc9858cd5edfd5ed9d21a4afa6e01d0d798e78b4e9ab61", "type": "machine_learning", "version": 104 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { + "min_stack_version": "8.3", "rule_name": "Persistence via Docker Shortcut Modification", "sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37", "type": "query", "version": 107 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { + "min_stack_version": "8.3", "rule_name": "SMB (Windows File Sharing) Activity to the Internet", "sha256": "6420c0fe2bee67b51779e539f2cfe3b480539c36abf148d1d69db79d6f2e8f67", "type": "query", "version": 103 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { + "min_stack_version": "8.3", "rule_name": "Direct Outbound SMB Connection", "sha256": "a30cf230b1215a2e0fd884167dfbb8fd92e5b63fa7a5cb2c9e9a8a306316de4d", "type": "eql", "version": 110 }, 
"c85eb82c-d2c8-485c-a36f-534f914b7663": { + "min_stack_version": "8.3", "rule_name": "Virtual Machine Fingerprinting via Grep", "sha256": "a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827", "type": "eql", 
@@ -5775,48 +7725,65 @@ "version": 100 }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { + "min_stack_version": "8.3", "rule_name": "Parent Process PID Spoofing", "sha256": "43c26bdd413e7e6c52b50b9c579663b2ab48285b83a1f794fd636727baf21733", "type": "eql", "version": 106 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Ransomware Note Creation Detected", "sha256": "a6ee22bb7fef22f21c9792186337bc557bd1aaba670d4de8d077fd7892d46ad2", "type": "eql", "version": 8 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { + "min_stack_version": "8.3", "rule_name": "Suspicious Startup Shell Folder Modification", "sha256": "a3f4ddc31c6570250920dc60269e68ec6344884c88aba870fb9998c5c1fb5319", "type": "eql", "version": 110 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { + "min_stack_version": "8.3", "rule_name": "Disabling Windows Defender Security Settings via PowerShell", "sha256": "2326092f64de27cbf684cdd4130d6f8695d0a42277b02fff7ebcc62350e56411", "type": "eql", "version": 110 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { + "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Communication Apps", "sha256": "b8c86e533a37c36a2eaef8f1d48ca8aa5a24b6665dc2328de3b3cc5eb1d2ad51", "type": "eql", "version": 5 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { + "min_stack_version": "8.3", "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", "sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3", "type": "query", "version": 103 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "sha256": "fdddb91dc8eaf01e3cca5626ab5e3b2c4ef51e15a8544385057399574b3d9b3b", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82", 
"type": "query", "version": 206 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { + "min_stack_version": "8.4", "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", "sha256": "6b71d73f704e96ab028ab9aa5fef9a3b487e35fe5cc322c1a118c9102720af9a", "type": "eql", @@ -5829,18 +7796,39 @@ "version": 100 }, "cac91072-d165-11ec-a764-f661ea17fbce": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Abnormal Process ID or Lock File Created", + "sha256": "6ab73acfdcd8636a87c0fd8b1342d5e96de8cbd74ed0e4f4dbb689c32a3cbffa", + "type": "eql", + "version": 108 + } + }, "rule_name": "Abnormal Process ID or Lock File Created", "sha256": "b4f2c9fe5dcc43eb113d00600fc6a7ca5091c0957af96c084ee2d9a790aa3a2a", "type": "new_terms", "version": 213 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Google Workspace MFA Enforcement Disabled", + "sha256": "a8e10bb292478990aa0c82694fcd3621b81383a8058b87a25449238641d59e3b", + "type": "query", + "version": 107 + } + }, "rule_name": "Google Workspace MFA Enforcement Disabled", "sha256": "8a1f92b90737453373b48d24dd4dfd6e29615794a9ccaf5df7ba1a0ecf5d5e2a", "type": "query", "version": 207 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { + "min_stack_version": "8.3", "rule_name": "Suspicious Calendar File Modification", "sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da", "type": "query", @@ -5853,6 +7841,7 @@ "version": 100 }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { + "min_stack_version": "8.3", "rule_name": "Attempt to Enable the Root Account", "sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d", "type": "query", 
@@ -5866,18 +7855,30 @@ "version": 2 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { + "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", "sha256": "fe1015d6d9d15270cdedd676b577c3057d2552db4ce585e3c82437e7999cc037", "type": "machine_learning", "version": 3 }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace User Organizational Unit Changed", + "sha256": "50eab7a58d52dc1eb0e8d8af2d5ca140762dfdf60970d1e7d5fcbf80aff362f4", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Workspace User Organizational Unit Changed", "sha256": "98638b8378e232c3d8a54f3b4ec12fa3eae908ba56a658c7557b22c25766b823", "type": "query", "version": 106 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { + "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Subscription Deletion", "sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408", "type": "query", @@ -5886,7 +7887,7 @@ "cc92c835-da92-45c9-9f29-b4992ad621a0": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999", @@ -5900,6 +7901,7 @@ "version": 207 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { + "min_stack_version": "8.3", "rule_name": "Potential Process Herpaderping Attempt", "sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2", "type": "eql", @@ -5908,7 +7910,7 @@ "cd16fb10-0261-46e8-9932-a0336278cdbe": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6", 
@@ -5928,18 +7930,21 @@ "version": 100 }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { + "min_stack_version": "8.3", "rule_name": "Anomalous Linux Compiler Activity", "sha256": "ac7fe1661692762ebf3969e3980d674808ea8cf32e188619fd6e08de268af793", "type": "machine_learning", "version": 103 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { + "min_stack_version": "8.3", "rule_name": "Kernel Module Removal", "sha256": "8e7fd75b780b1265825a7a783ea3000b983acf3ce3100a49edb797139b01e31f", "type": "eql", "version": 109 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { + "min_stack_version": "8.3", "rule_name": "Downloaded URL Files", "sha256": "1a31489f793c58d433963910d8327747a3e7824bf11685358836a38183e8aca0", "type": "eql", @@ -5948,7 +7953,7 @@ "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate MFA for an Okta User Account", "sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7", @@ -5964,7 +7969,7 @@ "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Okta User Session Impersonation", "sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5", @@ -5980,7 +7985,7 @@ "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 110, "rule_name": "Potential PowerShell HackTool Script by Function Names", "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa", 
@@ -5994,84 +7999,107 @@ "version": 111 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { + "min_stack_version": "8.8", "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca", "type": "new_terms", "version": 1 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { + "min_stack_version": "8.3", "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "38c701cbddca58faa29370862beddbbc9839ee8f8ef4985c006e2f03acecfdb7", "type": "eql", "version": 109 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { + "min_stack_version": "8.3", "rule_name": "Cobalt Strike Command and Control Beacon", "sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967", "type": "query", "version": 105 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Domain Added to Google Workspace Trusted Domains", + "sha256": "c773965d1c83361d3745d38a93d9ac9380056a79a5f3d4ebff542d94a9a369ce", + "type": "query", + "version": 104 + } + }, "rule_name": "Domain Added to Google Workspace Trusted Domains", "sha256": "15e692b56a4792a0434440ea85ef264cbfb31e1ebd9bdc618a03987f928a53a1", "type": "query", "version": 205 }, "cf575427-0839-4c69-a9e6-99fde02606f3": { + "min_stack_version": "8.6", "rule_name": "Unusual Discovery Activity by User", "sha256": "2dec950ffa14b4863a879f391b045196709a774f032c8bc35d8f61ba20e2bfff", "type": "new_terms", "version": 1 }, "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { + "min_stack_version": "8.3", "rule_name": "Trap Signals Execution", "sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4", "type": "eql", "version": 2 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { + "min_stack_version": "8.3", "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "1e5d776df1e502f5d444b1a1e6cdcfc3de4ad784a603e7e0f23aaed9eae2f766", "type": "eql", 
"version": 112 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { + "min_stack_version": "8.3", "rule_name": "Archive File with Unusual Extension", "sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3", "type": "eql", "version": 2 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { + "min_stack_version": "8.3", "rule_name": "Namespace Manipulation Using Unshare", "sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e", "type": "eql", "version": 9 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { + "min_stack_version": "8.8", "rule_name": "AWS Credentials Searched For Inside A Container", "sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e", "type": "eql", "version": 1 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { + "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppInit DLL", "sha256": "4ec85ed3f6241a6015c998b91cdbbcf438629be2a40cdbfce1a173ebabd7c292", "type": "eql", "version": 110 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { + "min_stack_version": "8.3", "rule_name": "Symbolic Link to Shadow Copy Created", "sha256": "c8d1d7cc4181248cc8906dbc6d37aa62c162ed9bde92f7b4daf42b912e451197", "type": "eql", "version": 111 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { + "min_stack_version": "8.3", "rule_name": "Expired or Revoked Driver Loaded", "sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2", "type": "eql", "version": 5 }, "d197478e-39f0-4347-a22f-ba654718b148": { + "min_stack_version": "8.3", "rule_name": "Compression DLL Loaded by Unusual Process", "sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce", "type": "eql", 
@@ -6084,36 +8112,42 @@ "version": 100 }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { + "min_stack_version": "8.3", "rule_name": "Potential Microsoft Office Sandbox Evasion", "sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2", "type": "query", "version": 106 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { + "min_stack_version": "8.3", "rule_name": "Disabling User Account Control via Registry Modification", "sha256": "603191c9e9fe22a6f972c18bfb548360ab4f4b1378a58e8a4a24479548e8b1d0", "type": "eql", "version": 110 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { + "min_stack_version": "8.3", "rule_name": "Clearing Windows Event Logs", "sha256": "1c0780a844be282bd8fdfb0d608fa65473ba2d01d1a5be9e50e2e08039542576", "type": "eql", "version": 112 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { + "min_stack_version": "8.3", "rule_name": "Remote Windows Service Installed", "sha256": "63102ba4aec4aaab713fffceebe688d706bb41cdf8bcf23d4055467011cb9fb9", "type": "eql", "version": 6 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { + "min_stack_version": "8.3", "rule_name": "WMI WBEMTEST Utility Execution", "sha256": "76b2081709ea9b401fc695d779a14dfa839fbd99eb19c8510b2ea6c5f7e7b4f4", "type": "eql", "version": 2 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { + "min_stack_version": "8.3", "rule_name": "Shell Execution via Apple Scripting", "sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd", "type": "eql", @@ -6122,7 +8156,7 @@ "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Attempt to Delete an Okta Application", "sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7", 
@@ -6136,30 +8170,35 @@ "version": 205 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { + "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", "sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7", "type": "query", "version": 102 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux System Information Discovery Activity", "sha256": "1823af90ab9f82af85f6752bb44ce24df6e0ef1e0722d477f91a55675de28c8f", "type": "machine_learning", "version": 103 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { + "min_stack_version": "8.3", "rule_name": "Unusual Source IP for a User to Logon from", "sha256": "b9964a7773745de7f347665b66883623fc60d4e0e4a004d0b7e3b5cd79694041", "type": "machine_learning", "version": 103 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { + "min_stack_version": "8.3", "rule_name": "Linux init (PID 1) Secret Dump via GDB", "sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06", "type": "eql", "version": 6 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", "sha256": "4408eb01f3714ecf0f5cee312dafd363a2fbbc4a368846ab78b257fdcfef9924", "type": "eql", @@ -6173,6 +8212,7 @@ "version": 3 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { + "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Windir Environment Variable", "sha256": "42e3e1682134a7ed8c26d9a5ce2bcf4830d6a7af85268a0d2455a75e23119f6c", "type": "eql", @@ -6181,7 +8221,7 @@ "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6", 
@@ -6195,18 +8235,30 @@ "version": 206 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { + "min_stack_version": "8.3", "rule_name": "Service Command Lateral Movement", "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42", "type": "eql", "version": 107 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Log Stream Deletion", + "sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Log Stream Deletion", "sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578", "type": "query", "version": 209 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { + "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Subscription Creation", "sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4", "type": "query", 
@@ -6219,102 +8271,155 @@ "version": 100 }, "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { + "min_stack_version": "8.3", "rule_name": "System Information Discovery via Windows Command Shell", "sha256": "e564b576c629a29ec8088864b78c7c81c8d46453cc5e038a33fdd24d4a3a2641", "type": "eql", "version": 10 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", + "sha256": "3fa1ccf28083380bbb7d71135b1b5ab0753f90d5fde3ecdeda2cb4ffc6ae81aa", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91", "type": "query", "version": 206 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { + "min_stack_version": "8.3", "rule_name": "Modification of WDigest Security Provider", "sha256": "c7b2137213e37ccba915d2c30fa260188c065d8e939c56b72e4fd1f4001d72df", "type": "eql", "version": 109 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { + "min_stack_version": "8.3", "rule_name": "Command Execution via SolarWinds Process", "sha256": "84b33e85f61fe174e8ec6980e6480028773e96980d267505f090cfa2d2460192", "type": "eql", "version": 111 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "sha256": "4a8ffe50aa43eaf2654ac6a51517203a86c2951828434a1cb60bb435707c5a6b", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d", "type": "query", "version": 206 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { + "min_stack_version": "8.3", "rule_name": "Suspicious Memory grep Activity", "sha256": "b142483255de74b46aa32d1dd3a28f2821bb97997be6bae899e84c0d30fa9165", "type": 
"eql", "version": 2 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { + "min_stack_version": "8.7", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "SystemKey Access via Command Line", + "sha256": "48b8b3a40209f6422060e3de267b79054f2ad0313fc42c4cef21decadf490f4d", + "type": "query", + "version": 106 + } + }, "rule_name": "SystemKey Access via Command Line", "sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091", "type": "query", "version": 206 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { + "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Python", "sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541", "type": "eql", "version": 110 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { + "min_stack_version": "8.3", "rule_name": "Azure Blob Permissions Modification", "sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f", "type": "query", "version": 103 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { + "min_stack_version": "8.3", "rule_name": "Spike in Logon Events", "sha256": "d252490036f46e2d8c44e6c0aec56feb27ef9539cd83c5430534df5a0189a203", "type": "machine_learning", "version": 103 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { + "min_stack_version": "8.3", "rule_name": "SMTP on Port 26/TCP", "sha256": "8bf03857acd5416922cae6018a42266418009a83c60f4fa6388d0ac603af5f0b", "type": "query", "version": 104 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { + "min_stack_version": "8.3", "rule_name": "Untrusted Driver Loaded", "sha256": "9b90c86424390fccfc1959785af10eeade5e654612545617582dca1058cb17b8", "type": "eql", "version": 8 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Deactivation of MFA Device", + "sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS IAM Deactivation of MFA 
Device", "sha256": "e70bcba5f981ab9bc5d058baf0631ea65c4172e55502ae1f6b6fceeca1035906", "type": "query", "version": 209 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { + "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "32bc4e3bb16d80971b9c8bb068a743e7041477c34017d3fd5a9f1f42ca4873b1", "type": "eql", "version": 111 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { + "min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Registry", "sha256": "9ebf3042fc83b25b6a39a0cc87927cefb341ebb08bcce8749b4e07166ba98d0d", "type": "eql", "version": 9 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { + "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "sha256": "6ede570261a72bdcdf1e10f2f1fa1f9d331da8df7293f982df1b311120e88083", "type": "query", "version": 3 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { + "min_stack_version": "8.3", "rule_name": "Suspicious Service was Installed in the System", "sha256": "21882fe93edaef610a0b27aef9155e98576d28411bb1deb9914a0163f9f81694", "type": "eql", 
@@ -6327,36 +8432,42 @@ "version": 100 }, "daafdf96-e7b1-4f14-b494-27e0d24b11f6": { + "min_stack_version": "8.4", "rule_name": "Potential Pass-the-Hash (PtH) Attempt", "sha256": "fb420a72b427d67311f02098a93854b2a6bd5c733b6cbca4275ee920329b9b9e", "type": "new_terms", "version": 3 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { + "min_stack_version": "8.3", "rule_name": "Multi-Factor Authentication Disabled for an Azure User", "sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee", "type": "query", "version": 105 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { + "min_stack_version": "8.3", "rule_name": "Network-Level Authentication (NLA) Disabled", "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474", "type": "eql", "version": 3 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { + "min_stack_version": "8.3", "rule_name": "Execution via Windows Subsystem for Linux", "sha256": "3bcb0230882be5c94ef22fde8ca625bfde5e40e20e1e545cf8a0f68d01c7e8f3", "type": "eql", "version": 6 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { + "min_stack_version": "8.3", "rule_name": "Credential Dumping - Prevented - Elastic Endgame", "sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65", "type": "query", "version": 103 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { + "min_stack_version": "8.3", "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", "sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0", "type": "eql", 
@@ -6369,90 +8480,132 @@ "version": 100 }, "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { + "min_stack_version": "8.3", "rule_name": "Potential Hidden Process via Mount Hidepid", "sha256": "abccbf694da0eb306df7f606501df6d3e19475e12fbcd106342e187528d0ecf7", "type": "eql", "version": 8 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { + "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via WMIC", "sha256": "2d9e1771d9606f5f38126860db0e8757d223c30ae4a1b3b93d60ac17b0127a99", "type": "eql", "version": 110 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual Country For an AWS Command", + "sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual Country For an AWS Command", "sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561", "type": "machine_learning", "version": 208 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution from INET Cache", "sha256": "6b58cc9b14a7fac5ea7f584782e3f3c7161f78158b1ce3fe3c33928ebba3d84d", "type": "eql", "version": 2 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { + "min_stack_version": "8.3", "rule_name": "Attempt to Install Kali Linux via WSL", "sha256": "51ebf76d12a58d9db10b3a9d16c79ee0ae0672fa77f9fd0682b3796a7520351a", "type": "eql", "version": 7 }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { + "min_stack_version": "8.3", "rule_name": "Reverse Shell Created via Named Pipe", "sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c", "type": "eql", "version": 6 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { + "min_stack_version": "8.3", "rule_name": "NullSessionPipe Registry Modification", "sha256": "6c3d142ca53ffc037b333b4699eb891e35c11d1ca95aa3ae6347fb173bc33735", "type": "eql", "version": 108 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { + 
"min_stack_version": "8.3", "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "0a0a64ff02f4040cf251994361f673fa3c6618edb6d38387c8adf5f5749f4b5a", "type": "eql", "version": 110 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { + "min_stack_version": "8.3", "rule_name": "Base16 or Base32 Encoding/Decoding Activity", "sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977", "type": "eql", "version": 110 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 101, + "rule_name": "Query Registry using Built-in Tools", + "sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd", + "type": "eql", + "version": 2 + } + }, "rule_name": "Query Registry using Built-in Tools", "sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd", "type": "new_terms", "version": 105 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { + "min_stack_version": "8.6", "rule_name": "First Time Seen Driver Loaded", "sha256": "7e66246ea00c9698fbfa57311793c02739cbad96d59bd88bbda9dbc752e4ac58", "type": "new_terms", "version": 7 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "d7b5f6ca8779a491a009ef24fa38c89815905e818546c5671f5dc05bd505e3ce", "type": "machine_learning", "version": 103 }, "df26fd74-1baa-4479-b42e-48da84642330": { + "min_stack_version": "8.3", "rule_name": "Azure Automation Account Created", "sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669", "type": "query", "version": 102 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { + "min_stack_version": "8.3", "rule_name": "Dynamic Linker Copy", "sha256": "abf419807a9782b1ea278f1682ee0d5be74e340e248aa42cb3303c3a41892725", "type": "eql", "version": 108 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 
199, + "rule_name": "Kubernetes Pod Created With HostPID", + "sha256": "8504c3a7241f7cfb70d23f3d06e6f6c5191c15f0ac37578efdc476c6230b04a6", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Pod Created With HostPID", "sha256": "b912b62e03d307861dc557cdbfc8fe17d54f7b8a394fee4ec9e46e4539393622", "type": "query", @@ -6465,30 +8618,35 @@ "version": 100 }, "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { + "min_stack_version": "8.3", "rule_name": "Potential privilege escalation via CVE-2022-38028", "sha256": "6c482e61313171b3dc7b0d4085b1103871e12cb403c6fa1d2048781f9e805253", "type": "eql", "version": 1 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { + "min_stack_version": "8.3", "rule_name": "Delayed Execution via Ping", "sha256": "c6fa799b2b134a4e7c34302b0b8f543c54dd38aaba6bfa93b1933a3374e41c71", "type": "eql", "version": 2 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { + "min_stack_version": "8.3", "rule_name": "Azure Firewall Policy Deletion", "sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0", "type": "query", "version": 102 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { + "min_stack_version": "8.3", "rule_name": "KRBTGT Delegation Backdoor", "sha256": "13d64c92f3533756a0657f2f8db2a099ab8cf25d1b5d1722dc5b880ec815bf34", "type": "query", "version": 107 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { + "min_stack_version": "8.3", "rule_name": "System Service Discovery through built-in Windows Utilities", "sha256": "c1e96e42705eb2de534b4ce6fa40b16c522e2bb6f8f8a0f0ff6ea140ff22680b", "type": "eql", @@ -6497,7 +8655,7 @@ "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "8e33c2c08ab3335a16db298608f1b8b793646a2abf1362acb2c0f316433293d0", 
@@ -6511,54 +8669,81 @@ "version": 208 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { + "min_stack_version": "8.3", "rule_name": "Potentially Suspicious Process Started via tmux or screen", "sha256": "da9fb3e751cf2aca3b76ff6969e48fb1e4f477f4832888b32a57290109f5982a", "type": "eql", "version": 4 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { + "min_stack_version": "7.16", "rule_name": "Whitespace Padding in Process Command Line", "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", "type": "eql", "version": 100 }, "e0f36de1-0342-453d-95a9-a068b257b053": { + "min_stack_version": "8.3", "rule_name": "Azure Event Hub Deletion", "sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7", "type": "query", "version": 102 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route Table Created", + "sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route Table Created", "sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5", "type": "query", "version": 207 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Cluster Creation", + "sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Cluster Creation", "sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6", "type": "query", "version": 206 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { + "min_stack_version": "8.3", "rule_name": "Connection to External Network via Telnet", "sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5", "type": "eql", "version": 107 }, "e1db8899-97c1-4851-8993-3a3265353601": { + "min_stack_version": "8.9", "rule_name": 
"Potential Data Exfiltration Activity to an Unusual ISO Code", "sha256": "2dfa5553eab948bb3ad46437fda2847c3d2d98e63aa80c10f1b8a179eb44b650", "type": "machine_learning", "version": 3 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { + "min_stack_version": "8.3", "rule_name": "Suspicious Mining Process Creation Event", "sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9", "type": "eql", "version": 6 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { + "min_stack_version": "8.3", "rule_name": "Spike in Successful Logon Events from a Source IP", "sha256": "433470a845fb7c68a2d975d0c852935ae2f613397f228fcbc0508dab28be90ff", "type": "machine_learning", @@ -6567,7 +8752,7 @@ "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 211, "rule_name": "Suspicious .NET Reflection via PowerShell", "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9", 
@@ -6588,66 +8773,95 @@ "version": 2 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Management Console Root Login", + "sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Management Console Root Login", "sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd", "type": "query", "version": 209 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { + "min_stack_version": "8.3", "rule_name": "System Network Connections Discovery", "sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1", "type": "eql", "version": 3 }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { + "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", "sha256": "3e63bc85075d9b743e6bf54268defc21c112e95ddb806edfb8a78a3ab78903bc", "type": "eql", "version": 7 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { + "min_stack_version": "8.3", "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", "sha256": "bee7840c66166d2669fe2c9007db541d327d9ea4a3fdfda0b9c233e216e4a37d", "type": "eql", "version": 111 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { + "min_stack_version": "8.3", "rule_name": "GCP IAM Role Deletion", "sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe", "type": "query", "version": 104 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { + "min_stack_version": "8.3", "rule_name": "Process Activity via Compiled HTML File", "sha256": "6cef2e899c6b4e9645a167a889392bdc93d93b0cdbefafa881495069c49f284e", "type": "eql", "version": 110 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route53 private hosted zone associated with a VPC", + "sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12", + 
"type": "query", + "version": 105 + } + }, "rule_name": "AWS Route53 private hosted zone associated with a VPC", "sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525", "type": "query", "version": 206 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { + "min_stack_version": "8.3", "rule_name": "Ransomware - Prevented - Elastic Endgame", "sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462", "type": "query", "version": 103 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { + "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e", "type": "eql", "version": 107 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { + "min_stack_version": "8.3", "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", "sha256": "20a809b0c9d105e502a250b3d41b6934687bf4d74fbbedd98cef83bdf6d2658b", "type": "eql", "version": 110 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { + "min_stack_version": "8.4", "rule_name": "First Time Seen NewCredentials Logon Process", "sha256": "9a219e929d52b9d5fd2593524c043db217318eb6f540793dae2c595418f5dc02", "type": "new_terms", @@ -6656,7 +8870,7 @@ "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456", 
@@ -6670,18 +8884,30 @@ "version": 206 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { + "min_stack_version": "8.3", "rule_name": "Service Creation via Local Kerberos Authentication", "sha256": "c47f1f706cc482c626dc8045250f798362338387db47fe387412408b6be3bae1", "type": "eql", "version": 105 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { + "min_stack_version": "8.3", "rule_name": "Kerberos Pre-authentication Disabled for User", "sha256": "f31d2b25f3d2f895e14eab6c7ec29719c97852d5f2f99b2fa9357b9637c2f510", "type": "query", "version": 110 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "MFA Disabled for Google Workspace Organization", + "sha256": "2c13a6fc437d2115e97e6e81a6d555601f5f93d05f444b9935bf76d94877c049", + "type": "query", + "version": 104 + } + }, "rule_name": "MFA Disabled for Google Workspace Organization", "sha256": "91e053deeef1fbe832a95085ef68f2122ba06d94e64114a2d0e61cf3f1d64d6f", "type": "query", @@ -6694,12 +8920,14 @@ "version": 100 }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { + "min_stack_version": "8.3", "rule_name": "Bash Shell Profile Modification", "sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3", "type": "query", "version": 104 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { + "min_stack_version": "8.3", "rule_name": "Authorization Plugin Modification", "sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e", "type": "query", @@ -6708,7 +8936,7 @@ "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Possible Okta DoS Attack", "sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391", 
@@ -6722,84 +8950,125 @@ "version": 205 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { + "min_stack_version": "8.3", "rule_name": "Screensaver Plist File Modified by Unexpected Process", "sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51", "type": "eql", "version": 107 }, "e7075e8d-a966-458e-a183-85cd331af255": { + "min_stack_version": "8.3", "rule_name": "Default Cobalt Strike Team Server Certificate", "sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e", "type": "query", "version": 104 }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { + "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Memory Dump File Creation", "sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62", "type": "eql", "version": 3 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { + "min_stack_version": "8.3", "rule_name": "Execution of Persistent Suspicious Program", "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478", "type": "eql", "version": 107 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "Suspicious WMI Event Subscription Created", + "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a", + "type": "eql", + "version": 6 + } + }, "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20", "type": "eql", "version": 106 }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { + "min_stack_version": "8.3", "rule_name": "Potential Windows Session Hijacking via CcmExec", "sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a", "type": "eql", "version": 1 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { + "min_stack_version": "8.3", "rule_name": "Unusual Process For MSSQL Service Accounts", "sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8", "type": "eql", 
"version": 4 }, "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { + "min_stack_version": "8.3", "rule_name": "Unusual Execution via Microsoft Common Console File", "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35", "type": "eql", "version": 1 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Unshadow", "sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393", "type": "eql", "version": 8 }, "e7cd5982-17c8-4959-874c-633acde7d426": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route Table Modified or Deleted", + "sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route Table Modified or Deleted", "sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112", "type": "query", "version": 207 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { + "min_stack_version": "8.3", "rule_name": "Service Control Spawned via Script Interpreter", "sha256": "d821998e1160abb47ecede3b1c462e4239e82c189b4c1bb28462bb126a1b7765", "type": "eql", "version": 108 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { + "min_stack_version": "8.3", "rule_name": "Installation of Security Support Provider", "sha256": "7bacfc5c36b455bd387840ed3881384dccf76c4613c11307d4d5d00b45b71f4c", "type": "eql", "version": 108 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { + "min_stack_version": "8.3", "rule_name": "Host Files System Changes via Windows Subsystem for Linux", "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006", "type": "eql", "version": 7 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { + "min_stack_version": "8.6", + "previous": { + "8.4": { + "max_allowable_version": 102, + "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", + "sha256": 
"3a05a24c654cdb42c8718f7cf97e55b13d9be01f97cfd17a78db8f616168fa80", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", "sha256": "f180246dbfb2cb7f01f796113f0a1b305d91c244c4989aef63cfc341e4431f35", "type": "new_terms", @@ -6808,7 +9077,7 @@ "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "36586610b72fd3df43dda1d0bfca8e2b7a439cde98a6b85da439993e98b9978d", 
@@ -6822,30 +9091,44 @@ "version": 208 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 VM Export Failure", + "sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 VM Export Failure", "sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c", "type": "query", "version": 206 }, "e92c99b6-c547-4bb6-b244-2f27394bc849": { + "min_stack_version": "8.9", "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", "sha256": "1e89013def66c292205e6328af1471ef4e60e7476f31abb7718f73d3602c3e91", "type": "machine_learning", "version": 3 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { + "min_stack_version": "8.3", "rule_name": "Unusual Executable File Creation by a System Critical Process", "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f", "type": "eql", "version": 111 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { + "min_stack_version": "8.3", "rule_name": "Potential LSA Authentication Package Abuse", "sha256": "d0a1dc56879cb56dc2747d8b68642dcb238491d808de81350698a3876b010d1e", "type": "eql", "version": 105 }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { + "min_stack_version": "8.9", "rule_name": "Spike in Remote File Transfers", "sha256": "c2714b3ba5f14682e3de18a33b34ee32dd30f9b08a177f6d6ff9c79ced3ef5e1", "type": "machine_learning", @@ -6858,6 +9141,7 @@ "version": 100 }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { + "min_stack_version": "8.3", "rule_name": "Azure Automation Webhook Created", "sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078", "type": "query", 
@@ -6870,108 +9154,153 @@ "version": 100 }, "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { + "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a Parent Process", "sha256": "d8ff4bf9daa5791d5125e828242e6da12e755fe8e6594f543661711e82994cfd", "type": "machine_learning", "version": 4 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Brute Force of Assume Role Policy", + "sha256": "b067b05efba5deb9be05f4eb293d71270aec223640f2d617f1a365f86c41524c", + "type": "threshold", + "version": 109 + } + }, "rule_name": "AWS IAM Brute Force of Assume Role Policy", "sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3", "type": "threshold", "version": 210 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { + "min_stack_version": "8.3", "rule_name": "Spike in Firewall Denies", "sha256": "2b70a5f6f296ce20ca6fb54b48a52c4bb57dec8c35b7dfc9b661509716a7cc0a", "type": "machine_learning", "version": 103 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { + "min_stack_version": "8.3", "rule_name": "Suspicious APT Package Manager Network Connection", "sha256": "e33ef40e6926a8ebb9819b992a678c5cb30b5ca0ec2564ad888d213893eec80c", "type": "eql", "version": 2 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { + "min_stack_version": "8.3", "rule_name": "External Alerts", "sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6", "type": "query", "version": 103 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad", "type": "query", "version": 4 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { + "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Request", "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb", "type": "query", "version": 111 }, 
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { + "min_stack_version": "8.3", "rule_name": "Suspicious Network Connection Attempt by Root", "sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e", "type": "eql", "version": 104 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { + "min_stack_version": "8.3", "rule_name": "Potential Disabling of SELinux", "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef", "type": "eql", "version": 110 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { + "min_stack_version": "8.3", "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98", "type": "eql", "version": 109 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { + "min_stack_version": "8.3", "rule_name": "IIS HTTP Logging Disabled", "sha256": "d83d663dcda70e00a6ab21131eed87f0b8c368ce720e9af6b55cc3ed301826a8", "type": "eql", "version": 110 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { + "min_stack_version": "8.3", "rule_name": "Process Execution from an Unusual Directory", "sha256": "8df3afe86977d9a2b2f2229f4f6d2fb5bb39898849f2d887050d754afba715a2", "type": "eql", "version": 110 }, "ec604672-bed9-43e1-8871-cf591c052550": { + "min_stack_version": "8.8", "rule_name": "File Made Executable via Chmod Inside A Container", "sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54", "type": "eql", "version": 2 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", + "sha256": "ccb7629ab98a47b76d488ad0234349226bd54d20ba68a72bfa6d504471d57576", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", "sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df", "type": "query", "version": 206 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { + "min_stack_version": "8.3", "rule_name": 
"Executable File with Unusual Extension", "sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509", "type": "eql", "version": 2 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Instance/Cluster Stoppage", + "sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Instance/Cluster Stoppage", "sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58", "type": "query", "version": 206 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { + "min_stack_version": "8.3", "rule_name": "Azure Global Administrator Role Addition to PIM User", "sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c", "type": "query", "version": 102 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { + "min_stack_version": "8.3", "rule_name": "AdFind Command Activity", "sha256": "35efc8cf7bf58aeb31117f913287b60e74e904cbdce764bcd90b1a649e6318e1", "type": "eql", @@ -6980,7 +9309,7 @@ "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973", @@ -6994,12 +9323,14 @@ "version": 206 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { + "min_stack_version": "8.3", "rule_name": "ImageLoad via Windows Update Auto Update Client", "sha256": "6b7b9ccc19477616a522bddc2a00f166753629727474b6494a4460bfc09ec4f6", "type": "eql", "version": 112 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { + "min_stack_version": "8.3", "rule_name": "Linux User Account Creation", "sha256": "95cad73c0f9c90ae0aca50ad6528161624c9d694075e6761ef195da867643c08", "type": "eql", 
@@ -7008,7 +9339,7 @@ "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 102, "rule_name": "Okta FastPass Phishing Detection", "sha256": "ec087af423a304d3b2f85af7926ba24f67f6207424c00d258a6e350a6721c932", @@ -7022,12 +9353,14 @@ "version": 103 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { + "min_stack_version": "8.3", "rule_name": "Unusual Print Spooler Child Process", "sha256": "3b8d96d08eb433256b4fb0fd5206543e932d32caede2f0296b44a83ccf41868c", "type": "eql", "version": 108 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { + "min_stack_version": "8.3", "rule_name": "Shortcut File Written or Modified on Startup Folder", "sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662", "type": "eql", 
@@ -7040,48 +9373,56 @@ "version": 100 }, "eea82229-b002-470e-a9e1-00be38b14d32": { + "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", "sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc", "type": "eql", "version": 107 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { + "min_stack_version": "8.3", "rule_name": "BPF filter applied using TC", "sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2", "type": "eql", "version": 108 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", "sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7", "type": "eql", "version": 7 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { + "min_stack_version": "8.8", "rule_name": "Potential Container Escape via Modified notify_on_release File", "sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04", "type": "eql", "version": 1 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { + "min_stack_version": "8.3", "rule_name": "Whoami Process Activity", "sha256": "31ce332f330bc9a1bccdf8f56d0d422431517beafd6fd72a0263e72bf57f2202", "type": "eql", "version": 111 }, "ef8cc01c-fc49-4954-a175-98569c646740": { + "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "sha256": "9512995e5dffd053732011c13901b6e07071c98fbf12ad540b632ebf940f2c32", "type": "machine_learning", "version": 3 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { + "min_stack_version": "8.3", "rule_name": "Unusual Child Processes of RunDLL32", "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe", "type": "eql", "version": 108 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { + "min_stack_version": "8.3", "rule_name": "Suspicious HTML File Creation", "sha256": "a8f8624488bd94c12376e0d7098fdf1714698d2df6e877311fded9ab584a043d", "type": "eql", 
@@ -7090,7 +9431,7 @@ "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba", 
@@ -7104,120 +9445,149 @@ "version": 205 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { + "min_stack_version": "8.3", "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", "sha256": "5182f386430f01d4b91371a123d7323d6c786af55e661ca361224b7e1abaab5c", "type": "eql", "version": 108 }, "f0bc081a-2346-4744-a6a4-81514817e888": { + "min_stack_version": "8.3", "rule_name": "Azure Alert Suppression Rule Created or Modified", "sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270", "type": "query", "version": 102 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { + "min_stack_version": "8.3", "rule_name": "Execution with Explicit Credentials via Scripting", "sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb", "type": "query", "version": 106 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { + "min_stack_version": "8.3", "rule_name": "Potential Remote Code Execution via Web Server", "sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7", "type": "eql", "version": 7 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "Forwarded Google Workspace Security Alert", "sha256": "4c73b09f4b3001484895476ebe7fa98e28d4b4ade73a8bc8cae1bf26c22cf8af", "type": "query", "version": 2 }, "f243fe39-83a4-46f3-a3b6-707557a102df": { + "min_stack_version": "8.3", "rule_name": "Service Path Modification", "sha256": "f6488872c8be23ecc9a4e3339d5de39339210c77856be3d05d90c00968a721c9", "type": "eql", "version": 2 }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { + "min_stack_version": "8.3", "rule_name": "Creation of Hidden Login Item via Apple Script", "sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3", "type": "eql", "version": 108 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { + "min_stack_version": "8.3", "rule_name": "Potential OpenSSH Backdoor Logging Activity", "sha256": "b10534cda59c460de168c3b9fed3d8899465199770dd6c96f2e2d65358d3cb24", "type": "eql", "version": 109 }, 
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": { + "min_stack_version": "8.3", "rule_name": "SIP Provider Modification", "sha256": "637b95af638d89775bd2f924af80375c6ff258c63b53785edfb3543db910cbbf", "type": "eql", "version": 107 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { + "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Creation", "sha256": "f75e7dbe109ab94981359e193e38bc31d50c60ac6258c2e42dd797649989a2f4", "type": "eql", "version": 109 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Instance Creation", + "sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Instance Creation", "sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166", "type": "query", "version": 206 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", "sha256": "bf31263ee7b3dd377aad879072d95f3cfa5f487f3db9f91e6d47822700c554c9", "type": "eql", "version": 4 }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { + "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "sha256": "2c43c3f3a3eab3066a67fa00b1ecf370bbb5c1a7cc41898dabf2a4553b1630ea", "type": "query", "version": 3 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { + "min_stack_version": "8.3", "rule_name": "WMI Incoming Lateral Movement", "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e", "type": "eql", "version": 110 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { + "min_stack_version": "8.3", "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c", "type": "threshold", "version": 104 }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { + 
"min_stack_version": "8.3", "rule_name": "Suspicious Network Connection via systemd", "sha256": "52931e3500fd41b92dd905637912dc28861b532e3bf11d6ab79f243237f9573c", "type": "eql", "version": 2 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { + "min_stack_version": "8.5", "rule_name": "Threat Intel URL Indicator Match", "sha256": "2e45aadc96febb79204cc0182a5cda5f7b1be5634e47e7c18fc92b429f529471", "type": "threat_match", "version": 6 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { + "min_stack_version": "8.6", "rule_name": "Potential curl CVE-2023-38545 Exploitation", "sha256": "422469c042fbbd783e6f8aca78c507ba139de7e0aa3e364406f12f16db6db808", "type": "eql", "version": 5 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { + "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Office AddIns", "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc", "type": "eql", "version": 108 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { + "min_stack_version": "8.3", "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "sha256": "3d559e86203735f531cbbe7a26f5e361236760068e41b0b421f0f5d59a3c5765", "type": "query", 
@@ -7237,108 +9607,135 @@ "version": 100 }, "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { + "min_stack_version": "8.3", "rule_name": "Suspicious Data Encryption via OpenSSL Utility", "sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc", "type": "eql", "version": 6 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { + "min_stack_version": "8.3", "rule_name": "Windows Script Executing PowerShell", "sha256": "708503003bcee46e11babb11f8aa31370e2b00f8819ad6b533d88ae777974577", "type": "eql", "version": 111 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { + "min_stack_version": "8.8", "rule_name": "SSH Connection Established Inside A Running Container", "sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7", "type": "eql", "version": 2 }, "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { + "min_stack_version": "8.3", "rule_name": "Rare SMB Connection to the Internet", "sha256": "a63046d792830722836c024689a5b5e9e1f3ac006e80e1445c1efa17bfbc98e5", "type": "new_terms", "version": 3 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { + "min_stack_version": "8.3", "rule_name": "WRITEDAC Access on Active Directory Object", "sha256": "e1128eff83337cf8df9523f584e2a5859c85e7d579d9655bb532de4714bd4124", "type": "query", "version": 4 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { + "min_stack_version": "8.3", "rule_name": "WMIC Remote Command", "sha256": "49fe04b88dc0dc6ee9776c88113935db33ecbc3c955ddb4b201acb6867022d7f", "type": "eql", "version": 4 }, "f5c005d3-4e17-48b0-9cd7-444d48857f97": { + "min_stack_version": "8.3", "rule_name": "Setcap setuid/setgid Capability Set", "sha256": "bec5a046d8ac67ff161d518d2ccf53b9138179dfc67759ad5f9078fdc14810a6", "type": "eql", "version": 5 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { + "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "sha256": "d6db5d4e54233628ba05c96ce487387f74b8d57d423cae36a1cfa4602ef0c312", "type": "machine_learning", "version": 4 }, 
"f5fb4598-4f10-11ed-bdc3-0242ac120002": { + "min_stack_version": "8.3", "rule_name": "Masquerading Space After Filename", "sha256": "0bdfb6f39afe789ae9447ea9f33938a24d746c1017ac0646c9f1776272882e37", "type": "eql", "version": 6 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { + "min_stack_version": "8.3", "rule_name": "Account or Group Discovery via Built-In Tools", "sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135", "type": "eql", "version": 3 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { + "min_stack_version": "8.3", "rule_name": "Windows Firewall Disabled via PowerShell", "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088", "type": "eql", "version": 110 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { + "min_stack_version": "8.3", "rule_name": "Delete Volume USN Journal with Fsutil", "sha256": "6b1d419bf9aa6949ee92ded6a11fd322e88da4c01130617ee0d215449c773841", "type": "eql", "version": 109 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { + "min_stack_version": "8.3", "rule_name": "SoftwareUpdate Preferences Modification", "sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b", "type": "query", "version": 106 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { + "min_stack_version": "8.3", "rule_name": "System Hosts File Access", "sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571", "type": "eql", "version": 3 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { + "min_stack_version": "8.3", "rule_name": "Azure Service Principal Credentials Added", "sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103", "type": "query", "version": 102 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Alarm Deletion", + "sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Alarm 
Deletion", "sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc", "type": "query", "version": 209 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { + "min_stack_version": "8.8", "rule_name": "SSH Authorized Keys File Modified Inside a Container", "sha256": "d08ada3a6198777da68c1ad854b2c989ea3c25a2cd89c68741c538de9a433237", "type": "eql", "version": 2 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { + "min_stack_version": "8.3", "rule_name": "Persistent Scripts in the Startup Directory", "sha256": "a1bc8b73c4533f942aac0721b6a1345272ca6770fde9d130e8f62f115eb42177", "type": "eql", 
@@ -7352,48 +9749,56 @@ "version": 2 }, "f81ee52c-297e-46d9-9205-07e66931df26": { + "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec", "type": "eql", "version": 109 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { + "min_stack_version": "8.3", "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87", "type": "query", "version": 106 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { + "min_stack_version": "8.3", "rule_name": "Modification of AmsiEnable Registry Key", "sha256": "78279bb6af6824e60ded36c81c6ef322b9ccaeb26c92549abc2921bf4227941b", "type": "eql", "version": 110 }, "f94e898e-94f1-4545-8923-03e4b2866211": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0", "type": "new_terms", "version": 1 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Configuration Discovery", "sha256": "4dd687fdbb673c91ffcda22bc2630d7ea3e59cd3af2a796d57bd7077684f6042", "type": "machine_learning", "version": 104 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { + "min_stack_version": "8.3", "rule_name": "Ingress Transfer via Windows BITS", "sha256": "5952fcaf652a5286441fc15039faeb8970ad18ef5832358bbc5385c6e09ed734", "type": "eql", "version": 7 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { + "min_stack_version": "8.3", "rule_name": "Browser Extension Install", "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a", "type": "eql", "version": 2 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { + "min_stack_version": "8.3", "rule_name": "Privileged Account Brute Force", "sha256": "6b7871e9961be78c2d06f1cb08a639f6b4d3dcb022d16261b56fa3472f8f7d70", "type": "eql", 
@@ -7402,7 +9807,7 @@ "f994964f-6fce-4d75-8e79-e16ccc412588": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06", 
@@ -7416,48 +9821,65 @@ "version": 205 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { + "min_stack_version": "8.3", "rule_name": "Remote File Copy to a Hidden Share", "sha256": "3a766093b0d4f34997e59583bef56fb42b94ebe8b4d5d167f6f5123519f92525", "type": "eql", "version": 109 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { + "min_stack_version": "8.3", "rule_name": "Potential External Linux SSH Brute Force Detected", "sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda", "type": "eql", "version": 7 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Binary", "sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c", "type": "eql", "version": 7 }, "fa488440-04cc-41d7-9279-539387bf2a17": { + "min_stack_version": "8.3", "rule_name": "Suspicious Antimalware Scan Interface DLL", "sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642", "type": "eql", "version": 9 }, "fac52c69-2646-4e79-89c0-fd7653461010": { + "min_stack_version": "8.3", "rule_name": "Potential Disabling of AppArmor", "sha256": "e1fc21035bd0018c82e188c8ebe6241aa878a214edaf3895b806621f5d82d2e3", "type": "eql", "version": 6 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 101, + "rule_name": "Potential Masquerading as System32 DLL", + "sha256": "44de9f686412f5ba599fbbf3c20d3d9a0e941c644469a473712133ff1293bf6d", + "type": "eql", + "version": 2 + } + }, "rule_name": "Potential Masquerading as System32 DLL", "sha256": "1af8edb01a1cfb710c926f5d006909a5e7139b1a95763ed5fbc88147f1eab9bc", "type": "eql", "version": 104 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { + "min_stack_version": "8.3", "rule_name": "Network Connection via Registration Utility", "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d", "type": "eql", "version": 108 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { + 
"min_stack_version": "8.8", "rule_name": "High Number of Cloned GitHub Repos From PAT", "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234", "type": "threshold", @@ -7470,24 +9892,37 @@ "version": 100 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Configuration Recorder Stopped", + "sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Configuration Recorder Stopped", "sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004", "type": "query", "version": 206 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e", "type": "eql", "version": 109 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf", "type": "new_terms", "version": 1 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { + "min_stack_version": "8.3", "rule_name": "GitHub App Deleted", "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960", "type": "eql", 
@@ -7500,114 +9935,151 @@ "version": 100 }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { + "min_stack_version": "8.3", "rule_name": "Potential Application Shimming via Sdbinst", "sha256": "c6e0f3ed2de57cd525aed211c660fafb3d244519f29423756b1e01f95a1f7469", "type": "eql", "version": 110 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { + "min_stack_version": "8.3", "rule_name": "Suspicious CertUtil Commands", "sha256": "1eefd434526b2d048a615ba540bf83da7ee5150eae84ff517f5de3e7668c964b", "type": "eql", "version": 108 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Svchost spawning Cmd", + "sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04", + "type": "eql", + "version": 107 + } + }, "rule_name": "Svchost spawning Cmd", "sha256": "6d152e1d87343af4204868f6661565208bc41bc7fa3b54d2431de77ade274f91", "type": "new_terms", "version": 212 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { + "min_stack_version": "8.3", "rule_name": "Image Loaded with Invalid Signature", "sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d", "type": "eql", "version": 2 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { + "min_stack_version": "8.3", "rule_name": "System Binary Copied and/or Moved to Suspicious Directory", "sha256": "64a298cfd46dd919d8d6d349126b6a4a90347cf9eb7a23661803b528c1bd2828", "type": "eql", "version": 7 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { + "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Dump", "sha256": "1ccbc020df7ccd578a04c6a962cba1a9eb01217fe0325d1ebb52cfcae454276e", "type": "query", "version": 4 }, "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9", "type": "query", "version": 5 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { + 
"min_stack_version": "8.3", "rule_name": "Microsoft Windows Defender Tampering", "sha256": "1049a012554fe790510c642962136afe7809f3cb6743d41c94d9064cb5cd0275", "type": "eql", "version": 110 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { + "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Business App Installer", "sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5", "type": "eql", "version": 4 }, "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { + "min_stack_version": "8.3", "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", "sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87", "type": "eql", "version": 2 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { + "min_stack_version": "8.3", "rule_name": "MS Office Macro Security Registry Modifications", "sha256": "0cb2724deeff775fe087f8fc28747011973bfa19b4924546d551ae231cf102e2", "type": "eql", "version": 107 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { + "min_stack_version": "8.3", "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "sha256": "be298496f5dc80a824431ca74dd636b027fd4a95e5b4cae739b13de1c3dfe055", "type": "query", "version": 103 }, "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { + "min_stack_version": "8.9", "rule_name": "Potential DGA Activity", "sha256": "f1777c34722961e6332a58230876ae5519c4fc7e7a09d1450eb0038aeabe2640", "type": "machine_learning", "version": 3 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { + "min_stack_version": "8.6", "rule_name": "Cron Job Created or Changed by Previously Unknown Process", "sha256": "8d0088142351af95023ec0cbec030e26da4de32891f90802ece09174e3446293", "type": "new_terms", "version": 9 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { + "min_stack_version": "8.7", "rule_name": "LSASS Process Access via Windows API", "sha256": "45523e08c1b08b3aeb6e316fbfd73c257194c643b9c2d30533a4c05de668ca18", "type": "eql", "version": 7 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { + "min_stack_version": 
"8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Transport Rule Creation", + "sha256": "e247dbb68f81f5c55155bea1dd2a757717bdc740b8259a933165e5a612d3cdb7", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Transport Rule Creation", "sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88", "type": "query", "version": 206 }, "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { + "min_stack_version": "8.3", "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb", "type": "eql", "version": 1 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { + "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Deletion", "sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068", "type": "query", "version": 104 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { + "min_stack_version": "8.3", "rule_name": "Potential Sudo Token Manipulation via Process Injection", "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366", "type": "eql", diff --git a/docs/versioning.md b/docs/versioning.md deleted file mode 100644 index 120c88b7054..00000000000 --- a/docs/versioning.md +++ /dev/null 
@@ -1,26 +0,0 @@
-# Supported Versions and Releases
-
-This document provides detailed information about the different versions that are supported and released for prebuilt detection rules.
-
-## Current Version
-
-The current version of prebuilt detection rules is `v8.14`.
-
-## Previous Versions Released
-
-The following version(s) are released along with the current version.
-
-- `v8.13`
-- `v8.12`
-- `v8.11`
-
-### Previous Versions Maintained
-
-The following version(s) are maintained along with the current version.
-
-- `v8.10`
-- `v8.9`
-
-## End of Life Policy
-
-Our policy is to support and provide public releases for `Current`, `Current-1`, `Current-2`, `Current-3` versions. We maintain and do not release `Current-4` and `Current-5` versions.
diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index d8010b71afc..28bea375cc3 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["apm"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index bedc96ade16..4f3b957f224 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["apm"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index c8ba5b28669..b147173d857 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml +++ b/rules/apm/apm_sqlmap_user_agent.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["apm"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml index d8ccf625b32..aa5803afe7c 100644 --- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml +++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml @@ -2,13 +2,15 @@ creation_date = "2023/06/19" integration = ["endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/30" [rule] author = ["Elastic"] description = """ -Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing -payloads via a trusted webservice. +Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt +to deliver phishing payloads via a trusted webservice. """ false_positives = [ "Approved third-party applications that use Google Drive download URLs.", 
@@ -23,14 +25,7 @@ references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matan risk_score = 47 rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Command and Control", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml index 26b3ddbf1af..b863a6bf6dd 100644 --- a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml +++ b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml @@ -2,7 +2,9 @@ creation_date = "2022/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] @@ -28,14 +30,13 @@ references = ["https://attack.mitre.org/techniques/T1571/"] risk_score = 21 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "OS: macOS", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "OS: macOS", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' 
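Review bot: The restored `tags` array in command_and_control_non_standard_ssh_port.toml mixes layouts — the first element sits on the `tags = [` line, the remaining elements follow one per line without a trailing comma after the last, and the closing `]` stands on its own line — while the other rule files in this patch (for example the Google Drive rule just above) write `tags` on a single line. If the intent of the revert is an exact restore this is expected; if the goal is only to bring back the `min_stack_version` metadata, the normalized form could be kept, e.g. `tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS", "Data Source: Elastic Defend"]`. The leading whitespace of the continuation lines is not recoverable from this rendering, so the exact indentation is not checked here.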
@@ -50,17 +51,15 @@ sequence by process.entity_id with maxspan=1m ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1571" name = "Non-Standard Port" reference = "https://attack.mitre.org/techniques/T1571/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml index 9dbe6ea1886..b9179554efb 100644 --- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/21" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -35,15 +37,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml index 0db7fbdae9c..be6661803a6 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml 
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml @@ -1,14 +1,15 @@ [metadata] creation_date = "2021/07/14" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/06/22" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] -description = """ -Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the -expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate -attempts to spoof events in order to masquerade actual activity to evade detection. +description = """Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" +occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could +indicate attempts to spoof events in order to masquerade actual activity to evade detection. """ false_positives = [ """ diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml index 6019f522c45..4003974f46f 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml +++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml 
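Review bot: In defense_evasion_agent_spoofing_mismatched_id.toml the restored `min_stack_comments` and `min_stack_version` keys are placed after `updated_date`, whereas every other rule file in this patch (the three apm rules, the Google Drive rule and the SSH-port rule) places them before `updated_date`; the next hunk, for defense_evasion_agent_spoofing_multiple_hosts.toml, has the same ordering. Keeping one key order across `[metadata]` blocks makes bulk edits and future diffs easier to read, e.g. `+min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, `+min_stack_version = "8.3.0"`, `+updated_date = "2023/06/22"`. The restored `description = """Detects events ...` also opens the multi-line string on the key line, unlike the other descriptions in this patch, which begin the text on the following line.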
@@ -1,14 +1,15 @@ [metadata] creation_date = "2021/07/14" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/06/22" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] -description = """ -Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and -used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual -activity to evade detection. +description = """Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent +being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to +masquerade actual activity to evade detection. """ false_positives = [ """ @@ -46,11 +47,11 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.threshold] field = ["agent.id"] value = 2 + [[rule.threshold.cardinality]] field = "host.id" value = 2 - - diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index c567ad89f2a..72dfb5e4c28 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -26,16 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml index 8a55874a9ce..f1cc6459927 100644 --- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
@@ -27,15 +29,15 @@ For more details on adding a custom ingest pipeline refer - https://www.elastic. """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" @@ -54,22 +56,20 @@ process where event.action in ("exec", "exec_event", "executed", "process_starte ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.003" name = "Clear Command History" reference = "https://attack.mitre.org/techniques/T1070/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index 50eac1fc76a..3436a467e40 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2022/05/23" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" +integration = ["endpoint"] [rule] author = ["Elastic"] 
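Review bot: The restored `tags` array in defense_evasion_deletion_of_bash_command_line_history.toml uses a different layout from the rest of the chunk — elements indented by four spaces, no trailing comma, and the closing `]` indented by two — whereas sibling files in the same commit end up with a single-line array or with the first element on the `tags = [` line. Reverting to the previous formatting is expected, but the result is three coexisting styles for the same field, which the next formatter pass will churn again. Consider normalising to one layout in a follow-up; the same inconsistency appears in defense_evasion_timestomp_touch.toml, discovery_security_software_grep.toml, execution_revershell_via_shell_cmd.toml, execution_suspicious_jar_child_process.toml, the three persistence_* rules and privilege_escalation_sudoers_file_mod.toml.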
@@ -28,15 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml index 37fb73fe77f..2b5f675a696 100644 --- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml +++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml @@ -2,7 +2,9 @@ creation_date = "2022/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -32,14 +34,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml index 36d4a8ca911..baed2ce5d36 100644 --- a/rules/cross-platform/defense_evasion_timestomp_touch.toml +++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/18" [rule] author = ["Elastic"] @@ -28,13 +30,13 @@ For more details on adding a custom ingest pipeline refer - https://www.elastic. """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml index f22fae9c687..6960ab9e57a 100644 --- a/rules/cross-platform/discovery_security_software_grep.toml +++ b/rules/cross-platform/discovery_security_software_grep.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/18" [rule] author = ["Elastic"] 
@@ -57,15 +59,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -121,22 +122,20 @@ process.name : "grep" and user.id != "0" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index 2ef727a4d0a..e0181030ac5 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml @@ -2,7 +2,9 @@ creation_date = "2021/09/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
@@ -34,14 +36,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml index f97739824da..f8a9ba36327 100644 --- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml +++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/12" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -16,14 +18,7 @@ references = ["https://github.com/neoneggplant/EggShell"] risk_score = 73 rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml index c872f64da64..b605d906467 100644 --- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml 
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml @@ -2,7 +2,9 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -60,15 +62,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -85,17 +86,15 @@ process where event.type in ("start", "process_started") and not process.parent.command_line : "runc init" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index 33a0253eecb..78819736289 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -62,16 +64,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -85,20 +86,19 @@ event.category:process and event.type:("start" or "process_started") and process ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -107,8 +107,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - 
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml index 877e4ced8fd..bd2f016944c 100644 --- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml +++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml @@ -2,7 +2,9 @@ creation_date = "2021/12/10" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -26,15 +28,7 @@ references = [ risk_score = 73 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml index 5bbe240e151..cbcbb2dc7bb 100644 --- a/rules/cross-platform/guided_onboarding_sample_rule.toml +++ b/rules/cross-platform/guided_onboarding_sample_rule.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2022/09/22" maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+" +min_stack_version = "8.7.0" +updated_date = "2024/03/14" [rule] author = ["Elastic"] diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml index 0b5d652fd58..56ebdb5c7d6 100644 --- a/rules/cross-platform/impact_hosts_file_modified.toml +++ b/rules/cross-platform/impact_hosts_file_modified.toml 
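Review bot: In guided_onboarding_sample_rule.toml the restored pin and its explanation disagree: `min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+"` sits next to `min_stack_version = "8.7.0"`. One of the two is stale, and the hunk does not establish which stack release the rule actually requires, so the minimum version should be confirmed and the comment aligned with it (for example `min_stack_comments = "Guided Onboarding will be available in Elastic 8.7+"` if the 8.7.0 pin is the correct one). The other `min_stack_comments`/`min_stack_version` pairs in this chunk are internally consistent.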
@@ -2,7 +2,9 @@ creation_date = "2020/07/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -62,16 +64,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c" timeline_title = "Comprehensive File Timeline" timestamp_override = "event.ingested" @@ -98,22 +91,20 @@ any where ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" + [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/001/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml index c335de8be23..1287e9e55a3 100644 --- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml +++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml 
@@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/14" maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -26,7 +28,11 @@ setup = """## Setup The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.""" severity = "medium" -tags = ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access"] +tags = [ + "Data Source: Zoom", + "Use Case: Configuration Audit", + "Tactic: Initial Access" +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/multiple_alerts_different_tactics_host.toml b/rules/cross-platform/multiple_alerts_different_tactics_host.toml index 676a9a892e7..67ee0e38193 100644 --- a/rules/cross-platform/multiple_alerts_different_tactics_host.toml +++ b/rules/cross-platform/multiple_alerts_different_tactics_host.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2022/11/16" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/06/22" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] @@ -16,8 +18,8 @@ false_positives = [ """, ] from = "now-24h" -index = [".alerts-security.*"] interval = "1h" +index = [".alerts-security.*"] language = "kuery" license = "Elastic License v2" name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host" @@ -32,13 +34,10 @@ query = ''' signal.rule.name:* and kibana.alert.rule.threat.tactic.id:* ''' - - [rule.threshold] field = ["host.id"] value = 1 + [[rule.threshold.cardinality]] field = "kibana.alert.rule.threat.tactic.id" value = 3 - - diff --git a/rules/cross-platform/multiple_alerts_involving_user.toml b/rules/cross-platform/multiple_alerts_involving_user.toml index 076a1096ea5..a982df44d51 100644 
--- a/rules/cross-platform/multiple_alerts_involving_user.toml +++ b/rules/cross-platform/multiple_alerts_involving_user.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2022/11/16" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/06/22" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] @@ -18,8 +20,8 @@ false_positives = [ """, ] from = "now-24h" -index = [".alerts-security.*"] interval = "1h" +index = [".alerts-security.*"] language = "kuery" license = "Elastic License v2" name = "Multiple Alerts Involving a User" @@ -34,13 +36,10 @@ query = ''' signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20") ''' - - [rule.threshold] field = ["user.name"] value = 1 + [[rule.threshold.cardinality]] field = "signal.rule.rule_id" value = 5 - - diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml index 85d4432c091..b811014191e 100644 --- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml +++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] 
@@ -27,15 +29,14 @@ references = [ risk_score = 47 rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -69,27 +70,27 @@ event.category:file and event.type:change and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" @@ -98,8 +99,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml index 60a1afc60aa..da32aff27b2 100644 --- a/rules/cross-platform/persistence_shell_profile_modification.toml +++ b/rules/cross-platform/persistence_shell_profile_modification.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] @@ -22,14 +24,13 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware- risk_score = 47 rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "query" @@ -50,22 +51,20 @@ event.category:file and event.type:change and /Users/*/.zshenv) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml index 71edbff424d..af9946d38ff 100644 --- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml +++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/12/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -18,18 +20,16 @@ name = "SSH Authorized Keys File Modification" risk_score = 47 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' event.category:file and event.type:(change or creation) and file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and 
@@ -51,46 +51,46 @@ event.category:file and event.type:(change or creation) and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" - [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" + [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" [rule.threat.tactic] id = "TA0008" @@ -100,8 +100,7 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml index 7b589072395..7996a3987d9 100644 --- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml +++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/01/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -18,14 +20,7 @@ name = "Potential Privilege Escalation via Sudoers File Modification" risk_score = 73 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 0bbd44d8537..7a9979f2517 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -22,14 +24,7 @@ name = "Setuid / Setgid Bit Set via chmod" risk_score = 21 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml index 0fa03093486..bd3caf4038d 100644 --- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml +++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml @@ -2,7 +2,9 @@ creation_date = "2021/02/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -31,17 +33,9 @@ references = [ risk_score = 73 rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] -timestamp_override = "event.ingested" +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.category:process and event.type:start and diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml index 23c493369ad..f7b7b826d03 100644 
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/12/18" [rule] author = ["Elastic"] @@ -19,13 +21,13 @@ risk_score = 47 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4" severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -35,20 +37,19 @@ not process.name:(dpkg or platform-python or puppet or yum or dnf) and not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -57,8 +58,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/cross-platform/threat_intel_indicator_match_address.toml b/rules/cross-platform/threat_intel_indicator_match_address.toml index 07ed6b5d053..55abba3f208 100644 
--- a/rules/cross-platform/threat_intel_indicator_match_address.toml +++ b/rules/cross-platform/threat_intel_indicator_match_address.toml @@ -1,7 +1,12 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/01/17" +min_stack_comments = """ +Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match +general rules. +""" +min_stack_version = "8.5.0" [transform] [[transform.osquery]] @@ -28,7 +33,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -99,7 +103,7 @@ This rule is triggered when an IP address indicator from the Threat Intel Filebe references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip", + "https://www.elastic.co/security/tip" ] risk_score = 99 rule_id = "0c41e478-5263-4c69-8f9e-7dfd2c22da64" 
@@ -114,74 +118,72 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" -threat_query = """ -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not -labels.is_ioc_transform_source:"true" -""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -query = ''' -source.ip:* or destination.ip:* +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" + +threat_query = ''' +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and + not labels.is_ioc_transform_source:"true" ''' +query = """ +source.ip:* or destination.ip:* +""" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.category" negate = false +disabled = false type = "phrase" +key = "event.category" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.kind" negate = false +disabled = false type = "phrase" +key = "event.kind" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.type" negate = false +disabled = false type = "phrase" +key = "event.type" 
[rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" -[[rule.threat_mapping]] +[[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "source.ip" type = "mapping" value = "threat.indicator.ip" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "destination.ip" type = "mapping" value = "threat.indicator.ip" - - diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/cross-platform/threat_intel_indicator_match_hash.toml index 54bc25febbf..5b6ea5fe098 100644 --- a/rules/cross-platform/threat_intel_indicator_match_hash.toml +++ b/rules/cross-platform/threat_intel_indicator_match_hash.toml @@ -1,7 +1,12 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/01/17" +min_stack_comments = """ +Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match +general rules. +""" +min_stack_version = "8.5.0" [transform] [[transform.osquery]] @@ -28,12 +33,11 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ -This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against -an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. +This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an +event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. """ from = "now-65m" index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"] 
@@ -98,7 +102,7 @@ This rule is triggered when a hash indicator from the Threat Intel Filebeat modu references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip", + "https://www.elastic.co/security/tip" ] risk_score = 99 rule_id = "aab184d3-72b3-4639-b242-6597c99d8bca" 
@@ -113,123 +117,115 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" -threat_query = """ -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or -threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:"true" -""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -query = ''' -file.hash.*:* or process.hash.*:* or dll.hash.*:* +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" + +threat_query = ''' +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and + (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and + not labels.is_ioc_transform_source:"true" ''' +query = """ +file.hash.*:* or process.hash.*:* or dll.hash.*:* +""" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.category" negate = false +disabled = false type = "phrase" +key = "event.category" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.kind" negate = false +disabled = false type = "phrase" +key = "event.kind" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" 
[rule.threat_filters.meta] -disabled = false -key = "event.type" negate = false +disabled = false type = "phrase" +key = "event.type" [rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" -[[rule.threat_mapping]] +[[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "file.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "file.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "file.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "dll.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "dll.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "dll.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "process.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "process.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "process.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" - - diff --git a/rules/cross-platform/threat_intel_indicator_match_registry.toml b/rules/cross-platform/threat_intel_indicator_match_registry.toml index fee4820ef14..3cb6742cb3f 100644 --- a/rules/cross-platform/threat_intel_indicator_match_registry.toml +++ b/rules/cross-platform/threat_intel_indicator_match_registry.toml 
@@ -1,7 +1,12 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/01/17" +min_stack_comments = """ +Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match +general rules. +""" +min_stack_version = "8.5.0" [transform] [[transform.osquery]] @@ -28,7 +33,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -93,7 +97,7 @@ This rule is triggered when a Windows registry indicator from the Threat Intel F references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip", + "https://www.elastic.co/security/tip" ] risk_score = 99 rule_id = "a61809f3-fb5b-465c-8bff-23a8a068ac60" 
@@ -108,67 +112,66 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" -threat_query = """ -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not -labels.is_ioc_transform_source:"true" -""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -query = ''' -registry.path:* +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" + +threat_query = ''' +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and + not labels.is_ioc_transform_source:"true" ''' +query = """ +registry.path:* +""" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.category" negate = false +disabled = false type = "phrase" +key = "event.category" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.kind" negate = false +disabled = false type = "phrase" +key = "event.kind" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.type" negate = false +disabled = false type = "phrase" +key = "event.type" 
[rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" -[[rule.threat_mapping]] +[[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "registry.path" type = "mapping" value = "threat.indicator.registry.path" - - diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml index cba88abb5f7..ea456406caf 100644 --- a/rules/cross-platform/threat_intel_indicator_match_url.toml +++ b/rules/cross-platform/threat_intel_indicator_match_url.toml @@ -1,7 +1,12 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/01/17" +min_stack_comments = """ +Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match +general rules. +""" +min_stack_version = "8.5.0" [transform] [[transform.osquery]] @@ -28,7 +33,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -102,7 +106,7 @@ This rule is triggered when a URL indicator from the Threat Intel Filebeat modul references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip", + "https://www.elastic.co/security/tip" ] risk_score = 99 rule_id = "f3e22c8b-ea47-45d1-b502-b57b6de950b3" 
@@ -117,74 +121,72 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" -threat_query = """ -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not -labels.is_ioc_transform_source:"true" -""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -query = ''' -url.full:* +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" + +threat_query = ''' +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and + threat.indicator.url.full:* and not labels.is_ioc_transform_source:"true" ''' +query = """ +url.full:* +""" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.category" negate = false +disabled = false type = "phrase" +key = "event.category" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.kind" negate = false +disabled = false type = "phrase" +key = "event.kind" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.type" negate = false +disabled = false type = "phrase" +key = "event.type" [rule.threat_filters.meta.params] query = 
"indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" -[[rule.threat_mapping]] +[[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "url.full" type = "mapping" value = "threat.indicator.url.full" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "url.original" type = "mapping" value = "threat.indicator.url.original" - - diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml index f4c31b3d257..3ecd0714803 100644 --- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml +++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml @@ -2,7 +2,9 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -30,13 +32,7 @@ references = [ risk_score = 21 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Tactic: Collection", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Collection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml index cbb1e5613fc..a092d575a58 100644 --- a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml +++ b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml 
@@ -2,7 +2,9 @@ creation_date = "2024/04/10" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to 2.0.0" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" [rule] author = ["Elastic"] @@ -17,6 +19,7 @@ language = "kuery" license = "Elastic License v2" name = "AWS EC2 Admin Credential Fetch via Assumed Role" note = """ + ## Triage and Analysis ### Investigating AWS EC2 Admin Credential Fetch via Assumed Role diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml index fd03af121e5..17ca613099c 100644 --- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml +++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml @@ -2,7 +2,9 @@ creation_date = "2020/07/16" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -74,10 +76,10 @@ tags = [ "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", - "Tactic: Credential Access", + "Tactic: Credential Access" ] -timestamp_override = "event.ingested" type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:aws.cloudtrail and diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml index 5e6d6ebeae3..18248e82547 100644 --- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml +++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/06/04" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml index e5e939edf76..6365cc34cf8 100644 --- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml +++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml 
@@ -2,18 +2,16 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Nick Jones", "Elastic"] description = """ -An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may -attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time -a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the -`GetSecretValue` action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with -IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with -access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the -compromised service's IAM role to access the secrets in Secrets Manager. +An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action. + +This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager. """ false_positives = [ """ 
@@ -80,7 +78,7 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ references = [ "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/", - "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum" ] risk_score = 47 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622" diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml index e8cfdda99fe..889e6d56aa6 100644 --- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml +++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml @@ -2,7 +2,9 @@ creation_date = "2020/07/21" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] 
@@ -29,15 +31,9 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm risk_score = 73 rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", -] -timestamp_override = "event.ingested" +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml index 0bbea8b848a..fab6ee327e2 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -74,14 +76,7 @@ references = [ risk_score = 47 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml index 72227a18ad5..6d1ee6ef2f2 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml @@ -2,7 +2,9 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -78,14 +80,7 @@ references = [ risk_score = 47 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml index 11861b99045..3d5915bd6fe 100644 --- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml +++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/06/15" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] 
@@ -80,13 +82,7 @@ references = [ risk_score = 47 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Resources: Investigation Guide", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml index 855c53f6374..451dda334c4 100644 --- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml +++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/06/26" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic", "Austin Songer"] @@ -78,13 +80,7 @@ references = [ risk_score = 21 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Resources: Investigation Guide", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml index c0cd38ab247..cc02cd56aed 100644 --- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml +++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml 
@@ -2,7 +2,9 @@
 creation_date = "2020/06/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index 3c803b5f4e9..7f1090ef125 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/06/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -77,14 +79,7 @@ references = [
 risk_score = 73
 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
 severity = "high"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Log Auditing",
- "Resources: Investigation Guide",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index fb2e47ad909..1db8508a9a1 100644
--- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -35,13 +37,7 @@ references = [
 risk_score = 47
 rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Network Security Monitoring",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
index d39dcc0b035..5d5500605c9 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index a496a341a8c..bb65f1940dc 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
index 9b150497c7d..2d034a9e71c 100644
--- a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
+++ b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/09/22"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Austin Songer"]
@@ -29,13 +31,7 @@ references = [
 risk_score = 21
 rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Identity and Access Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index d0f4ad05d7d..54e33b5a95f 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/28"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
index 0df31df63c9..15682431e20 100644
--- a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/06"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +21,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "Route53 Resolver Query Log Configuration Deleted"
 note = """
+
 ## Triage and Analysis
 
 ### Investigating Route53 Resolver Query Log Configuration Deleted
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index ceb62849c0d..0777ffc6523 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/27"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -33,13 +35,7 @@ references = [
 risk_score = 21
 rule_id = "227dc608-e558-43d9-b521-150772250bae"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Asset Visibility",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index 33ddcf3751a..749b42b06fe 100644
--- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -30,13 +32,7 @@ references = [
 risk_score = 47
 rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Network Security Monitoring",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index 1206af84945..a83cccbfaa9 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/06/09"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -30,13 +32,7 @@ references = [
 risk_score = 47
 rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Network Security Monitoring",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
index bc1ecf1dadb..04631d87839 100644
--- a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/13"
 
 [rule]
 author = ["Elastic"]
@@ -24,6 +26,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "EC2 AMI Shared with Another Account"
 note = """
+
 ## Triage and Analysis
 
 ### Investigating EC2 AMI Shared with Another Account
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index e809fcaf22f..a305bc80ded 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -34,14 +36,7 @@ references = [
 risk_score = 47
 rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Network Security Monitoring",
- "Tactic: Exfiltration",
- "Tactic: Collection",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Exfiltration", "Tactic: Collection"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
index cb94ddfe272..24f65ef73db 100644
--- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/06/24"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
index 6b99a4eed46..79bb4391784 100644
--- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/04/22"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -30,14 +32,7 @@ references = ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.h
 risk_score = 21
 rule_id = "e919611d-6b6f-493b-8314-7ed6ac2e413b"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Asset Visibility",
- "Tactic: Exfiltration",
- "Tactic: Collection",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Tactic: Collection"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index 3acc55c151f..e76a934dc14 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -27,13 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Sta
 risk_score = 21
 rule_id = "119c8877-8613-416d-a98a-96b6664ee73a"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Asset Visibility",
- "Tactic: Exfiltration",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
index fb21fe2f6d0..8197da77b7b 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/29"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Austin Songer"]
@@ -32,13 +34,7 @@ references = [
 risk_score = 47
 rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Asset Visibility",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index 4dced14d748..6059acca429 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index 48494c6f32f..aa38f0674fc 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -74,15 +76,7 @@ references = [
 risk_score = 21
 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Cloudtrail",
- "Use Case: Log Auditing",
- "Resources: Investigation Guide",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Cloudtrail", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index a51d7148eb4..35f56683f91 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/18"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -79,15 +81,7 @@ references = [
 risk_score = 47
 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS CloudWatch",
- "Use Case: Log Auditing",
- "Resources: Investigation Guide",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudWatch", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index f673d30df59..f9f57c9970d 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index 06305eb8968..efaedd39646 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -34,13 +36,7 @@ references = [
 risk_score = 47
 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS EC2",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
index 289a125097f..7bfe2402105 100644
--- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
+++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/08/27"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index c9d1fb8a117..c908c752f19 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -73,14 +75,7 @@ references = [
 risk_score = 47
 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS IAM",
- "Resources: Investigation Guide",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Resources: Investigation Guide", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
index 97463e97775..6c8c05f71c6 100644
--- a/rules/integrations/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -33,13 +35,7 @@ references = [
 risk_score = 21
 rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS IAM",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
index 11c2d13335e..6eb74194e22 100644
--- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
+++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Xavier Pich"]
@@ -35,14 +37,7 @@ references = [
 risk_score = 47
 rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS KMS",
- "Use Case: Log Auditing",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS KMS", "Use Case: Log Auditing", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index 989081659af..4f13ca6bb77 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -28,13 +30,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Del
 risk_score = 21
 rule_id = "863cdf31-7fd3-41cf-a185-681237ea277b"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index 8648fe43465..571098c7745 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -37,14 +39,7 @@ references = [
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Use Case: Asset Visibility",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index ecdf99bd422..423869ff99f 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -32,14 +34,7 @@ references = [
 risk_score = 47
 rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Use Case: Asset Visibility",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index de2126e086f..e42fe045a0f 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/06/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +72,7 @@ tags = [
 "Data Source: AWS Signin",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 76273e283f6..05f43038b7f 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -30,14 +32,7 @@ references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
 risk_score = 21
 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Signin",
- "Use Case: Identity and Access Audit",
- "Tactic: Initial Access",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Signin", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index 7f7beade85d..378c45ce1fc 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index 8b7f1512af9..2e7f5fb50cd 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/07/13"
-integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
+integration = ["aws"]
 
 [rule]
 anomaly_threshold = 50
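Review bot: In the `[metadata]` hunk of ml_cloudtrail_error_message_spike.toml the new side drops `integration = ["aws"]` from its place after `creation_date` and re-adds it after `updated_date`, so these three ML rules end up with a different key order from every other `[metadata]` table touched in this diff (the same reorder appears in the two ML hunks on the next lines). Since the revert only needs the three `min_stack_*`/`updated_date` lines, keeping the original `integration = ["aws"]` line in place and adding only those would leave the tables consistent. If the project's rule formatter normalizes key order, the current layout will presumably churn again on the next formatting pass.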
@@ -85,13 +87,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index 0ebbb531d76..f0622af6cca 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/07/13"
-integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
+integration = ["aws"]
 [rule]
 anomaly_threshold = 50
@@ -87,13 +89,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index 947265fdca3..ae2cf411bf2 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/07/13"
-integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
+integration = ["aws"]
 [rule]
 anomaly_threshold = 50
@@ -89,13 +91,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index 1cb446348cf..dae363dc164 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/07/13"
-integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
+integration = ["aws"]
 [rule]
 anomaly_threshold = 50
@@ -89,13 +91,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 88a65f6838a..b2e817bfcc4 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/07/13"
-integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
+integration = ["aws"]
 [rule]
 anomaly_threshold = 75
@@ -87,13 +89,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index 0ec4ba8c4a3..2fd07cb2991 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -35,14 +37,7 @@ references = [
 risk_score = 21
 rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS EC2",
- "Use Case: Network Security Monitoring",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index 356547289d0..70e77bbf7d7 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -31,14 +33,7 @@ references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-securi
 risk_score = 21
 rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS EC2",
- "Use Case: Network Security Monitoring",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index 5d678c72d7c..c638a896749 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -33,14 +35,7 @@ references = [
 risk_score = 21
 rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS IAM",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index 352fd7c484b..840f8a3c229 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -35,14 +37,7 @@ references = [
 risk_score = 21
 rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 1140f4e4ef5..70265434c42 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -27,13 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "378f9024-8a0c-46a5-aa08-ce147ac73a4e"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index ba167a1cb93..bab38356826 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -27,14 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "f30f3443-4fbb-4c27-ab89-c3ad49d62315"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index ee4a8e87d42..5160db70a5f 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -31,14 +33,7 @@ references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_Crea
 risk_score = 21
 rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Redshift",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Redshift", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index 3adaff849fd..4e065c4fa71 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -33,14 +35,7 @@ references = [
 risk_score = 21
 rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route53",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index 758c5f25b39..166506aa70e 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -28,14 +30,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Opera
 risk_score = 21
 rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route53",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index 50c7b0fa2ed..7b763c72d89 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Austin Songer"]
@@ -27,14 +29,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Assoc
 risk_score = 21
 rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route53",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index c254309c058..b79c5f29690 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -32,14 +34,7 @@ references = [
 risk_score = 21
 rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route53",
- "Use Case: Network Security Monitoring",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index 8829dc1659b..6f3cc8f42fb 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -36,14 +38,7 @@ references = [
 risk_score = 21
 rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route53",
- "Use Case: Network Security Monitoring",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index 3e8adc73be3..903cb9c1ba0 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -75,7 +77,7 @@ tags = [
 "Data Source: AWS Route53",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Privilege Escalation",
+ "Tactic: Privilege Escalation"
 ]
 timestamp_override = "event.ingested"
 type = "query"
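Review bot: The context line `"Data Source: AWS Route53",` in the tags of privilege_escalation_root_login_without_mfa.toml looks out of place for a root console-login detection: the sibling console-login rule earlier in this patch tags `"Data Source: AWS Signin"`, and nothing in this rule's name suggests Route 53 data. This is not something the commit introduces, but the tags array is being edited here anyway, so it is a cheap moment to correct it; `"Data Source: AWS Signin"` appears to be the intended value, which should be confirmed against the rule's query (outside this hunk). Data-source tags drive filtering and integration mapping in the rule UI, so a wrong one surfaces the rule to the wrong audience. A similar check may be warranted for privilege_escalation_updateassumerolepolicy, which tags `"Data Source: AWS STS"` on what its name describes as an IAM policy change.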
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index 1cc2fd23f1f..c81aedb0401 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Austin Songer"]
@@ -22,14 +24,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRol
 risk_score = 21
 rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS STS",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
index 7bde75f679e..48ce9ac22b7 100644
--- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Austin Songer"]
@@ -28,14 +30,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessio
 risk_score = 21
 rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS STS",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index 979d9ef466a..53313087b57 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -76,7 +78,7 @@ tags = [
 "Data Source: AWS STS",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Privilege Escalation",
+ "Tactic: Privilege Escalation"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index b3ffe646b7d..e6087f04f40 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -53,6 +55,7 @@ reference = "https://attack.mitre.org/techniques/T1530/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
index 92c23e47a2b..301b47cc7f4 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/08/12"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/28"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml
index b58c6dfac3f..60f60148cc1 100644
--- a/rules/integrations/azure/credential_access_key_vault_modified.toml
+++ b/rules/integrations/azure/credential_access_key_vault_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 5f1e83dabbf..4373e066167 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -32,12 +34,7 @@ references = [
 risk_score = 21
 rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Identity and Access Audit",
- "Tactic: Credential Access",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
index e6d6c3ef2b1..54c17bac930 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,12 +36,7 @@ references = [
 risk_score = 47
 rule_id = "1a36cace-11a7-43a8-9a10-b497c5a02cd3"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Identity and Access Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
index 50ea493d443..48d4d5cdd59 100644
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
index 7802a541aa0..45331762b05 100644
--- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/09/22"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -28,13 +30,7 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
 risk_score = 47
 rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Identity and Access Audit",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index 3d1aed02314..47626334d16 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index cad7d6eec7a..230a3c55e5d 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
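Review bot: The re-flowed `+tags = [...]` line in defense_evasion_azure_blob_permissions_modified.toml carries `"Data Source: Elastic Defend"` next to `"Data Source: Azure"` on what is, by its name and its Azure RBAC reference, a cloud audit-log rule; Elastic Defend is the endpoint data source, and no other Azure rule in this patch lists it, so it reads as a stray tag rather than a real dependency. Data-source tags feed rule filtering and the integration mapping shown to users, so a wrong one misrepresents what the rule needs to run. The tag predates this commit, but since the array is being rewritten here it would be a cheap clean-up to drop the entry, unless the rule's query (outside this hunk) actually reads endpoint data — worth confirming before removing it.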
@@ -79,7 +81,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Defense Evasion",
+ "Tactic: Defense Evasion"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index b94eb74a53b..a12e6f744cb 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index f0c701c2cb6..438edb64ff4 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,12 +31,7 @@ references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-ov
 risk_score = 21
 rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Network Security Monitoring",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
index acea8b019f8..4569cd69aed 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/08/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -33,12 +35,7 @@ references = [
 risk_score = 21
 rule_id = "09d028a5-dcde-409f-8ae0-557cef1b7082"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Network Security Monitoring",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index 12782cf9cb0..1d762fb49a5 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index 4bf9be6b02e..1e460c72f75 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -30,12 +32,7 @@ references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-wa
 risk_score = 47
 rule_id = "323cb487-279d-4218-bcbd-a568efe930c6"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Network Security Monitoring",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
index 5adfd45abdd..d3ce5bbd326 100644
--- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/08/27"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml
index 61d9adf1f1c..d0643bd1825 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml
index 6913c697a2e..c23a07b5e66 100644
--- a/rules/integrations/azure/execution_command_virtual_machine.toml
+++ b/rules/integrations/azure/execution_command_virtual_machine.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
index d66662ddb29..beb326d83d2 100644
--- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/05"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index 791f2c8c25a..6fb47608bff 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml
index 6ccdd075ad5..e84b2782060 100644
--- a/rules/integrations/azure/impact_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resource_group_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml
index f1e9e003e68..b8dfb12a905 100644
--- a/rules/integrations/azure/impact_virtual_network_device_modified.toml
+++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/12"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index fb43d7cada4..7a19dec88e3 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/04"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Willem D'Haese"]
@@ -77,7 +79,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 1657100c372..18bec57767d 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -72,7 +74,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index 84c1ea44cae..759a39fb377 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -76,7 +78,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 8766f39fcf6..d5fd491a1aa 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/01"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/22"
 [rule]
 author = ["Elastic"]
@@ -78,7 +80,7 @@ tags = [
 "Data Source: Microsoft 365",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
index ec46d414b1e..bd423645618 100644
--- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml
index 114f1210d26..c8018b94f0e 100644
--- a/rules/integrations/azure/persistence_azure_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
index 94aa992de20..9b4723dc041 100644
--- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
index 370c2d78c7c..d0d03fc2de8 100644
--- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
index fda5b5dbbe4..a679e83b9ed 100644
--- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index d3509a4a043..aed4975d38b 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index c27d826a2e9..913b409850d 100644
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index fa292e7a474..6e2bcb3b6f0 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -73,7 +75,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Persistence",
+ "Tactic: Persistence"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index df2043ba47f..73504c66777 100644
--- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -67,7 +69,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Persistence",
+ "Tactic: Persistence"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index 1da8d4b0099..976609b89df 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index cdb7081845a..83a6a7834e1 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
index c57337e5f17..09f19c7c6e7 100644
--- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -27,12 +29,7 @@ references = [
 risk_score = 21
 rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml
index af8cc879b82..fe0d918514d 100644
--- a/rules/integrations/cloud_defend/container_workload_protection.toml
+++ b/rules/integrations/cloud_defend/container_workload_protection.toml
@@ -2,13 +2,15 @@
 creation_date = "2023/04/05"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Initial version of the Container Workload Protection alerts"
+min_stack_version = "8.8.0"
+updated_date = "2024/05/13"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you
-to immediately begin triaging and investigating these alerts.
+Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to
+immediately begin triaging and investigating these alerts.
 """
 enabled = true
 from = "now-10m"
@@ -37,4 +39,3 @@ type = "query"
 query = '''
 event.kind:alert and event.module:cloud_defend
 '''
-
diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
index da057f623e1..4311d3809d5 100644
--- a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
@@ -2,60 +2,52 @@
 creation_date = "2023/06/28"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/06/28"
 [rule]
 author = ["Elastic"]
-description = """
-This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a
-container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or
-facilitate a container breakout to the underlying cloud environment.
-"""
+description = "This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment."
 from = "now-6m"
 index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
 name = "AWS Credentials Searched For Inside A Container"
-references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"]
+tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
+references = [
+ "https://sysdig.com/blog/threat-detection-aws-cloud-containers/",
+]
 risk_score = 47
 rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767"
 severity = "medium"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
-]
 timestamp_override = "event.ingested"
 type = "eql"
-query = '''
+query = """
 process where event.module == "cloud_defend" and event.type == "start" and /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")
or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*")
-'''
-
+"""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
-
+ [rule.threat.tactic]
+ id = "TA0006"
+ reference = "https://attack.mitre.org/tactics/TA0006/"
+ name = "Credential Access"
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+ [[rule.threat.technique]]
+ id = "T1552"
+ reference = "https://attack.mitre.org/techniques/T1552/"
+ name = "Unsecured Credentials"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1552.001"
+ reference = "https://attack.mitre.org/techniques/T1552/001/"
+ name = "Credentials In Files"
diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
index ad37dcc18f5..77b0d8b6a71 100644
--- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
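Review bot: The restored `query = """` wraps the EQL in a TOML basic multi-line string, which interprets backslash escapes; the query here contains none today, but any later edit that adds one (for example an escaped path separator in a wildcard) would be rewritten or rejected by the TOML loader instead of reaching the EQL engine verbatim, whereas the literal `'''` form carries the text unchanged. If the basic form is kept for consistency with the rest of the revert, a one-line `# NOTE: basic TOML string, backslashes must be doubled` comment above `query` would warn future editors. The same `query = """` is restored in the Sensitive Keys Or Passwords hunk further down. Separately, the new side moves `tags = [...]` between `name` and `references`, while the other rule files in this diff keep it after `severity`; a uniform key order keeps the rule files easier to diff.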
@@ -19,14 +21,7 @@ name = "Sensitive Files Compression Inside A Container"
 risk_score = 47
 rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1"
 severity = "medium"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Tactic: Credential Access",
-]
+tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -100,4 +95,3 @@ reference = "https://attack.mitre.org/techniques/T1560/001/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
index dc8fd0b0b06..d1b2210cb67 100644
--- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
@@ -2,36 +2,30 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
-description = """
-This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords
-inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container
-environment or facilitate a container breakout to the underlying host machine.
-"""
+description = "This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine."
 from = "now-6m"
 index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
 name = "Sensitive Keys Or Passwords Searched For Inside A Container"
-references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"]
+tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
+references = [
+ "https://sysdig.com/blog/cve-2021-25741-kubelet-falco/",
+]
 risk_score = 47
 rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a"
 severity = "medium"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
-]
 timestamp_override = "event.ingested"
 type = "eql"
-query = '''
+query = """
 process where container.id: "*" and event.type== "start" and (( /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
@@ -45,24 +39,22 @@ or (process.name in ("find", "locate", "mlocate")
 or process.args in ("find", "locate", "mlocate")) and process.args : ("*id_rsa*", "*id_dsa*") ))
-'''
-
+"""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
-
+ [rule.threat.tactic]
+ id = "TA0006"
+ reference = "https://attack.mitre.org/tactics/TA0006/"
+ name = "Credential Access"
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+ [[rule.threat.technique]]
+ id = "T1552"
+ reference = "https://attack.mitre.org/techniques/T1552/"
+ name = "Unsecured Credentials"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1552.001"
+ reference = "https://attack.mitre.org/techniques/T1552/001/"
+ name = "Credentials In Files"
diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
index 14581165c8e..76e8dad4c46 100644
--- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
@@ -2,16 +2,17 @@ creation_date = "2023/06/06" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/23" [rule] author = ["Elastic"] description = """ -This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a -container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the -dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to -grant unauthorized access to system resources and has been used to evade detection of malicious processes in container -environments. +This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. +The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying +the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and +has been used to evade detection of malicious processes in container environments. """ from = "now-6m" index = ["logs-cloud_defend*"] @@ -21,9 +22,9 @@ license = "Elastic License v2" name = "Modification of Dynamic Linker Preload Shared Object Inside A Container" references = [ "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", - "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", "https://sysdig.com/blog/threat-detection-aws-cloud-containers/", -] +] risk_score = 73 rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee" severity = "high" 
@@ -53,4 +54,3 @@ reference = "https://attack.mitre.org/techniques/T1574/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml index bb9fab55b3f..cae35970e82 100644 --- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml 
@@ -2,88 +2,73 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] -description = """ -This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, -tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, -or exploitation, and should be monitored closely within a container. -""" -false_positives = [ - """ - There is a potential for false positives if the container is used for legitimate tasks that require the use of - network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any - alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate - container activity. - """, -] +description = "This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container." +false_positives = [""" + There is a potential for false positives if the container is used for legitimate tasks that require the use of network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. 
+ """] from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" name = "Suspicious Network Tool Launched Inside A Container" +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Command and Control", "Tactic: Reconnaissance"] risk_score = 47 rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Command and Control", - "Tactic: Reconnaissance", -] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ process where container.id: "*" and event.type== "start" and ( (process.name: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) or /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.args: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) ) -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1046" -name = "Network Service Discovery" -reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] + id = "TA0007" + reference = "https://attack.mitre.org/tactics/TA0007/" + name = "Discovery" + + [[rule.threat.technique]] + id = "T1046" + reference = "https://attack.mitre.org/techniques/T1046/" + name = "Network Service Discovery" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" + 
[rule.threat.tactic] + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" + name = "Command and Control" + + [[rule.threat.technique]] + id = "T1105" + reference = "https://attack.mitre.org/techniques/T1105/" + name = "Ingress Tool Transfer" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" - -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" + [rule.threat.tactic] + id = "TA0043" + reference = "https://attack.mitre.org/tactics/TA0043/" + name = "Reconnaissance" + [[rule.threat.technique]] + id = "T1595" + reference = "https://attack.mitre.org/techniques/T1595/" + name = "Active Scanning" diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml index 24a7ee25a08..50f1e3610e6 100644 --- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml 
@@ -2,23 +2,16 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] -description = """ -This rule detects when a container management binary is run from inside a container. These binaries are critical -components of many containerized environments, and their presence and execution in unauthorized containers could -indicate compromise or a misconfiguration. -""" -false_positives = [ - """ - There is a potential for false positives if the container is used for legitimate administrative tasks that require - the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is - important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity - or part of legitimate container activity. - """, -] +description = "This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration." +false_positives = [""" + There is a potential for false positives if the container is used for legitimate administrative tasks that require the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. + """] from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" 
@@ -28,32 +21,24 @@ name = "Container Management Utility Run Inside A Container" risk_score = 21 rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50" severity = "low" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ process where container.id: "*" and event.type== "start" and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl") -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1609" -name = "Container Administration Command" -reference = "https://attack.mitre.org/techniques/T1609/" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.threat.tactic] + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + name = "Execution" + [[rule.threat.technique]] + id = "T1609" + reference = "https://attack.mitre.org/techniques/T1609/" + name = "Container Administration Command" diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml index 64fb497ec44..6a8e4acd1ca 100644 --- a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] -description = """ -This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file -permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized -or malicious code inside the container. -""" +description = "This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container." from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" 
@@ -20,53 +18,45 @@ name = "File Made Executable via Chmod Inside A Container" risk_score = 47 rule_id = "ec604672-bed9-43e1-8871-cf591c052550" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ file where container.id: "*" and event.type in ("change", "creation") and /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.name : "chmod" or process.args : "chmod") and process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + name = "Execution" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" + name = "Command and Scripting Interpreter" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1222" -name = "File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/" -[[rule.threat.technique.subtechnique]] -id = "T1222.002" -name = "Linux and Mac File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/002/" - - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = 
"https://attack.mitre.org/tactics/TA0005/" + [rule.threat.tactic] + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" + name = "Defense Evasion" + + [[rule.threat.technique]] + id = "T1222" + reference = "https://attack.mitre.org/techniques/T1222/" + name = "File and Directory Permissions Modification" + + [[rule.threat.technique.subtechnique]] + id = "T1222.002" + reference = "https://attack.mitre.org/techniques/T1222/002/" + name = "Linux and Mac File and Directory Permissions Modification" + diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml index 16de26f880e..78e59f5f28e 100644 --- a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml 
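Review bot: The clause `process.args : ("*x*", "777", "755", "754", "700")` on the new side treats any argument containing the letter x as an execute-bit change, so a chmod on a path such as `/etc/nginx/nginx.conf` or anything under a directory like `/tmp/export` matches this medium-severity rule regardless of the mode given, and the `not process.args: "-x"` exclusion only suppresses a bare `-x`, not `a-x` or `u-x`, which still satisfy `*x*`. Anchoring the symbolic form on the `+` or `=` operator would remove most of that noise, e.g. `process.args : ("*+*x*", "*=*x*", "777", "755", "754", "700")`, after which the `-x` exclusion becomes unnecessary. Numeric modes such as `711`, `751` or `775` also set execute bits and are absent from the list; if that omission is deliberate a short comment next to the list would stop the next maintainer from "fixing" it. The query is fully inside this hunk, but the rule's metadata block above it is not.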
@@ -2,16 +2,17 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' -command in a pod allows a user to establish a temporary shell session and execute any process/command inside the -container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a -container's shell. A malicious actor could use this level of access to further compromise the container environment or -attempt a container breakout. +command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. +This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. +A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout. """ false_positives = [ """ @@ -36,13 +37,7 @@ references = [ risk_score = 73 rule_id = "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] timestamp_override = "event.ingested" type = "eql" 
@@ -62,24 +57,23 @@ process.interactive == true [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[[rule.threat.technique]] -id = "T1609" -name = "Container Administration Command" -reference = "https://attack.mitre.org/techniques/T1609/" + [rule.threat.tactic] + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + name = "Execution" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" + name = "Command and Scripting Interpreter" + [[rule.threat.technique.subtechnique]] + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" + name = "Unix Shell" + + [[rule.threat.technique]] + id = "T1609" + name = "Container Administration Command" + reference = "https://attack.mitre.org/techniques/T1609/" diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml index 55c5ccec6c3..12ba616f380 100644 --- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml 
@@ -2,19 +2,16 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] -description = """ -This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential -container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host. -""" -false_positives = [ - """ - Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container - resulting in false positives. - """, +description = "This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host." +false_positives = [""" + Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container resulting in false positives. + """ ] from = "now-6m" index = ["logs-cloud_defend*"] @@ -22,20 +19,14 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "Suspicious Interactive Shell Spawned From Inside A Container" +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] risk_score = 73 rule_id = "8d3d0794-c776-476b-8674-ee2e685f6470" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", -] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ process where container.id: "*" and event.type== "start" and 
@@ -46,24 +37,22 @@ event.action in ("fork", "exec") and event.action != "end" (process.executable: "*/*sh" and process.args: ("-i", "-it")) or process.args: "*/*sh" ) -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - + [rule.threat.tactic] + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + name = "Execution" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" + name = "Command and Scripting Interpreter" + [[rule.threat.technique.subtechnique]] + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" + name = "Unix Shell" diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml index c739bdcdcbf..3557818cd73 100644 --- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml 
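Review bot: The context line `or process.args: "*/*sh"` on the new side matches any argument whose last path component ends in `sh`, not only shells: `/usr/bin/ssh`, `/app/bin/publish`, `/scripts/refresh` or `/opt/tool/finish` all satisfy it, and because this alternative is OR-ed with the `-i`/`-it` check it raises a high-severity "interactive shell" alert with no interactivity evidence at all. I would enumerate the shells instead, e.g. `or process.args: ("*/sh", "*/bash", "*/dash", "*/ash", "*/zsh", "*/ksh", "*/csh", "*/tcsh", "*/fish")`, or anchor the pattern with `regex~` if the set must stay open-ended. The `process.executable: "*/*sh"` half has the same looseness but is at least gated on the `-i`/`-it` argument. The `process where ...` header and any conditions before this parenthesis are in the previous hunk, outside this one.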
@@ -2,23 +2,16 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] -description = """ -This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and -writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for -persistence or exfiltrating data. -""" -false_positives = [ - """ - There is a potential for false positives if the container is used for legitimate tasks that require the use of - netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts - generated by this rule to determine if they are indicative of malicious activity or part of legitimate container - activity. - """, -] +description = "This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence or exfiltrating data." +false_positives = [""" + There is a potential for false positives if the container is used for legitimate tasks that require the use of netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. + """] from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" 
@@ -28,17 +21,11 @@ name = "Netcat Listener Established Inside A Container" risk_score = 73 rule_id = "a52a9439-d52c-401c-be37-2785235c6547" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ process where container.id: "*" and event.type== "start" and event.action in ("fork", "exec") and ( @@ -51,24 +38,22 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") /* bind shell to specific port */ or process.args:("-*l*", "--listen", "-*p*", "--source-port") ) -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - + [rule.threat.tactic] + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + name = "Execution" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" + name = "Command and Scripting Interpreter" + [[rule.threat.technique.subtechnique]] + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" + name = "Unix Shell" diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml index d4cdae3dcc6..09e02b6b142 100644 
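Review bot: In the listener alternative `process.args:("-*l*", "--listen", "-*p*", "--source-port")` on the new side, the `-*l*` and `-*p*` globs match any option containing those letters, so plain client invocations such as `ncat --ssl host 443`, `ncat --delay 1 host 80` or `nc --help` satisfy this high-severity "listener established" rule, and `-p` on its own is the source-port option for outbound connects in traditional netcat rather than evidence of a bind. I would drop the port-only patterns from the listener test and anchor the listen flag to a short-option cluster or the explicit long form, e.g. `or (process.args regex~ "-[a-z]*l[a-z]*" or process.args : "--listen")`, keeping `-p` only in combination with `-l` if it must stay. The `/* bind shell to specific port */` comment would then describe what the condition actually checks. The `query = """` header and the condition that precedes `process.args: ("nc","ncat",...)` inside these parentheses are in the earlier hunk of this file, so the overall boolean shape should be confirmed there.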
--- a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml @@ -2,20 +2,21 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ -This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a -container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it -to gain initial access or establish persistence within a compromised environment. +This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside +a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use +it to gain initial access or establish persistence within a compromised environment. """ -false_positives = [ - """ - SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed - to distinguish between authorized and potentially malicious behavior. - """, +false_positives = [""" + SSH usage may be legitimate depending on the environment. + Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior. + """ ] from = "now-6m" index = ["logs-cloud_defend*"] 
@@ -23,20 +24,13 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "SSH Connection Established Inside A Running Container" -references = [ +references = [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", ] risk_score = 73 rule_id = "f5488ac1-099e-4008-a6cb-fb638a0f0828" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Lateral Movement", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement"] timestamp_override = "event.ingested" type = "eql" @@ -61,11 +55,12 @@ id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -77,10 +72,7 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml index 5ed644ebed5..3b63f77876b 100644 --- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml 
@@ -2,21 +2,21 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ -This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and -server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With -valid credentials an attacker may move laterally to other containers or to the underlying host through container -breakout. They may also use valid SSH credentials as a persistence mechanism. +This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. +SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to +other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism. """ -false_positives = [ - """ - SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed - to distinguish between authorized and potentially malicious behavior. - """, +false_positives = [""" + SSH usage may be legitimate depending on the environment. + Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior. + """ ] from = "now-6m" index = ["logs-cloud_defend*"] 
@@ -24,21 +24,14 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "SSH Process Launched From Inside A Container" -references = [ +references = [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/", ] risk_score = 73 rule_id = "03a514d9-500e-443e-b6a9-72718c548f6c" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "eql" @@ -60,12 +53,11 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -73,7 +65,6 @@ id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml index 30220e18f92..9e40863fbcc 100644 --- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml +++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure
-Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication.
-Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and
-unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.
+This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container.
+The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication.
+Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
+Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.
 """
 from = "now-6m"
 index = ["logs-cloud_defend*"]
@@ -21,14 +23,7 @@ name = "SSH Authorized Keys File Modified Inside a Container"
 risk_score = 73
 rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3"
 severity = "high"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Lateral Movement",
-]
+tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Lateral Movement"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -49,24 +44,15 @@ id = "T1098.004"
 name = "SSH Authorized Keys"
 reference = "https://attack.mitre.org/techniques/T1098/004/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
-[[rule.threat.technique.subtechnique]]
-id = "T1021.004"
-name = "SSH"
-reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1563"
 name = "Remote Service Session Hijacking"
@@ -76,10 +62,16 @@ id = "T1563.001"
 name = "SSH Hijacking"
 reference = "https://attack.mitre.org/techniques/T1563/001/"
-
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
index e02c4778a14..7d3c3b6c284 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
@@ -2,7 +2,9 @@ creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/18"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
index 8c44e8b3c60..5b9bb8a9d8d 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
@@ -2,7 +2,9 @@ creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
index 014a64956d8..59d455b4410 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
@@ -2,8 +2,10 @@ creation_date = "2021/06/23"
 integration = ["cyberarkpas"]
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 promotion = true
-updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,12 +35,7 @@ risk_score = 73
 rule_id = "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54"
 rule_name_override = "event.action"
 severity = "high"
-tags = [
- "Data Source: CyberArk PAS",
- "Use Case: Log Auditing",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
-]
+tags = ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
index 4fd99826fe8..9c63474aa4a 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
@@ -2,8 +2,10 @@ creation_date = "2021/06/23"
 integration = ["cyberarkpas"]
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 promotion = true
-updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,12 +35,7 @@ risk_score = 73
 rule_id = "c5f81243-56e0-47f9-b5bb-55a5ed89ba57"
 rule_name_override = "event.action"
 severity = "high"
-tags = [
- "Data Source: CyberArk PAS",
- "Use Case: Log Auditing",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
-]
+tags = ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
index 55bf68afc0f..0291e681351 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 75
@@ -17,13 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code"
 name = "Potential Data Exfiltration Activity to an Unusual ISO Code"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "e1db8899-97c1-4851-8993-3a3265353601"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -50,6 +45,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "e1db8899-97c1-4851-8993-3a3265353601"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
index 88a012b6e29..71f7de4c7ec 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 75
@@ -17,13 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_sent_bytes_destination_ip"
 name = "Potential Data Exfiltration Activity to an Unusual IP Address"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "cc653d77-ddd2-45b1-9197-c75ad19df66c"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -50,6 +45,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "cc653d77-ddd2-45b1-9197-c75ad19df66c"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
index 20d6850ca12..7d5b38f0403 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 75
@@ -16,13 +18,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_sent_bytes_destination_port"
 name = "Potential Data Exfiltration Activity to an Unusual Destination Port"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "ef8cc01c-fc49-4954-a175-98569c646740"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -49,6 +44,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "ef8cc01c-fc49-4954-a175-98569c646740"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
index 1a3e7ef8555..69708440927 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 75
@@ -17,13 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_sent_bytes_destination_region_name"
 name = "Potential Data Exfiltration Activity to an Unusual Region"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "bfba5158-1fd6-4937-a205-77d96213b341"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -50,6 +45,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "bfba5158-1fd6-4937-a205-77d96213b341"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
index b62f5b16920..a560d7cd27a 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 75
@@ -17,13 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_bytes_written_to_external_device"
 name = "Spike in Bytes Sent to an External Device"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "35a3b253-eea8-46f0-abd3-68bdd47e6e3d"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -49,6 +44,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "35a3b253-eea8-46f0-abd3-68bdd47e6e3d"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
index d484668f893..7a30d8d9b24 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 75
@@ -18,13 +20,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop"
 name = "Spike in Bytes Sent to an External Device via Airdrop"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -50,6 +45,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
index fc98cc66a3f..cdc7a88d3b4 100644
--- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
+++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 75
@@ -17,13 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_rare_process_writing_to_external_device"
 name = "Unusual Process Writing Data to an External Device"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -49,6 +44,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
index 47b2a9d9957..d6550b0d420 100644
--- a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
+++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/14"
 integration = ["dga", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 author = ["Elastic"]
@@ -15,13 +17,6 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Machine Learning Detected DGA activity using a known SUNBURST DNS domain"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/dga",
- "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
-]
-risk_score = 99
-rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766"
 setup = """## Setup
 The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat.
@@ -68,6 +63,13 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio
 }
 ```
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga",
+ "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
+]
+risk_score = 99
+rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766"
 severity = "critical"
 tags = [
 "Domain: Network",
diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
index 0830449ff22..76e884d760f 100644
--- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
+++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/14"
 integration = ["dga", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -17,13 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "dga_high_sum_probability"
 name = "Potential DGA Activity"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/dga",
- "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
-]
-risk_score = 21
-rule_id = "ff0d807d-869b-4a0d-a493-52bc46d2f1b1"
 setup = """## Setup
 The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat.
@@ -77,6 +72,13 @@ Before you can enable this rule, you'll need to enable the corresponding Anomaly
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json) configuration file, you will see a card for DGA under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga",
+ "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
+]
+risk_score = 21
+rule_id = "ff0d807d-869b-4a0d-a493-52bc46d2f1b1"
 severity = "low"
 tags = [
 "Use Case: Domain Generation Algorithm Detection",
diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml
index dca1fb0b3b9..88007164d87 100644
--- a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml
+++ b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/14"
 integration = ["dga", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 author = ["Elastic"]
@@ -15,13 +17,6 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Machine Learning Detected a DNS Request With a High DGA Probability Score"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/dga",
- "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
-]
-risk_score = 21
-rule_id = "da7f5803-1cd4-42fd-a890-0173ae80ac69"
 setup = """## Setup
 The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat.
@@ -68,6 +63,13 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio
 }
 ```
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga",
+ "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
+]
+risk_score = 21
+rule_id = "da7f5803-1cd4-42fd-a890-0173ae80ac69"
 severity = "low"
 tags = [
 "Domain: Network",
diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml
index ef50f101169..79e0bc018a6 100644
--- a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml
+++ b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/14"
 integration = ["dga", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 author = ["Elastic"]
@@ -15,13 +17,6 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Machine Learning Detected a DNS Request Predicted to be a DGA Domain"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/dga",
- "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
-]
-risk_score = 21
-rule_id = "f3403393-1fd9-4686-8f6e-596c58bc00b4"
 setup = """## Setup
 The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat.
@@ -68,6 +63,13 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio
 }
 ```
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga",
+ "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
+]
+risk_score = 21
+rule_id = "f3403393-1fd9-4686-8f6e-596c58bc00b4"
 severity = "low"
 tags = [
 "Domain: Network",
diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
index 7353bf7fcc6..ddc45fe6865 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -2,8 +2,10 @@ creation_date = "2020/07/08"
 integration = ["endpoint"]
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/13"
 promotion = true
-updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 3d33d2ee993..afc316a77bf 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -2,7 +2,9 @@ creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "d62b64a8-a7c9-43e5-aee3-15a725a794e7"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Log Auditing",
- "Tactic: Collection",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index 701fd52c77f..de979e3009e 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/admin"]
 risk_score = 21
 rule_id = "a10d3d9d-0f65-48f1-8b25-af175e2594f5"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Log Auditing",
- "Tactic: Collection",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index bf65a769bb5..f19f55da16b 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -32,13 +34,7 @@ references = [
 risk_score = 21
 rule_id = "30562697-9859-4ae0-a8c5-dab45d664170"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Configuration Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index 2bd5d930541..68d787f49bb 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -31,13 +33,7 @@ references = [
 risk_score = 47
 rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Configuration Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index ae5126fc5fb..3f219874af8 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -32,13 +34,7 @@ references = [
 risk_score = 47
 rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Configuration Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index a9e9ba23557..5e66bedffac 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -31,13 +33,7 @@ references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.go
 risk_score = 47
 rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Log Auditing",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index 3b91941b1cc..cb523589193 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/18"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/logging/docs/export"]
 risk_score = 47
 rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Log Auditing",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index d81d4f1c70e..03c2b9b4a97 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Log Auditing",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index b0c2ba3b66a..df8980906ee 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/18"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "3202e172-01b1-4738-a932-d024c514ba72"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Log Auditing",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index 58c3e161484..b1f8119e794 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -27,13 +29,7 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Identity and Access Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 5aa2543b2d8..93d434aa0f7 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -28,13 +30,7 @@ references = ["https://cloud.google.com/storage/docs/access-control/iam-permissi
 risk_score = 47
 rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Identity and Access Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
index ae837651b9c..9d7467ce9be 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/vpc/docs/vpc"]
 risk_score = 47
 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Configuration Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
index 14e579912ce..d8ab78834fc 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 21
 rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Configuration Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
index b0b775a5f06..9084f33dcf6 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 47
 rule_id = "a17bcc91-297b-459b-b5ce-bc7460d8f82a"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Configuration Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index c1b0254c4f0..28408b63947 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
 risk_score = 21
 rule_id = "184dfe52-2999-42d9-b9d1-d1ca54495a61"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Log Auditing",
- "Tactic: Exfiltration",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Exfiltration"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index c999c7eebe1..4bd608d6896 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/iam/docs/understanding-roles"]
 risk_score = 21
 rule_id = "e2fb5b18-e33c-4270-851e-c3d675c9afcd"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Identity and Access Audit",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index 7f30b45a128..15b278eef14 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -30,13 +32,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Identity and Access Audit",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index 034f249af9b..5f4640b988e 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -30,13 +32,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "bca7d28e-4a48-47b1-adb7-5074310e9a61"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Identity and Access Audit",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index cfc19dbb136..b4c74cf818c 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index fbf52054537..a412746fc16 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
 risk_score = 47
 rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Identity and Access Audit",
- "Tactic: Initial Access",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 18048b305d9..894d12936f7 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,13 +35,7 @@ references = [
 risk_score = 21
 rule_id = "9890ee61-d061-403d-9bf6-64934c51f638"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index 07b969e6a80..8ee7350643e 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,13 +36,7 @@ references = [
 risk_score = 21
 rule_id = "0e5acaae-6a64-4bbc-adb8-27649c03f7e1"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index b929f9b69a2..4207b15ffdb 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -31,13 +33,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 21
 rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
index d85163a5c79..d38ee949682 100644
--- a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
+++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
@@ -2,15 +2,18 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/30"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be
-used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository.
-Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized
-changes could be used to lower your organization's security posture and leave you exposed for future attacks.
+This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules
+can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in
+your repository. Changes to these protected branch settings should be investigated and verified as legitimate
+activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed
+for future attacks.
 """
 from = "now-9m"
 index = ["logs-github.audit-*"]
@@ -23,13 +26,11 @@ severity = "medium"
 tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 configuration where event.dataset == "github.audit"
- and github.category == "protected_branch" and event.type == "change"
+ and github.category == "protected_branch" and event.type == "change"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
index b49bc9b3389..891c181759a 100644
--- a/rules/integrations/github/execution_github_app_deleted.toml
+++ b/rules/integrations/github/execution_github_app_deleted.toml
@@ -2,11 +2,15 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/11"
 [rule]
 author = ["Elastic"]
-description = "Detects the deletion of a GitHub app either from a repo or an organization.\n"
+description = """
+Detects the deletion of a GitHub app either from a repo or an organization.
+"""
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "eql"
@@ -15,7 +19,11 @@ name = "GitHub App Deleted"
 risk_score = 21
 rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
 severity = "low"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -23,7 +31,6 @@ query = '''
 configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -36,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1648/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
index 85da5ced62c..dfa81e0277d 100644
--- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
+++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
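Review bot: The restored `tags` array in the `@@ -15,7 +19,11 @@` hunk is laid out as `tags = ["Domain: Cloud",` followed by continuation items and a dangling `+ ]` with no trailing comma, which differs from the one-item-per-line, trailing-comma layout used by the `-tags = [` blocks removed in the GCP hunks above and from the single-line form the removed line here had. The same layout returns in the next two GitHub rules (`execution_github_high_number_of_cloned_repos_from_pat.toml`, `execution_github_ueba_multiple_behavior_alerts_from_account.toml`), and the re-joined description line in the former runs past the ~120-column wrap that every other description in this diff keeps to. The reverted commit appears to have normalized these files as a side effect, so restoring the old bytes verbatim means the next formatting pass will churn them again; running the repo's TOML rule formatter on these three files after the revert would confine the revert to the version metadata.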
@@ -2,13 +2,14 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
 [rule]
 author = ["Elastic"]
 description = """
-Detects a high number of unique private repo clone events originating from a single personal access token within a short
-time period.
+Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
 """
 from = "now-6m"
 index = ["logs-github.audit-*"]
@@ -18,13 +19,12 @@ name = "High Number of Cloned GitHub Repos From PAT"
 risk_score = 21
 rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Execution",
- "Data Source: Github",
-]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -34,7 +34,6 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal
 github.repository_public:false
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -51,8 +50,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.threshold]
 field = ["github.hashed_token"]
 value = 1
+
 [[rule.threshold.cardinality]]
 field = "github.repo"
 value = 10
-
-
diff --git a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
index b055bbe42af..2908f7b3e87 100644
--- a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
+++ b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
@@ -1,14 +1,17 @@ [metadata] creation_date = "2023/12/14" maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/18" [rule] author = ["Elastic"] description = """ -This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when -multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and -response, as these alerts are a higher indicator of compromised user accounts or PATs. +This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to +determine when multiple alerts are executed by the same user in a timespan of one hour. +Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user +accounts or PATs. """ from = "now-60m" index = [".alerts-security.*"] @@ -18,14 +21,13 @@ name = "GitHub UEBA - Multiple Alerts from a GitHub Account" risk_score = 47 rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec" severity = "medium" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: Higher-Order Rule", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: Higher-Order Rule", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "threshold" @@ -33,7 +35,6 @@ query = ''' signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open" ''' - [[rule.threat]] framework = "MITRE ATT&CK" @@ -45,8 +46,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.threshold] field = ["user.name"] value = 1 + [[rule.threshold.cardinality]] field = "signal.rule.name" value = 5 - - 
diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml index 8d63b58be15..2d07e6bb6ba 100644 --- a/rules/integrations/github/execution_new_github_app_installed.toml +++ b/rules/integrations/github/execution_new_github_app_installed.toml @@ -2,16 +2,18 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/03" [rule] author = ["Elastic"] description = """ -This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's -functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify -your repository and organization data. Only trusted apps should be installed and any newly installed apps should be -investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture -and leave you exposed for future attacks. +This rule detects when a new GitHub App has been installed in your organization account. +GitHub Apps extend GitHub's functionality both within and outside of GitHub. +When an app is installed it is granted permissions to read or modify your repository and organization data. +Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. +Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks. """ from = "now-9m" index = ["logs-github.audit-*"] 
@@ -24,12 +26,10 @@ severity = "medium" tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"] timestamp_override = "event.ingested" type = "eql" - query = ''' configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -38,6 +38,7 @@ name = "Software Deployment Tools" reference = "https://attack.mitre.org/techniques/T1072/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml index c75c9c689d8..9eebd68aea8 100644 --- a/rules/integrations/github/impact_github_repository_deleted.toml +++ b/rules/integrations/github/impact_github_repository_deleted.toml 
@@ -2,15 +2,19 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] description = """ -This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component -used within an organization to manage work, collaborate with others and release products to the public. Any delete -action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization -repositories could cause irreversible loss of intellectual property and indicate compromise within your organization. +This rule detects when a GitHub repository is deleted within your organization. +Repositories are a critical component used within an organization to manage work, +collaborate with others and release products to the public. Any delete action against +a repository should be investigated to determine it's validity. Unauthorized deletion +of organization repositories could cause irreversible loss of intellectual property and +indicate compromise within your organization. """ from = "now-9m" index = ["logs-github.audit-*"] @@ -20,21 +24,18 @@ name = "GitHub Repository Deleted" risk_score = 47 rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b" severity = "medium" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' configuration where event.module == "github" and event.action == "repo.destroy" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -43,8 +44,8 @@ name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml index df89d4bd008..7fd963c9fe6 100644 --- a/rules/integrations/github/persistence_github_org_owner_added.toml +++ b/rules/integrations/github/persistence_github_org_owner_added.toml @@ -2,14 +2,16 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] description = """ -Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any -new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise -within your organization and provide unlimited access to data and settings. +Detects when a new member is added to a GitHub organization as an owner. +This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. +Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. """ from = "now-9m" index = ["logs-github.audit-*"] 
@@ -19,21 +21,18 @@ name = "New GitHub Owner Added" risk_score = 47 rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9" severity = "medium" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +45,6 @@ name = "Cloud Account" reference = "https://attack.mitre.org/techniques/T1136/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml index 7c31e52610b..08adb684912 100644 --- a/rules/integrations/github/persistence_organization_owner_role_granted.toml +++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] description = """ -This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides -admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles -could indicate compromise within your organization and provide unlimited access to data and settings. +This rule detects when a member is granted the organization owner role of a GitHub organization. +This role provides admin level privileges. Any new owner role should be investigated to determine its validity. +Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. """ from = "now-9m" index = ["logs-github.audit-*"] @@ -19,21 +21,18 @@ name = "GitHub Owner Role Granted To User" risk_score = 47 rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4" severity = "medium" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +45,6 @@ name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" 
diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml index 3b0bb139b97..87875196e6f 100644 --- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml +++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml @@ -2,7 +2,9 @@ creation_date = "2022/08/24" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -80,12 +82,7 @@ references = ["https://support.google.com/a/answer/1247799?hl=en"] risk_score = 47 rule_id = "07b5f85a-240f-11ed-b3d9-f661ea17fbce" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Collection", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml index 2f9485b97b3..0cfba8bdd98 100644 --- a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml +++ b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml 
@@ -2,7 +2,9 @@ creation_date = "2022/09/13" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -80,12 +82,7 @@ references = ["https://support.google.com/a/answer/2685650?hl=en"] risk_score = 47 rule_id = "9510add4-3392-11ed-bd01-f661ea17fbce" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Collection", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml index 32ca309972a..32f0a1a9258 100644 --- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml +++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml @@ -2,7 +2,9 @@ creation_date = "2023/03/21" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml index 422ba0189ba..98380cea753 100644 
--- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml +++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml @@ -2,7 +2,9 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -88,7 +90,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide", - "Tactic: Defense Evasion", + "Tactic: Defense Evasion" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml index 1b92225d220..f97647f948b 100644 --- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml +++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -83,7 +85,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", - "Resources: Investigation Guide", + "Resources: Investigation Guide" ] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml index e16f5f51216..073d40ed61c 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml @@ -2,7 +2,9 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -83,7 +85,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", - "Resources: Investigation Guide", + "Resources: Investigation Guide" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml index 600ad32787a..703af0aefe3 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml 
@@ -2,19 +2,18 @@ creation_date = "2023/03/30" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ -Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant -permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could -allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges. +Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges. """ false_positives = [ """ - Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for - administrative tasks. + Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks. """, ] from = "now-130m" @@ -68,6 +67,7 @@ reference = "https://attack.mitre.org/techniques/T1550/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -89,8 +89,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["google_workspace.token.client.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-15d" - - +value = "now-15d" \ No newline at end of file 
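Review bot: The last hunk's new side ends with `+value = "now-15d"` followed by `\ No newline at end of file`, so the revert brings back a file with no terminating newline; adding the newline after `value = "now-15d"` is a one-character change that keeps that marker out of every future diff of this file. The first hunk in the same file also reflows the description and the `false_positives` entry into single lines far wider than the old side wrapped at. Both look like artefacts of restoring the earlier bytes verbatim rather than deliberate choices; if a normaliser produced the wrapped form, running it on the reverted file would resolve both at once.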
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml index 771d2750a38..5e34dce622f 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml @@ -2,7 +2,9 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -92,7 +94,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", - "Resources: Investigation Guide", + "Resources: Investigation Guide" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml index 65f289b2659..d369794ed3c 100644 --- a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml +++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml @@ -2,8 +2,10 @@ creation_date = "2023/01/15" integration = ["google_workspace"] maturity = "production" +min_stack_comments = "Google Workspace feature only present in 8.4+ stack versions" +min_stack_version = "8.4.0" +updated_date = "2023/06/22" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] 
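Review bot: In google_workspace_alert_center_promotion.toml the new `[metadata]` block ends `updated_date = "2023/06/22"` then `promotion = true`, whereas every other `[metadata]` block in this diff keeps its keys in alphabetical order with `updated_date` last; the second hunk of the same file reorders each `[[rule.severity_mapping]]` table so that `value` sits before `operator` and `severity`. Key order is irrelevant to TOML, so nothing changes functionally, but if the repository sorts keys on save the next pass will reverse these lines again. Keeping the old side's order (`promotion = true` above `updated_date`, and `value` last in each mapping) would restore the version floor with a smaller, stabler diff.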
@@ -36,12 +38,7 @@ risk_score = 73 rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc" rule_name_override = "google_workspace.alert.type" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Log Auditing", - "Use Case: Threat Detection", -] +tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Log Auditing", "Use Case: Threat Detection"] timestamp_override = "event.ingested" type = "query" @@ -49,23 +46,21 @@ query = ''' event.dataset: google_workspace.alert ''' - [[rule.severity_mapping]] field = "google_workspace.alert.metadata.severity" +value = "LOW" operator = "equals" severity = "low" -value = "LOW" [[rule.severity_mapping]] field = "google_workspace.alert.metadata.severity" +value = "MEDIUM" operator = "equals" severity = "medium" -value = "MEDIUM" [[rule.severity_mapping]] field = "google_workspace.alert.metadata.severity" +value = "HIGH" operator = "equals" severity = "high" -value = "HIGH" - diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml index 747f1ff2ffa..14aedf96052 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -83,7 +85,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Impact", - "Resources: Investigation Guide", + "Resources: Investigation Guide" ] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml index 9999e04f1b5..482baaafd1f 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml index c023a887bf0..74015523b76 100644 --- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml +++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/16" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml b/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml index 73a01ef943d..3d9429701d2 100644 --- a/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml 
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml @@ -2,7 +2,9 @@ creation_date = "2023/03/07" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -89,12 +91,7 @@ references = [ risk_score = 47 rule_id = "f33e68a4-bd19-11ed-b02f-f661ea17fbcc" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Initial Access", "Resources: Investigation Guide"] type = "eql" query = ''' diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml index 379476c08dc..76b673f2d0c 100644 --- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml +++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -40,12 +42,7 @@ references = ["https://support.google.com/a/answer/1110339"] risk_score = 21 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml index d7eb4ce5531..d59bb7cebaa 100644 --- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml +++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -87,7 +89,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Persistence", - "Resources: Investigation Guide", + "Resources: Investigation Guide" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml index 0d47da77d01..9a5cac6aeca 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml 
@@ -2,7 +2,9 @@ creation_date = "2022/08/26" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -87,7 +89,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Persistence", - "Resources: Investigation Guide", + "Resources: Investigation Guide" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml index 78b80ba643e..a99d257299c 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -90,7 +92,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Persistence", - "Resources: Investigation Guide", + "Resources: Investigation Guide" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml index eb8bc2a6282..570539eebff 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml 
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/12" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -81,13 +83,7 @@ references = ["https://developers.google.com/admin-sdk/directory/v1/guides/deleg risk_score = 47 rule_id = "acbc8bb9-2486-49a8-8779-45fb5f9a93ee" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Google Workspace", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence", -] +tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml index 1a5b51af505..770238e7a6e 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking changes for Google Workspace integration." +min_stack_version = "8.4.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -83,13 +85,7 @@ references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Google Workspace",
- "Use Case: Identity and Access Audit",
- "Resources: Investigation Guide",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
index 6181ee74c49..21f071d546d 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.4.0"
+updated_date = "2023/04/12"
 [rule]
 author = ["Elastic"]
@@ -85,7 +87,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index fae520fa6e7..672b61c7883 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -85,13 +87,7 @@ references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Google Workspace",
- "Use Case: Identity and Access Audit",
- "Resources: Investigation Guide",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
index bec0569605e..fc0fc257654 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -89,7 +91,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
index 098cfa6157e..5a0fc0bd2a5 100644
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -83,7 +85,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
index 50e54311ef7..b04db4c49c1 100644
--- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index d0589a903d9..2c1f88b33e3 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/06/30"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index 1c134a8e0b8..0834391421b 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/05/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index 2fd9df0a9e0..6da38310c01 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -2,7 +2,10 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/23"
+
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index 84e57ae7e00..2d649630771 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
index ab1756c91af..6389cbb8ec1 100644
--- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/20"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index 6b67122e530..6b261fa4c6d 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index e1e7005a68c..770e16e076c 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index 49a1dec6249..d40d9a87af8 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
index 20c8c18652f..b91cc231599 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/11"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index f1f93659d1d..39639d75a39 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
index 051c4b214e9..97e333ac0ea 100644
--- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
index fdac1aa8b75..57b927c85fd 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -17,14 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_mean_rdp_process_args"
 name = "High Mean of Process Arguments in an RDP Session"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
index 619c08ec281..c88ed4a04e7 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -17,14 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_mean_rdp_session_duration"
 name = "High Mean of RDP Session Duration"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
index f2930aca5a6..cec48ce9680 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -18,14 +20,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_file_size_remote_file_transfer"
 name = "Unusual Remote File Size"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
index f2072d40f55..83e027be23f 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -17,14 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_var_rdp_session_duration"
 name = "High Variance in RDP Session Duration"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
index 283fd17854a..8528ef1ce1a 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -17,14 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_rare_file_path_remote_transfer"
 name = "Unusual Remote File Directory"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -50,6 +44,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
index fad3bd17f58..1e67d54e040 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -16,14 +18,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_rare_file_extension_remote_transfer"
 name = "Unusual Remote File Extension"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -49,6 +43,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
index 0c1dccd6c10..6717d596f81 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -17,14 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source"
 name = "Spike in Number of Connections Made from a Source IP"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
index d3193f054d7..e9812f200e9 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -17,14 +19,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination" name = "Spike in Number of Connections Made to a Destination IP" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. @@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml index cdb15b8e932..f9f27d852dd 100644 
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LMD package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 70 @@ -16,14 +18,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes" name = "Spike in Number of Processes in an RDP Session" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
@@ -50,6 +44,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml index 7abc56dfef5..23f283148b9 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LMD package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 70 
@@ -18,14 +20,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_count_remote_file_transfer" name = "Spike in Remote File Transfers" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. @@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml index d16f9cba327..8819bf40ed0 100644 --- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml 
+++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LMD package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 70 @@ -17,14 +19,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start" name = "Unusual Time or Day for an RDP Session" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml index 9cd9d0b4429..332e71150a4 100644 --- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml +++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml @@ -2,7 +2,9 @@ creation_date = "2021/03/29" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic", "Gary Blackwell", "Austin Songer"] diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml index eefc98fb4d2..862240ebb40 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml 
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic", "Willem D'Haese", "Austin Songer"] @@ -28,14 +30,9 @@ references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-u risk_score = 73 rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", -] -timestamp_override = "event.ingested" +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml index 697a0f7718e..b709ca3dec9 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml +++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/01" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] 
@@ -28,14 +30,9 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured risk_score = 73 rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", -] -timestamp_override = "event.ingested" +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml index f74a123e361..58d24cb0497 100644 --- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml +++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml @@ -2,7 +2,9 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic", "Austin Songer"] 
@@ -27,14 +29,9 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured risk_score = 73 rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", -] -timestamp_override = "event.ingested" +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml index 77bc6a6dfa9..8f99baefdef 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -31,12 +33,7 @@ references = [ risk_score = 47 rule_id = "60f3adec-1df9-4104-9c75-b97d9f078b25" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml index ec5a1d9bbc5..c160e5ed558 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -31,12 +33,7 @@ references = [ risk_score = 47 rule_id = "d743ff2a-203e-4a46-a3e3-40512cfe8fbb" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml index 3a8e0b5063c..b7384af5a46 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] 
@@ -31,12 +33,7 @@ references = [ risk_score = 47 rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml index 9d9933ff325..df89e34c06e 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -31,12 +33,7 @@ references = [ risk_score = 21 rule_id = "03024bd9-d23f-4ec1-8674-3cf1a21e130b" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml index c702bee9a9c..147b3d4a33a 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml 
@@ -2,7 +2,9 @@ creation_date = "2022/01/13" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml index b000de68c75..4cb6fe52e78 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml index 1d3f8d6595f..b765b557589 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml +++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml index d249e245d1a..d562df516f4 100644 --- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml 
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml index 91ff9f58844..288995e6a39 100644 --- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml +++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml index 517c52cf466..90fe94c86f4 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/18" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/05/15" [rule] author = ["Elastic"] 
@@ -32,20 +34,15 @@ note = """## Triage and analysis - User changing of ClientAppId or new connection post an extended period of leave. - If the total number of accessed Mailboxes by ClientAppId is too high there is a high chance it's a false positive. """ -references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"] -risk_score = 47 -rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2" setup = """## Setup The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ +references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"] +risk_score = 47 +rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "new_terms" @@ -110,11 +107,10 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.ClientAppId"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-25d" - - diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml index 19722674349..c08ab9f6604 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -32,12 +34,7 @@ references = [ risk_score = 47 rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml index 71db20bf46d..61782f36120 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -32,12 +34,7 @@ references = [ risk_score = 47 rule_id = "97314185-2568-4561-ae81-f3e480e5e695" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml index c0734782b56..a9b2dd6b3ef 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -31,12 +33,7 @@ references = [ risk_score = 47 rule_id = "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml index 9eb423152f7..0453d71ad3a 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Austin Songer"] 
@@ -27,12 +29,7 @@ references = [ risk_score = 47 rule_id = "0136b315-b566-482f-866c-1d8e2477ba16" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml index 0b96dcaff21..90c76c255e5 100644 --- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml +++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml @@ -2,7 +2,9 @@ creation_date = "2022/01/12" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml index 1e179228799..52de44169fd 100644 --- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml +++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml @@ -2,7 +2,9 @@ creation_date = "2022/01/10" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml index 4ba15633da1..480d23d769c 100644 --- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml 
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml @@ -2,7 +2,9 @@ creation_date = "2022/01/10" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml index 348964efd89..e62ba72b5bb 100644 --- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml +++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml @@ -2,7 +2,9 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml index 90ef1163536..daf801209d0 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml +++ b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] 
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml index d445e6723d7..d3c59704944 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml +++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -31,12 +33,7 @@ references = [ risk_score = 47 rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml index 821b0bf2f8c..94cfa618762 100644 --- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml +++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml @@ -2,7 +2,9 @@ creation_date = "2022/01/06" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] 
@@ -27,12 +29,7 @@ references = [
 risk_score = 47
 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Microsoft 365",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
index a8da34138b9..e4a143449a3 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
@@ -29,7 +31,12 @@ references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts
 risk_score = 47
 rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
index a47f63526f6..a5288bc405e 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index cad302f3660..03d0fdbd60a 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index 5e7873a454e..7cc85cff038 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Austin Songer"]
@@ -28,12 +30,7 @@ references = [
 risk_score = 21
 rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Microsoft 365",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
index 7a71526db20..5f546571cb0 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/19"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/01"
 [rule]
 anomaly_threshold = 75
@@ -18,13 +20,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_rare_process_by_host"
 name = "Unusual Process Spawned by a Host"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/problemchild",
- "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
-]
-risk_score = 21
-rule_id = "56004189-4e69-4a39-b4a9-195329d226e9"
 setup = """## Setup
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -80,6 +75,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated.
 - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "56004189-4e69-4a39-b4a9-195329d226e9"
 severity = "low"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
index eda57d0433b..08116f76b9f 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/01"
 [rule]
 anomaly_threshold = 75
@@ -18,13 +20,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_rare_process_by_parent"
 name = "Unusual Process Spawned by a Parent Process"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/problemchild",
- "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
-]
-risk_score = 21
-rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd"
 setup = """## Setup
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -80,6 +75,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
 - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd"
 severity = "low"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
index c9039de7f75..1f39131547d 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/01"
 [rule]
 anomaly_threshold = 75
@@ -19,13 +21,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_rare_process_by_user"
 name = "Unusual Process Spawned by a User"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/problemchild",
- "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
-]
-risk_score = 21
-rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb"
 setup = """## Setup
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -81,6 +76,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
 - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb"
 severity = "low"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
index 7b8a91cef65..ae2a2dd3426 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/01"
 [rule]
 author = ["Elastic"]
@@ -16,13 +18,6 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/problemchild",
- "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
-]
-risk_score = 21
-rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad"
 setup = """## Setup
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -71,6 +66,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 }
 ```
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad"
 severity = "low"
 tags = [
 "OS: Windows",
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
index c134556b6f8..0357b533ebb 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/01"
 [rule]
 author = ["Elastic"]
@@ -16,13 +18,6 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/problemchild",
- "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
-]
-risk_score = 21
-rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
 setup = """## Setup
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -71,6 +66,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 }
 ```
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
 severity = "low"
 tags = [
 "OS: Windows",
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
index bfb17d0f270..77346bbbfcb 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/01"
 [rule]
 anomaly_threshold = 75
@@ -20,13 +22,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_high_sum_by_host"
 name = "Suspicious Windows Process Cluster Spawned by a Host"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/problemchild",
- "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
-]
-risk_score = 21
-rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3"
 setup = """## Setup
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -82,6 +77,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
 - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3"
 severity = "low"
 tags = [
 "Use Case: Living off the Land Attack Detection",
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
index f8a89d0a9fa..693b3cadd28 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/01"
 [rule]
 anomaly_threshold = 75
@@ -20,13 +22,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_high_sum_by_parent"
 name = "Suspicious Windows Process Cluster Spawned by a Parent Process"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/problemchild",
- "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
-]
-risk_score = 21
-rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0"
 setup = """## Setup
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -82,6 +77,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
 - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0"
 severity = "low"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
index 98ff9844090..d9533c157b3 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/01"
 [rule]
 anomaly_threshold = 75
@@ -20,13 +22,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_high_sum_by_user"
 name = "Suspicious Windows Process Cluster Spawned by a User"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/problemchild",
- "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
-]
-risk_score = 21
-rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b"
 setup = """## Setup
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -82,6 +77,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
 - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b"
 severity = "low"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml
index 5d422e19931..42f466d8307 100644
--- a/rules/linux/command_and_control_cat_network_activity.toml
+++ b/rules/linux/command_and_control_cat_network_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -29,14 +31,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
-
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is
-capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This
-activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or
-files to another host in the network or exfiltrate data while attempting to evade detection in the process.
+This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat
+is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel.
+This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools
+or files to another host in the network or exfiltrate data while attempting to evade detection in the process.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
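Review bot: The rewrapped description still carries the misspelling `transfering` on its second new line (`is capable of transfering data via tcp/udp channels`); since the revert already rewrites all four lines of this paragraph, it is a cheap place to correct it to `is capable of transferring data via tcp/udp channels`. This text is the rule's user-facing description value, so the typo surfaces wherever the rule is displayed. The `[rule]` table continues past the end of this hunk.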
@@ -130,14 +131,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
-
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -153,7 +153,6 @@ sequence by host.id, process.entity_id with maxspan=1s
 )]
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -161,6 +160,7 @@ framework = "MITRE ATT&CK"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -168,6 +168,7 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -175,4 +176,3 @@ framework = "MITRE ATT&CK"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-
diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml
index 45b888b7016..5a6cb5f3e72 100644
--- a/rules/linux/command_and_control_linux_chisel_client_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -29,15 +31,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
-
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection
-attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding
-and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication
-channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized
-access to internal systems.
+This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt.
+Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure
+communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass
+network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal
+systems.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -107,8 +108,8 @@ This rule looks for a sequence of command line arguments that are consistent wit
 """
 references = [
 "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
- "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding",
-]
+ "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
+ ]
 risk_score = 47
 rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd"
 setup = """## Setup
@@ -138,14 +139,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
-
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -158,17 +158,15 @@ sequence by host.id, process.entity_id with maxspan=1s
 "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")]
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml
index 1ddfe0bd6a4..0f511f1f3cf 100644
--- a/rules/linux/command_and_control_linux_chisel_server_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -29,15 +31,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
-
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received
-connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP
-tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to
-establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating
-tunnels that allow unauthorized access to internal systems.
+This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection
+within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels,
+enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish
+covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that
+allow unauthorized access to internal systems.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -107,8 +108,8 @@ This rule looks for a sequence of command line arguments that are consistent wit
 """
 references = [
 "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
- "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding",
-]
+ "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
+ ]
 risk_score = 47
 rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f"
 setup = """## Setup
@@ -138,14 +139,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -158,17 +158,15 @@ sequence by host.id, process.entity_id with maxspan=1m "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml index 6fa97bf2cb1..1c34f956065 100644 --- a/rules/linux/command_and_control_linux_kworker_netcon.toml +++ b/rules/linux/command_and_control_linux_kworker_netcon.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/04/30" [rule] author = ["Elastic"] description = """ This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the -kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel -space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. +kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel +space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. """ from = "now-9m" @@ -47,15 +49,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and process.name:kworker* and not destination.ip:( 
@@ -71,49 +72,50 @@ process.name:kworker* and not destination.ip:( ) and not destination.port:2049 ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [rule.threat.tactic] + id = "TA0011" + name = "Command and Control" + reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" + [rule.threat.tactic] + id = "TA0005" + name = "Defense Evasion" + reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique]] + name = "Masquerading" + id = "T1036" + reference = "https://attack.mitre.org/techniques/T1036/" + + [[rule.threat.technique]] + name = "Rootkit" + id = "T1014" + reference = "https://attack.mitre.org/techniques/T1014/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" + [rule.threat.tactic] + id = "TA0010" + name = "Exfiltration" + reference = "https://attack.mitre.org/tactics/TA0010/" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat.technique]] + name = "Exfiltration Over C2 Channel" + id = "T1041" + reference = "https://attack.mitre.org/techniques/T1041/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "destination.ip", "destination.port"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - 
diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml index 6af677c749b..4fe527e7466 100644 --- a/rules/linux/command_and_control_linux_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_proxychains_activity.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -29,13 +31,12 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the -routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted -resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and +This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the +routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted +resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. """ from = "now-9m" 
@@ -111,33 +112,30 @@ risk_score = 21 rule_id = "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "proxychains" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index d0e52b96bfe..063f3188912 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] 
@@ -29,15 +31,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to -restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade -detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and -intentions. +restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, +and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -137,17 +137,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "proxychains" and process.args : ( 
@@ -157,17 +156,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index b1ca0af322f..e063595ee22 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/30" [transform] [[transform.osquery]] 
@@ -29,14 +31,12 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ -This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can -leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, -and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote -control. +This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can +leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, +and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -108,8 +108,8 @@ This rule looks for several utilities that are capable of setting up tunnel netw """ references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", - "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding", -] + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" + ] risk_score = 47 rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e" setup = """## Setup 
@@ -139,16 +139,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( ( @@ -169,17 +168,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index 8e52abef11f..75e542d0975 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -2,7 +2,9 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/12/12" [transform] [[transform.osquery]] 
@@ -29,7 +31,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -168,13 +169,13 @@ Packetbeat is a real-time network packet analyzer that you can use for applicati """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -199,15 +200,14 @@ not destination.ip:( not destination.port:(22 or 80 or 443) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" @@ -216,8 +216,7 @@ reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "destination.ip", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index edf2c027b3c..e9cf2452665 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/04/12" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -149,13 +150,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index b4def3d777d..2e1bf781c53 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -61,14 +63,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Collection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -107,37 +109,37 @@ event.category:process and host.os.type:linux and event.type:start and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" + [[rule.threat.technique.subtechnique]] id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" @@ -146,8 +148,7 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line", "process.parent.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml index 1b57dacdf04..0c136e26c7d 100644 
--- a/rules/linux/credential_access_credential_dumping.toml +++ b/rules/linux/credential_access_credential_dumping.toml @@ -2,23 +2,28 @@ creation_date = "2023/02/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] description = """ -Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host -machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' -files. Using the combined file generated from the utility, the malicious threat actors can use them as input for -password-cracking utilities or prepare themselves for future operations by gathering credential information of the -victim. +Identifies the execution of the unshadow utility which is part of John the Ripper, +a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve +the combined contents of the '/etc/shadow' and '/etc/password' files. +Using the combined file generated from the utility, the malicious threat actors can use them as input +for password-cracking utilities or prepare themselves for future operations by gathering +credential information of the victim. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Credential Dumping via Unshadow" -references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"] +references = [ + "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/", +] risk_score = 47 rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c" setup = """## Setup 
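Review bot: The re-added description line `+the combined contents of the '/etc/shadow' and '/etc/password' files.` names a file that does not exist on Linux; the file unshadow combines with the shadow file is `/etc/passwd`, as the rule's own subtechnique name `"/etc/passwd and /etc/shadow"` in the next hunk states. Suggested wording: `the combined contents of the '/etc/shadow' and '/etc/passwd' files.`. The same hunk also restores `references` with a trailing comma and a column-0 `]`, while the `references` arrays re-added for the gdb rules later in this patch drop the trailing comma; the two layouts should be made consistent when the files are next touched. Both points carry over from the reverted-to state, so they are pre-existing rather than introduced here.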
@@ -48,37 +53,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "unshadow" and process.args_count >= 3 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml index 23bf71fefd2..e5b8dfc173b 100644 --- a/rules/linux/credential_access_gdb_init_process_hooking.toml +++ b/rules/linux/credential_access_gdb_init_process_hooking.toml 
@@ -2,12 +2,14 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory +This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ @@ -16,7 +18,10 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Linux init (PID 1) Secret Dump via GDB" -references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] +references = [ + "https://github.com/controlplaneio/truffleproc", + "https://github.com/hajzer/bash-memory-dump" +] risk_score = 47 rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f" setup = """## Setup 
@@ -46,37 +51,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml index 622a54dba55..1a72efb5829 100644 --- a/rules/linux/credential_access_gdb_process_hooking.toml +++ b/rules/linux/credential_access_gdb_process_hooking.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt -secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and +secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ from = "now-9m" @@ -16,22 +18,24 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "Linux Process Hooking via GDB" -references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] +references = [ + "https://github.com/controlplaneio/truffleproc", + "https://github.com/hajzer/bash-memory-dump" +] risk_score = 21 rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "gdb" and process.args in ("--pid", "-p") and 
@@ -39,22 +43,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.args != "1" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index 7e883b44436..8f187c78dbc 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -2,13 +2,15 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] description = """ -Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a -short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a +Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a +short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts. """ from = "now-9m" 
@@ -45,14 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.parent.executable, user.id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and @@ -63,22 +64,20 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s ] with runs=10 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" reference = "https://attack.mitre.org/techniques/T1110/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index 264cbb61e71..ca151185152 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml 
@@ -2,13 +2,15 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ -Identifies multiple external consecutive login failures targeting a user account from the same source address within a -short time interval. Adversaries will often brute force login attempts across multiple users with a common or known +Identifies multiple external consecutive login failures targeting a user account from the same source address within +a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. """ from = "now-9m" @@ -77,9 +79,12 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" - query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index dc4b7b8ec79..6640ba40453 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/02/21" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ -Identifies multiple internal consecutive login failures targeting a user account from the same source address within a -short time interval. Adversaries will often brute force login attempts across multiple users with a common or known +Identifies multiple internal consecutive login failures targeting a user account from the same source address within +a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. """ from = "now-9m" @@ -73,9 +75,12 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" - query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml index 936f72da6b4..d554c3a0918 100644 --- a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml 
@@ -2,16 +2,18 @@ creation_date = "2023/07/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] description = """ -An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different -combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can -include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and -potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting -a specific user account from the same source address and within a short time interval, followed by a successful +An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different +combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can +include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and +potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting +a specific user account from the same source address and within a short time interval, followed by a successful authentication. """ from = "now-9m" 
@@ -58,14 +60,13 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" - query = ''' sequence by host.id, auditd.data.addr, related.user with maxspan=5s [authentication where host.os.type == "linux" and event.action == "authenticated" and @@ -76,13 +77,14 @@ sequence by host.id, auditd.data.addr, related.user with maxspan=5s auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -93,10 +95,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml index f4c9c353808..cd5da35ff6f 100644 --- a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml 
@@ -2,16 +2,18 @@ creation_date = "2023/07/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] description = """ -An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and +An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact -can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks -within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising -the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a +can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks +within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising +the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. """ from = "now-9m" 
@@ -58,14 +60,13 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" - query = ''' sequence by host.id, related.user with maxspan=5s [authentication where host.os.type == "linux" and event.action == "authenticated" and @@ -74,13 +75,14 @@ sequence by host.id, related.user with maxspan=5s auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -91,10 +93,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index 735059d55f4..ed7a05b5662 100644 --- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml 
@@ -2,16 +2,18 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ -Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can -attempt to login into multiple users with a common or known password to gain access to accounts. +Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt +to login into multiple users with a common or known password to gain access to accounts. """ from = "now-9m" -index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"] +index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"] language = "eql" license = "Elastic License v2" name = "Potential Successful SSH Brute Force Attack" @@ -79,9 +81,13 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" - query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and 
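Review bot: The `index` line in the first hunk of credential_access_potential_successful_linux_ssh_bruteforce.toml is removed and re-added as a line that renders identically (`index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"]`), so the difference is presumably trailing whitespace that the revert brings back; worth confirming, since a whitespace-only change is exactly what the repo's formatting step would strip again on the next touch. Nothing else in this hunk alters the rule's data sources or query, so the point is purely about keeping the diff free of noise.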
@@ -91,13 +97,14 @@ sequence by host.id, source.ip, user.name with maxspan=15s event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -108,10 +115,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index 9da10c339f0..ff941228c7e 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/04/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] description = """ Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. -Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a -known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the -process and extracting lines that have a high probability of containing cleartext passwords. +Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits +a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by +dumping the process and extracting lines that have a high probability of containing cleartext passwords. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -19,7 +21,7 @@ license = "Elastic License v2" name = "Potential Linux Credential Dumping via Proc Filesystem" references = [ "https://github.com/huntergregal/mimipenguin", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781" ] risk_score = 47 rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311" 
@@ -50,15 +52,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.parent.name with maxspan=1m [process where host.os.type == "linux" and process.name == "ps" and event.action == "exec" @@ -67,27 +68,25 @@ sequence by host.id, process.parent.name with maxspan=1m and process.args : "/tmp/*"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" - [[rule.threat.technique]] id = "T1212" name = "Exploitation for Credential Access" reference = "https://attack.mitre.org/techniques/T1212/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index a537b35e543..ecc4b593291 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -64,15 +66,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index 2b7ee154fe7..1c84372ed06 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
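Review bot: The restored `tags` line in credential_access_ssh_backdoor_log.toml places all seven entries on a single line of roughly 200 characters, and the syslog-service rule in the first hunk of the next diff line does the same, while every other rule file in this revert keeps one entry per line. This is the pre-revert layout coming back rather than a new edit, so it can stand if the revert is meant to be short-lived; otherwise a follow-up that normalizes these two files to the one-entry-per-line form used elsewhere would keep the rule files consistent and their future diffs readable.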
@@ -44,16 +46,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -73,22 +75,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1562" name = "Impair Defenses" +id = "T1562" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] -id = "T1562.001" name = "Disable or Modify Tools" +id = "T1562.001" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] -id = "TA0005" name = "Defense Evasion" +id = "TA0005" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 78771aa6d7e..9c21dacf15b 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
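Review bot: In the `[[rule.threat.technique]]`, subtechnique and `[rule.threat.tactic]` tables of defense_evasion_attempt_to_disable_iptables_or_firewall.toml the new side moves `id` below `name` (`name = "Impair Defenses"` followed by `id = "T1562"`), whereas every other rule in this revert keeps `id` first; defense_evasion_clear_kernel_ring_buffer.toml further down reintroduces the same inversion and additionally swaps the order of its T1070 and T1562 techniques. TOML does not care, but a consistent `id`, `name`, `reference` order makes grepping and cross-rule diffing noticeably less noisy. The same file's new `tags` array also carries an empty line before the closing bracket (`"Data Source: Elastic Endgame"`, a blank line, then ` ]`), which is valid but reads like an editing leftover.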
@@ -55,14 +57,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 544c7ce58e0..31c0b7f2d6b 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/17" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -59,26 +61,25 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("base16", "base32", "base32plain", "base32hex") and not process.args in ("--help", "--version") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" @@ -89,9 +90,7 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index 362dc53aaf3..ba14cbaf631 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and -rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if -it does, the activity should be investigated. +This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move +and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, +so if it does, the activity should be investigated. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -45,14 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -83,27 +84,25 @@ sequence by host.id, process.entity_id with maxspan=1s ) and not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename System Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - -[[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index dacc91b8d4d..6708e47842d 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -2,7 +2,9 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/11" [rule] author = ["Elastic"] @@ -62,13 +64,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -79,20 +81,19 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" + [[rule.threat.technique.subtechnique]] id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index 989283a3641..6f37f146f24 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/24" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -44,48 +46,45 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "dmesg" and process.args == "-c" ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1070" -name = "Indicator Removal" -reference = "https://attack.mitre.org/techniques/T1070/" -[[rule.threat.technique.subtechnique]] -id = "T1070.002" -name = "Clear Linux or Mac System Logs" -reference = "https://attack.mitre.org/techniques/T1070/002/" - [[rule.threat.technique]] -id = "T1562" name = "Impair Defenses" +id = "T1562" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] -id = "T1562.001" name = "Disable or Modify Tools" +id = "T1562.001" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +name = "Indicator Removal" +id = "T1070" +reference = "https://attack.mitre.org/techniques/T1070/" +[[rule.threat.technique.subtechnique]] +name = "Clear Linux or Mac System Logs" +id = "T1070.002" +reference = "https://attack.mitre.org/techniques/T1070/002/" [rule.threat.tactic] -id = "TA0005" name = "Defense Evasion" +id = "TA0005" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index f5010f7c8b8..b871a387c7b 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml +++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml @@ -2,12 +2,14 @@ creation_date = "2023/08/28" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces +This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. """ @@ -45,17 +47,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( 
@@ -64,22 +65,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 3de937008a8..ef0ade341fa 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -57,38 +59,35 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "setenforce" and process.args == "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index e51936b4a4f..7751d734d66 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml 
@@ -2,16 +2,18 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.5.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify -the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as -"/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and -their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps -of VM-related files and configurations on the system. +Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, +which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related +paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization +software, and their presence in the touch command arguments may indicate that a threat actor is attempting to +tamper with timestamps of VM-related files and configurations on the system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
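Review bot: `min_stack_version = "8.5.0"` in defense_evasion_esxi_suspicious_timestomp_touch.toml is paired with the same `min_stack_comments` as the 8.3.0 rules (`"New fields added: required_fields, related_integrations, setup"`), so the comment no longer explains why this rule needs a higher floor than its siblings. Whatever drives the 8.5.0 requirement — presumably something in the integrations or fields this rule relies on, which the hunk does not show — should be stated in `min_stack_comments` so the gate can be verified or relaxed later without archaeology. The last hunk on this page shows the intended pattern: `min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"` next to `min_stack_version = "8.6.0"`.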
@@ -50,39 +52,36 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "touch" and process.args == "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.006" name = "Timestomp" reference = "https://attack.mitre.org/techniques/T1070/006/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index c14918a6bd2..9b41a3d3ddc 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -45,13 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" @@ -61,22 +63,20 @@ process where host.os.type == "linux" and event.type == "start" and process.name ) and not process.parent.name == "logrotate" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index e18c9cd1e32..308ff063e22 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -62,30 +64,28 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:process and event.type:start and process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and not process.parent.name:(apt-key or update-motd-updates-available) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" @@ -94,8 +94,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable", "process.command_line"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index f157040848e..c5ccfbfbe5e 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -67,12 +69,12 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -83,24 +85,24 @@ process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and not process.name in ("ls", "find", "grep", "git", "jq", "basename") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index f320147a67b..c841c28f353 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -2,7 +2,9 @@ creation_date = "2022/07/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -61,37 +63,34 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and not process.name == "dockerd" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index c483820f097..b1efaa15b39 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -52,13 +54,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -68,39 +70,38 @@ process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--r process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml index 01b696e0dac..110b6c20f3c 100644 --- a/rules/linux/defense_evasion_kthreadd_masquerading.toml +++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml 
@@ -2,21 +2,25 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such +Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to -hide their malicious programs by masquerading as legitimate kernel processes. +hide their malicious programs by masquerading as legitimate kernel processes. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Executable Masquerading as Kernel Process" -references = ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"] +references = [ + "https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/", +] risk_score = 21 rule_id = "202829f6-0271-4e88-b882-11a655c590d4" setup = """## Setup 
@@ -47,42 +51,39 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name : ("kworker*", "kthread*") and process.executable != null ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.004" name = "Masquerade Task or Service" reference = "https://attack.mitre.org/techniques/T1036/004/" - -[[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index 446e8c07c47..ca5cf9311e1 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
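Review bot: On the new side the `[[rule.threat.technique]]` entry for T1564 (Hide Artifacts) is placed before T1036 (Masquerading) within the same `[[rule.threat]]` block, so the technique ids are no longer in ascending order, whereas the removed lines had them sorted. If the repository normalizes technique order when a rule is saved, this block will likely be rewritten again on the next touch; otherwise keeping the entries as T1036 then T1564 avoids that churn. The remainder of the hunk is the tags re-indent and blank-line changes seen throughout the patch.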
@@ -62,13 +64,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -91,22 +93,20 @@ file where host.os.type == "linux" and event.type == "deletion" and not process.name in ("gzip", "executor", "dockerd") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index ad3e587dc05..7d28a1ca3d7 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml 
@@ -2,25 +2,29 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from -the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other -users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the -logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide -their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening -hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and -detected. +Identifies the execution of mount process with hidepid parameter, which can make processes invisible to +other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide +the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user +can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for +the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. +With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, +which can now be monitored and detected. 
""" from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Hidden Process via Mount Hidepid" -references = ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"] +references = [ + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", +] risk_score = 47 rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204" setup = """## Setup @@ -50,34 +54,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index d02281ab704..8acf5345e81 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml 
@@ -2,27 +2,32 @@ creation_date = "2023/03/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount ---bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to -multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack -is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a -consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also -provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The -post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute -malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. -Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. +Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of +chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot +to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. +In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. +With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, +such as Ubuntu, Fedora, and Alpine. 
PRoot also provides emulation capabilities that allow for malware built on other +architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), +can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or +orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent +it can be easily tuned to work for one. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via PRoot" -references = ["https://proot-me.github.io/"] +references = [ + "https://proot-me.github.io/", +] risk_score = 47 rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0" setup = """## Setup @@ -52,32 +57,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.name == "proot" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1211" name = "Exploitation for Defense Evasion" reference = "https://attack.mitre.org/techniques/T1211/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index 114e0492005..b1b0bd4e747 100644 
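Review bot: In the description on the new side, `to be run.The post-exploitation technique` is missing a space after the period; `to be run. The post-exploitation technique` reads correctly. The defect is also present in the removed lines, so it is not introduced by this revert, but since the paragraph is being rewritten anyway it is a cheap fix. The tags list and threat section lower in this file section are whitespace-only changes.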
--- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -2,7 +2,9 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.5.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -47,16 +49,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.action == "rename" and file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") @@ -80,5 +75,4 @@ reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml index c9061d947da..7160ee85a4a 100644 --- a/rules/linux/defense_evasion_rename_esxi_index_file.toml +++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml 
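Review bot: The new side of the final hunk ends with `\ No newline at end of file`, so `defense_evasion_rename_esxi_files.toml` now lacks a trailing newline; the same happens to `defense_evasion_rename_esxi_index_file.toml` in the next file section. TOML parsers accept this, but it differs from every other rule file in this patch and makes any future edit to the last line show up as a two-line diff. Ending the file with `reference = "https://attack.mitre.org/tactics/TA0005/"` followed by a newline keeps the two files consistent with the rest.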
@@ -2,14 +2,16 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.5.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system. -The rule monitors for the "rename" event action associated with this specific file and path, which could indicate -malicious activity. +The rule monitors for the "rename" event action associated with this specific file and path, +which could indicate malicious activity. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -47,16 +49,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and file.Ext.original.path : "/usr/lib/vmware/*" @@ -79,5 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index bda9821f54b..1a4cdb2de89 100644 
--- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -2,13 +2,15 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching -directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux +This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching +directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection. """ from = "now-9m" @@ -20,16 +22,15 @@ risk_score = 21 rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.name in ("screen", "tmux") and process.name : ( 
@@ -38,17 +39,15 @@ process.parent.name in ("screen", "tmux") and process.name : ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index 16c7da4dec3..59488c955e8 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml @@ -2,7 +2,9 @@ creation_date = "2024/02/01" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -48,17 +50,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "od" and process.args in ( 
@@ -67,17 +68,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index b629270c6cc..a19fca3f14c 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -2,7 +2,9 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.5.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -17,9 +19,7 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Find" -references = [ - "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", -] +references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"] risk_score = 47 rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f" setup = """## Setup 
@@ -49,33 +49,30 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 1affdffe0c6..961a5e07c2f 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml 
@@ -2,12 +2,14 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.5.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments +Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. @@ -17,9 +19,7 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Grep" -references = [ - "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", -] +references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"] risk_score = 47 rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4" setup = """## Setup 
@@ -49,17 +49,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("grep", "egrep", "pgrep") and process.args in ( @@ -67,17 +66,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 271cfcaaabd..d182bf29928 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -51,16 +53,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and ( (process.name:(lsmod or modinfo)) or @@ -71,15 +72,14 @@ or readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or weak-modules or zfs) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -88,8 +88,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.command_line", "process.command_line", "host.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index ac1d28f7af0..f59a8f2bdd8 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -63,33 +65,30 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("hping", "hping2", "hping3") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 9e48fc76e96..f2c110c3e2c 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -63,33 +65,30 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "nping" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml index 0fa247325c9..c7a655bd561 100644 --- a/rules/linux/discovery_ping_sweep_detected.toml +++ b/rules/linux/discovery_ping_sweep_detected.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] description = """ -This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. -Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while -attempting to evade detection or due to the lack of network mapping tools available on the compromised host. +This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. +Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while +attempting to evade detection or due to the lack of network mapping tools available on the compromised host. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
@@ -46,31 +48,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "threshold" - query = ''' event.category:process and host.os.type:linux and event.action:(exec or exec_event or executed or process_started) and event.type:start and process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -79,8 +79,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.threshold] field = ["host.id", "process.parent.entity_id", "process.executable"] value = 1 + [[rule.threshold.cardinality]] field = "process.args" value = 100 - - diff --git a/rules/linux/discovery_proc_maps_read.toml b/rules/linux/discovery_proc_maps_read.toml index fa5cc29d2ef..56c21b5fd3b 100644 --- a/rules/linux/discovery_proc_maps_read.toml +++ b/rules/linux/discovery_proc_maps_read.toml @@ -2,7 +2,9 @@ creation_date = "2024/01/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -47,15 +49,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.entry_leader.name in ( @@ -63,17 +64,15 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml index 95a14458afb..3c02f0ea084 100644 --- a/rules/linux/discovery_pspy_process_monitoring_detected.toml +++ b/rules/linux/discovery_pspy_process_monitoring_detected.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/07/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] description = """ -This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the -openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process -monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege +This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the +openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process +monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors. """ from = "now-9m" @@ -46,23 +48,22 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ] type = "eql" - query = ''' sequence by process.pid, host.id with maxspan=5s [file where host.os.type == "linux" and auditd.data.syscall == "openat" and file.path == "/proc" and auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and auditd.data.a2 : ("80000", "88000") ] with runs=10 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" 
@@ -73,9 +74,7 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index 5e29c5d85ea..f9719cca5e6 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml @@ -2,14 +2,16 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for -the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo -permissions, potentially allowing to escalate privileges to root. +This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for +the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, +potentially allowing to escalate privileges to root. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -45,15 +47,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sudo" and process.args == "-l" and process.args_count == 2 and @@ -61,17 +62,15 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish not group.Ext.real.id : "0" and not user.Ext.real.id : "0" and not process.args == "dpkg" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index 73fd48e341d..4b6179ebf8b 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/07/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID -(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the -privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case -an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this +This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID +(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the +privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In +case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program. """ from = "now-9m" 
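Review bot: The rewrapped description still opens with "SUID and SGUID permission arguments" while the very next clause spells the same permission "SGID (Set Group ID)", so the rule documents one bit under two names. "SGUID" appears to be a typo for SGID; since the commit already touches these description lines, it is the right moment to change the first line to `This rule monitors for the usage of the "find" command in conjunction with SUID and SGID permission arguments. SUID`. The file name keeps its historical spelling, which is fine as long as the rule text is consistent.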
@@ -46,17 +48,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "find" and process.args : "-perm" and process.args : ( @@ -67,36 +61,37 @@ process.name == "find" and process.args : "-perm" and process.args : ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -104,4 +99,3 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml index 76595d4412a..99dfe0b87bd 100644 --- a/rules/linux/discovery_suspicious_which_command_execution.toml +++ b/rules/linux/discovery_suspicious_which_command_execution.toml @@ -2,14 +2,16 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may -leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a -system to escalate privileges or move latteraly across the network. +This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage +the which command to enumerate the system for useful installed utilities that may be used after compromising a system to +escalate privileges or move latteraly across the network. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
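Review bot: The rewrapped description of discovery_suspicious_which_command_execution.toml keeps the misspelling "latteraly" on its last line, and that text is shown to analysts in the rule's detail view. Since the commit rewrites exactly these three lines, the last one should read `escalate privileges or move laterally across the network.`.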
@@ -20,16 +22,15 @@ risk_score = 21 rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and @@ -38,20 +39,18 @@ not process.args == "--tty-only" /* potential tuning if rule would turn out to be noisy and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") -*/ +*/ ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index 860c3e226b4..d36e05269c7 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml 
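Review bot: In the second hunk of this file (`@@ -38,20 +39,18 @@`) the commented-out tuning block inside the query still contains `nc.traditional"` with no opening quote, and the only change the commit makes to that block is the trailing space added to `*/`. The block is inert today, but the moment someone uncomments it to reduce noise the EQL will fail to parse on that token, so the fix is worth taking now: `and process.args in ("nmap", "nc", "ncat", "netcat", "nc.traditional", "gcc", "g++", "socat") and`. Dropping the trailing whitespace on the restored `*/` line would also avoid a needless diff against the formatter output.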
@@ -2,13 +2,15 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This -behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These +behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the "id" command to enumerate the privileges of all users present on the system. """ from = "now-9m" @@ -44,15 +46,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -60,17 +55,15 @@ sequence by host.id, process.parent.entity_id with maxspan=1s not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index 62990271aa5..58b5f00493c 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -62,14 +64,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index ebd86e57f93..8ce0819392b 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -2,7 +2,9 @@ creation_date = "2022/05/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -98,15 +100,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -124,15 +126,14 @@ vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or met not file.name : (jem.*.pid) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -141,8 +142,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml index 668a851f9f6..ae5eff02ebe 100644 --- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml +++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml 
@@ -2,18 +2,20 @@ creation_date = "2023/10/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." +min_stack_version = "8.6.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction +Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow -during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be -executed with and without the use of environment variables. For increased visibility, enable the collection of -http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of -this rule. +during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed +with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, +HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule. """ + from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" @@ -22,7 +24,7 @@ name = "Potential curl CVE-2023-38545 Exploitation" references = [ "https://curl.se/docs/CVE-2023-38545.html", "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", - "https://twitter.com/_JohnHammond/status/1711986412554531015", + "https://twitter.com/_JohnHammond/status/1711986412554531015" ] risk_score = 47 rule_id = "f41296b4-9975-44d6-9486-514c6f635b2d" 
@@ -66,16 +68,15 @@ For more information on capturing environment variables refer to the [helper gui """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Use Case: Vulnerability", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl" and ( @@ -86,17 +87,15 @@ not process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "a not process.args == "/opt/rudder/bin/curl" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index c6b2f93a4b1..a65032f833e 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml 
@@ -2,13 +2,15 @@
creation_date = "2023/08/28"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a
-directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute
+directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute
malicious code and delete itself to hide its tracks.
"""
from = "now-9m"
@@ -44,15 +46,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
-
query = ''' sequence by host.id, user.id with maxspan=1m [file where host.os.type == "linux" and event.action == "creation" and
@@ -66,22 +61,20 @@ sequence by host.id, user.id with maxspan=1m
"/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
index 4e0c64c9bb5..56c2f746912 100644
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
+++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -2,7 +2,9 @@
creation_date = "2020/02/18"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -109,14 +111,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
type = "eql"
query = '''
diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml
index 791a62e3941..d607c959f17 100644
--- a/rules/linux/execution_interpreter_tty_upgrade.toml
+++ b/rules/linux/execution_interpreter_tty_upgrade.toml
@@ -2,13 +2,15 @@
creation_date = "2023/09/20"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
[rule]
author = ["Elastic"]
description = """
-Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a
-simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more
+Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade
+a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more
stable connection.
"""
from = "now-9m"
@@ -44,17 +46,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
timestamp_override = "event.ingested"
+tags = ["Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
type = "eql"
-
query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or
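Review bot: The restored `[metadata]` block here lists `updated_date` before `min_stack_comments`/`min_stack_version`, whereas the other files in this change (execution_nc_listener_via_rlwrap.toml, execution_file_execution_followed_by_deletion.toml, execution_shell_via_child_tcp_utility_linux.toml, among others) put `updated_date` last; execution_potential_hack_tool_executed.toml and execution_python_tty_shell.toml share this file's order. The same file also restores `tags` after `timestamp_override`, while most sibling rules keep `tags` before it. Both orderings are inherited by the revert rather than introduced by it, but if these files are touched again, one key order across rules (e.g. `min_stack_comments`, `min_stack_version`, `updated_date`) would make the min_stack fields easier to review and grep.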
@@ -63,22 +63,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml
index d629fd28e01..bda20e74850 100644
--- a/rules/linux/execution_nc_listener_via_rlwrap.toml
+++ b/rules/linux/execution_nc_listener_via_rlwrap.toml
@@ -2,13 +2,15 @@
creation_date = "2023/09/22"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses
-the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction
+the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction
with netcat to gain a more stable reverse shell.
"""
false_positives = [
@@ -52,39 +54,35 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
-]
+tags = ["Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ]
timestamp_override = "event.ingested"
type = "eql"
-
query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and process.args : "*l*" and process.args_count >= 4
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
index 205b2b1e18a..24d545add14 100644
--- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
+++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
@@ -2,24 +2,28 @@
creation_date = "2024/03/13"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
+min_stack_version = "8.6.0"
+updated_date = "2024/03/13"
[rule]
author = ["Elastic"]
description = """
-Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a
+Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a
network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many
-cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed
-thoroughly.
+cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed
+thoroughly.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection from Binary with RWX Memory Region"
-references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"]
+references = [
+ "https://man7.org/linux/man-pages/man2/mprotect.2.html"
+]
risk_score = 47
rule_id = "32300431-c2d5-432d-8ec8-0e03f9924756"
setup = """## Setup
@@ -41,16 +45,15 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
"""
severity = "medium"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Auditd Manager",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager"
+ ]
timestamp_override = "event.ingested"
type = "eql"
-
query = ''' sample by host.id, process.pid, process.name /* auditd.data.a2 == "7" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */
@@ -59,34 +62,33 @@ sample by host.id, process.pid, process.name
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
[rule.threat.tactic]
-id = "TA0011"
name = "Command and Control"
+id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml
index f35e2868e42..e1f236cfb81 100644
--- a/rules/linux/execution_network_event_post_compilation.toml
+++ b/rules/linux/execution_network_event_post_compilation.toml
@@ -2,13 +2,15 @@
creation_date = "2023/08/28"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
-This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network
-connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server.
+This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network
+connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server.
Attackers may spawn reverse shells to establish persistence onto a target system.
"""
from = "now-9m"
@@ -45,14 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend"
+ ]
type = "eql"
-
query = ''' sequence by host.id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -63,34 +64,33 @@ sequence by host.id with maxspan=1m
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
[rule.threat.tactic]
-id = "TA0011"
name = "Command and Control"
+id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index e8399decc4a..35a7229b11d 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -2,7 +2,9 @@
creation_date = "2020/04/16"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -55,14 +57,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
"""
severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml
index 345349b911a..7f496983ab4 100644
--- a/rules/linux/execution_potential_hack_tool_executed.toml
+++ b/rules/linux/execution_potential_hack_tool_executed.toml
@@ -2,12 +2,14 @@
creation_date = "2023/09/22"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
[rule]
author = ["Elastic"]
description = """
-Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from
+Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from
this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.
"""
@@ -45,18 +47,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Auditd Manager",
-]
timestamp_override = "event.ingested"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager"
+ ]
type = "eql"
-
query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in (
@@ -77,7 +78,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -85,4 +85,3 @@ framework = "MITRE ATT&CK"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml
index 2cc5578a982..cbe81a44d46 100644
--- a/rules/linux/execution_process_started_from_process_id_file.toml
+++ b/rules/linux/execution_process_started_from_process_id_file.toml
@@ -2,7 +2,9 @@
creation_date = "2022/05/11"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -66,15 +68,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "high"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Threat: BPFDoor",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Auditd Manager",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Threat: BPFDoor",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager"
+ ]
timestamp_override = "event.ingested"
type = "eql"
@@ -83,17 +85,15 @@ process where host.os.type == "linux" and event.type == "start" and user.id == "
process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
-
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml
index f3f896a29d3..fa6d47407d7 100644
--- a/rules/linux/execution_process_started_in_shared_memory_directory.toml
+++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml
@@ -2,7 +2,9 @@
creation_date = "2022/05/10"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/13"
[rule]
author = ["Elastic"]
@@ -57,14 +59,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "high"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Threat: BPFDoor",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Threat: BPFDoor",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
timestamp_override = "event.ingested"
type = "eql"
@@ -75,15 +77,14 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/
"/var/run/argo/argoexec") and not process.parent.command_line : "/usr/bin/runc init"
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
-
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index 04af725fae9..e419b51a46a 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -2,7 +2,9 @@
creation_date = "2020/04/15"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
[rule]
author = ["Elastic"]
@@ -43,15 +45,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
timestamp_override = "event.ingested"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
type = "eql"
query = '''
@@ -64,22 +66,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
-
-
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml
index 37031b2bf7d..f5db5c61332 100644
--- a/rules/linux/execution_remote_code_execution_via_postgresql.toml
+++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml
@@ -2,16 +2,18 @@
creation_date = "2022/06/20"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
-This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a
-PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public
-facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks,
-which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for
-unauthorized access and malicious actions.
+This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within
+a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a
+public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection
+attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities
+for unauthorized access and malicious actions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -46,14 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
timestamp_override = "event.ingested"
type = "eql"
@@ -65,22 +66,20 @@ user.name == "postgres" and (
) and not process.parent.name : "puppet"
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index 648294234e5..b3bef3b27d8 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -2,13 +2,15 @@
creation_date = "2022/05/06"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
description = """
-Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive
-system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator,
+Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive
+system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator,
and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.
"""
from = "now-9m"
@@ -125,17 +127,9 @@ Session View uses process data collected by the Elastic Defend integration, but
For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
-
query = ''' process where host.os.type == "linux" and event.type == "start" and (
@@ -190,22 +184,20 @@ process where host.os.type == "linux" and event.type == "start" and
)
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml
index 2c768bc4152..43075372068 100644
--- a/rules/linux/execution_shell_via_background_process.toml
+++ b/rules/linux/execution_shell_via_background_process.toml
@@ -2,13 +2,15 @@
creation_date = "2023/09/20"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
-Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp
-channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
+Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp
+channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -43,51 +45,49 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
-]
timestamp_override = "event.ingested"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ]
type = "eql"
-
query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
[rule.threat.tactic]
-id = "TA0011"
name = "Command and Control"
+id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
index dcbcb5da900..0369a74e6ca 100644
--- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
+++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
@@ -2,7 +2,9 @@
creation_date = "2023/11/02"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/17"
[rule]
author = ["Elastic"]
@@ -17,7 +19,7 @@ language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Child"
references = [
- "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "2138bb70-5a5e-42fd-be5e-b38edf6a6777"
@@ -50,14 +52,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend"
+ ]
type = "eql"
-
query = ''' sequence by host.id, process.entity_id with maxspan=5s [network where event.type == "start" and host.os.type == "linux" and
@@ -70,34 +71,33 @@ sequence by host.id, process.entity_id with maxspan=5s )] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml index 8294a0bd405..ef459002a9a 100644 --- a/rules/linux/execution_shell_via_java_revshell_linux.toml +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/13" [rule] author = ["Elastic"] 
@@ -16,7 +18,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Java" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd" @@ -47,14 +49,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id with maxspan=5s [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and 
@@ -76,34 +77,33 @@ sequence by host.id with maxspan=5s )] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index 4d5cb20854a..a01e4390428 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/13" [rule] author = ["Elastic"] description = """ -This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by -the specified utilities that are initialized from a single process followed by a network connection attempt will be +This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by +the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" @@ -17,7 +19,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Suspicious Child Process" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee" @@ -48,14 +50,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and ( 
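Review bot: The `description` part of the `@@ -2,13 +2,15 @@` hunk changes nothing but trailing whitespace — the lines ending in `spawned by` and `will be` come back with a trailing space — and because they sit inside the `"""` multi-line string, those spaces become part of the description value shipped with the rule. If the intent of the revert is only to restore the min_stack fields, keeping the trimmed lines avoids re-introducing that noise. The same whitespace-only description changes appear in the meterpreter, suspicious-binary, udp, system-commands and mprotect hunks.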
@@ -85,34 +86,33 @@ sequence by host.id, process.entity_id with maxspan=1s destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml index 789d77cf14f..d8400c11b21 100644 --- a/rules/linux/execution_shell_via_meterpreter_linux.toml +++ b/rules/linux/execution_shell_via_meterpreter_linux.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/08/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" +min_stack_version = "8.6.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] description = """ -This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged +This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting -this pattern is indicative of a successful meterpreter shell connection. +this pattern is indicative of a successful meterpreter shell connection. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -58,15 +60,14 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' sample by host.id, process.pid, user.id [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"] 
@@ -76,34 +77,33 @@ sample by host.id, process.pid, user.id [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/if_inet6"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index 3e79f5cfac4..47e3831d96c 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/07/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being -spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish +spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" @@ -18,7 +20,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Suspicious Binary" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f" @@ -49,14 +51,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1s [ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -78,34 +79,33 @@ sequence by host.id, process.entity_id with maxspan=1s process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" \ No newline at end of file diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index 56c51e0f506..5d69e71986d 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/17" [rule] author = ["Elastic"] 
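Review bot: The new side of execution_shell_via_suspicious_binary.toml ends without a trailing newline (`\ No newline at end of file` after `+reference = "https://attack.mitre.org/techniques/T1071/"`), while every other rule file in this series ends with one. Adding the final newline keeps the file in line with its siblings and stops that last line from showing up as changed on the next edit.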
@@ -17,7 +19,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3" @@ -48,14 +50,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id with maxspan=5s [network where event.type == "start" and host.os.type == "linux" and 
@@ -68,34 +69,33 @@ sequence by host.id with maxspan=5s )] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml index 0a453512b3b..0f609ef4385 100644 --- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/07/04" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" +min_stack_version = "8.6.0" +updated_date = "2024/03/13" [rule] author = ["Elastic"] description = """ -This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This +This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the -auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux +auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly. """ from = "now-9m" @@ -18,7 +20,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via UDP" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037" @@ -63,11 +65,10 @@ tags = [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", - "Tactic: Execution", -] + "Tactic: Execution" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' sample by host.id, process.pid, process.parent.pid [process where host.os.type == "linux" and event.type == "start" and event.action == "executed" and process.name : ( 
@@ -86,34 +87,33 @@ sample by host.id, process.pid, process.parent.pid not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index 95c59d6022f..0f19dd5052c 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -2,7 +2,9 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -17,7 +19,9 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Content Extracted or Decompressed via Funzip" -references = ["https://attack.mitre.org/software/S0482/"] +references = [ + "https://attack.mitre.org/software/S0482/" +] risk_score = 47 rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66" setup = """## Setup @@ -46,17 +50,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.action in ("exec", "exec_event") and ((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and 
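Review bot: `tags` is collapsed onto a single line here (`+tags = ["Domain: Endpoint", "OS: Linux", …]`) while the other rules in this series keep one tag per line, and in the same file the one-element `references` list is expanded to three lines. The openssl and system-commands hunks collapse `tags` the same way, and the mprotect hunk expands `references` the same way. Using the one-entry-per-line layout that the rest of the set uses for both lists keeps future tag or reference additions to one-line diffs.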
@@ -65,39 +61,38 @@ not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xa not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] -id = "T1059.004" name = "Unix Shell" +id = "T1059.004" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Defense Evasion" +id = "TA0005" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique]] -id = "T1027" name = "Obfuscated Files or Information" +id = "T1027" reference = "https://attack.mitre.org/techniques/T1027/" [[rule.threat.technique]] -id = "T1140" name = "Deobfuscate/Decode Files or Information" +id = "T1140" reference = "https://attack.mitre.org/techniques/T1140/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index 39074a87aef..f0bf6422447 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ This rule monitors for the execution of several commonly used system commands executed by a previously unknown -executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially -malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. -Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the +executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially +malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. +Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. """ from = "now-9m" @@ -46,14 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -69,30 +64,28 @@ process.executable:( not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] -id = "T1059" name = "Command and Scripting Interpreter" +id = "T1059" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] -id = "T1059.004" name = "Unix Shell" +id = "T1059.004" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index 6578d9e15bd..35ee9d990ea 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/08" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -44,37 +46,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.service", "pnsd.service", "apache4.service", "pastebin.service", "xvf.service") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] -id = "T1059" name = "Command and Scripting Interpreter" +id = "T1059" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] -id = "T1059.004" name = "Unix Shell" +id = "T1059.004" reference = "https://attack.mitre.org/techniques/T1059/004/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 1422ba8d48e..80dbb34e51f 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2022/07/11" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" +integration = ["endpoint"] [rule] author = ["Elastic"] 
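Review bot: In execution_tc_bpf_filter.toml the `@@ -1,8 +1,10 @@` hunk moves `integration = ["endpoint"]` to the end of `[metadata]`, after `updated_date`, whereas every other rule in this series keeps it directly after `creation_date`. Restoring the order `creation_date = "2022/07/11"` / `integration = ["endpoint"]` / `maturity = "production"` keeps the metadata keys consistent with the sibling files.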
@@ -50,14 +52,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: TripleCross", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: TripleCross", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -67,22 +69,20 @@ process.args == "filter" and process.args == "add" and process.args == "bpf" and not process.parent.executable == "/usr/sbin/libvirtd" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml index 27ee5bebed4..28e6322f5f2 100644 --- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml +++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml @@ -2,7 +2,9 @@ creation_date = "2024/03/13" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/03/13" [rule] author = ["Elastic"] 
@@ -11,14 +13,16 @@ Monitors for the execution of a previously unknown unix binary with read, write The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases -overly permissive, and should be analyzed thoroughly. +overly permissive, and should be analyzed thoroughly. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Unknown Execution of Binary with RWX Memory Region" -references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"] +references = [ + "https://man7.org/linux/man-pages/man2/mprotect.2.html" +] risk_score = 47 rule_id = "23bcd283-2bc0-4db2-81d4-273fc051e5c0" setup = """## Setup 
@@ -40,43 +44,40 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index 2e7a762d6bc..f2d6c90908f 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -2,7 +2,9 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -17,8 +19,8 @@ language = "eql" license = "Elastic License v2" name = "Suspicious Data Encryption via OpenSSL Utility" references = [ - "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", - "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html", + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html", ] risk_score = 47 rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73" @@ -48,15 +50,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id, user.name, process.parent.entity_id with maxspan=5s [ process where host.os.type == "linux" and event.action == "exec" and @@ -67,17 +62,15 @@ sequence by host.id, user.name, process.parent.entity_id with maxspan=5s not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10 ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1486" -name = "Data Encrypted for Impact" -reference = "https://attack.mitre.org/techniques/T1486/" - [rule.threat.tactic] -id = "TA0040" name = "Impact" +id = "TA0040" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat.technique]] +name = "Data Encrypted for Impact" +id = "T1486" +reference = "https://attack.mitre.org/techniques/T1486/" 
diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml index bc58c8a9c8c..8b90034686f 100644 --- a/rules/linux/impact_esxi_process_kill.toml +++ b/rules/linux/impact_esxi_process_kill.toml @@ -2,15 +2,17 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.5.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] description = """ -Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system by a "kill" -command. The rule monitors for the "end" event type, which signifies the termination of a process. The presence of a -"kill" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to -interfere with the virtualized environment on the targeted system. +Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system +by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process. +The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a +threat actor is attempting to interfere with the virtualized environment on the targeted system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -49,32 +51,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx") and process.parent.name == "kill" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml index ad559bb91c5..f88c579f28c 100644 --- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml +++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml 
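Review bot: The query in this hunk requires `process.parent.name == "kill"` on the `end` event of vmware-vmx/vmx, but a terminated process's parent is whatever spawned it, not the process that sent the signal, and in bash `kill` is a builtin that never appears as a process at all; unless Elastic Defend or Endgame attribute end events to the signaller (I cannot confirm that from here), this condition will rarely be true for a real kill. The more reliable signal is the exec of the signalling tool: `pkill`/`killall` carry the target name in `process.args`, e.g. `process.name in ("pkill", "killall") and process.args : ("vmware-vmx", "vmx")`, while plain `kill` takes PIDs and needs a sequence by host.id correlating that exec with the vmx end event within a short maxspan. Worth validating the current query against a test termination before relying on it.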
@@ -2,15 +2,17 @@ creation_date = "2023/03/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] description = """ -This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same -process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands -payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack -is the mass encryption of the file system, after which a new file extension is added to the file. +This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same +process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and +demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware +attack is the mass encryption of the file system, after which a new file extension is added to the file. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -46,14 +48,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by process.entity_id, host.id with maxspan=1s [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" 
@@ -70,17 +71,15 @@ sequence by process.entity_id, host.id with maxspan=1s ] with runs=25 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index c7ffba1b304..347b2c6a512 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -2,16 +2,18 @@ creation_date = "2023/03/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] description = """ -This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a -file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of +This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with +a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a -new file extension is added to the file. +new file extension is added to the file. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -47,14 +49,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by process.entity_id, host.id with maxspan=1s [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" @@ -74,17 +75,15 @@ sequence by process.entity_id, host.id with maxspan=1s ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index 3115bb5696b..dcbc680f361 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -2,11 +2,15 @@ creation_date = "2022/07/27" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] -description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n" +description = """ +This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. +""" from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" 
@@ -74,31 +78,30 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] -timestamp_override = "event.ingested" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" @@ -107,4 +110,3 @@ reference = "https://attack.mitre.org/tactics/TA0040/" [rule.threshold] field = ["host.id", "process.executable", "user.name"] value = 10 - diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index a09d873ebb1..c84fb498998 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/09/21" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's -autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. +Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's +autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -46,17 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("curl", "wget") and process.args : ( 
@@ -65,32 +66,30 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" + [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index b994203c66d..f2186f9954b 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] @@ -65,14 +67,13 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by process.entity_id [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"] 
@@ -86,17 +87,15 @@ sequence by process.entity_id
]
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
-
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index 9775b55351f..b50c4c107d8 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -2,7 +2,9 @@ creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
@@ -65,14 +67,13 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "medium"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend"
+ ]
type = "eql"
-
query = '''
sequence by process.entity_id
[process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
@@ -86,17 +87,15 @@ sequence by process.entity_id
]
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
-
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 30d1a3012de..97a17fe29ae 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2024/02/01" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" +integration = ["endpoint"] [rule] author = ["Elastic"] @@ -48,16 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -72,9 +73,9 @@ sequence by host.id with maxspan=5s ] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
@@ -85,28 +86,29 @@ id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
-
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
+
[[rule.threat]]
framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -114,4 +116,3 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml
index f61fea40231..696c037e108 100644
--- a/rules/linux/persistence_apt_package_manager_netcon.toml
+++ b/rules/linux/persistence_apt_package_manager_netcon.toml
@@ -1,14 +1,16 @@ [metadata] creation_date = "2024/02/01" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" +integration = ["endpoint"] [rule] author = ["Elastic"] description = """ -Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT -backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based +Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an +APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management. @@ -48,16 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Command and Control", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -69,9 +70,9 @@ sequence by host.id with maxspan=5s ] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -82,11 +83,11 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -94,6 +95,7 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -101,4 +103,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 040bc52f6ed..a5905a23379 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2022/07/22" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/13" +integration = ["endpoint"] [transform] [[transform.osquery]] 
@@ -12,11 +14,20 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE -'/etc/rc%.d/%') +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%') """ [[transform.osquery]] @@ -43,13 +54,12 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has -either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run +either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. """ from = "now-9m" 
@@ -132,7 +142,9 @@ This rule monitors the usage of the `chkconfig` binary to manually add a service - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"] +references = [ + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" +] risk_score = 47 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6" setup = """## Setup @@ -162,14 +174,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Lightning Framework", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -183,22 +195,20 @@ not process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "up not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
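Review bot: The exclusion at the top of the last hunk, `not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*")`, silences the rule for any parent whose arguments match a glob under /var/tmp, a world-writable directory; a local user can drop a script at `/var/tmp/rpm-x`, run `chkconfig --add` from it, and the alert never fires. If the goal is to skip rpm scriptlets (`/var/tmp/rpm-tmp.XXXXXX`), narrowing the glob to `/var/tmp/rpm-tmp.*` reduces but does not remove the bypass, so either keep only the `process.parent.name` exclusion the hunk header shows or document the accepted false negative in a rule comment. The query starts outside this hunk, so other narrowing clauses may exist that I cannot see.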
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 7a8e8107c31..d50db9ab003 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ @@ -146,18 +147,17 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "query" - query = ''' event.category:file and host.os.type:linux and event.type:change and process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and 
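Review bot: The exclusion on the new side, `process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python))`, keys only on `process.name`, which the writer chooses: copying a tool to `./yum`, or running the tampering from a script called `rpm`, satisfies the exclusion and silences the rule for every monitored SSH binary. Where package-manager updates are the intended exception, anchor it on `process.executable` paths (`/usr/bin/yum`, `/usr/bin/dpkg`, …) the way the rule already does for `/usr/share/elasticsearch/*` later in the query, or on the package manager as parent. `anacron` and `platform-python` are broad enough to also cover a cron-driven implant; a short comment in the rule explaining why they are excluded would help the next reviewer. The query continues past this hunk.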
@@ -169,56 +169,56 @@ event.category:file and host.os.type:linux and event.type:change and not process.executable:/usr/share/elasticsearch/* ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" + [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 875666ccf5a..8f52ebce84e 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml 
@@ -2,33 +2,59 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE -'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE -'/etc/cron.monthly/%' ) +SELECT * FROM file WHERE ( + path LIKE '/etc/cron.allow.d/%' OR + path LIKE '/etc/cron.d/%' OR + path LIKE '/etc/cron.hourly/%' OR + path LIKE '/etc/cron.daily/%' OR + path LIKE '/etc/cron.weekly/%' OR + path LIKE '/etc/cron.monthly/%' +) """ - [[transform.osquery]] label = "Osquery - Retrieve rc-local.service File Information" query = """ -SELECT * FROM file WHERE ( path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab' OR path = -'/usr/sbin/cron' OR path = '/usr/sbin/anacron' ) +SELECT * FROM file WHERE ( + path = '/etc/cron.allow' OR + path = '/etc/cron.deny' OR + path = '/etc/crontab' OR + path = '/usr/sbin/cron' OR + path = '/usr/sbin/anacron' +) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE -'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR -path LIKE 
'/etc/cron.monthly/%' ) +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( + path LIKE '/etc/cron.allow.d/%' OR + path LIKE '/etc/cron.d/%' OR + path LIKE '/etc/cron.hourly/%' OR + path LIKE '/etc/cron.daily/%' OR + path LIKE '/etc/cron.weekly/%' OR + path LIKE '/etc/cron.monthly/%' +) """ [[transform.osquery]] @@ -51,7 +77,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ @@ -135,7 +160,7 @@ This rule monitors the creation of previously unknown cron jobs by monitoring fo - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" ] risk_score = 47 rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9" 
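Review bot: The second osquery transform on the new side carries `label = "Osquery - Retrieve rc-local.service File Information"`, yet its query lists `/etc/cron.allow`, `/etc/cron.deny`, `/etc/crontab`, `/usr/sbin/cron` and `/usr/sbin/anacron`, so the heading an analyst sees in the investigation guide names the wrong artifact and looks copied from an rc.local rule. Rename it to something like `label = "Osquery - Retrieve Cron Configuration and Binary File Information"` so the label matches the query it introduces. The label is an unchanged context line, so the revert restores the mislabel rather than creating it; the fix is independent of the reformatting this hunk performs.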
@@ -166,18 +191,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or 
@@ -192,54 +216,55 @@ and not ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -248,8 +273,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index bc8cf7caff4..ff7bf2fbdf8 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml 
@@ -1,27 +1,48 @@ [metadata] creation_date = "2022/07/12" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/19" +integration = ["endpoint"] + [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( path = '/etc/ld.so.preload' OR path = '/lib64/ld-linux-x86-64.so.2' OR path = -'/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = '/usr/lib64/ld-linux-x86-64.so.2' OR path = -'/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' ) +SELECT * FROM file WHERE ( + path = '/etc/ld.so.preload' OR + path = '/lib64/ld-linux-x86-64.so.2' OR + path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR + path = '/usr/lib64/ld-linux-x86-64.so.2' OR + path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' +) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path = '/etc/ld.so.preload' OR path = -'/lib64/ld-linux-x86-64.so.2' OR path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = -'/usr/lib64/ld-linux-x86-64.so.2' OR path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' ) +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS 
file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( + path = '/etc/ld.so.preload' OR + path = '/lib64/ld-linux-x86-64.so.2' OR + path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR + path = '/usr/lib64/ld-linux-x86-64.so.2' OR + path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' +) """ [[transform.osquery]] @@ -44,14 +65,13 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ -Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup -copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to -inject and preload a malicious shared object file. This activity should never occur and if it does then it should be -considered highly suspicious or malicious. +Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a +backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in +order to inject and preload a malicious shared object file. This activity should never occur and if it does then it +should be considered highly suspicious or malicious. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
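Review bot: Both osquery triage queries restored on the new side enumerate only the x86-64 loader (`/lib64/ld-linux-x86-64.so.2`, `/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2` and their `/usr` counterparts), so on an aarch64 host the investigation step returns no rows even though the EQL sequence that fires the alert, which lies partly outside this hunk, does not appear to be architecture-specific. If ARM Linux endpoints are in scope, add the matching aarch64 loader paths (for example `/lib/ld-linux-aarch64.so.1`) to both `WHERE` clauses, or record the x86-64 assumption in the transform labels. Separately, the metadata block now orders `integration = ["endpoint"]` after `updated_date`, while every other rule file in this diff keeps `integration` ahead of `maturity`; restoring that order avoids a spurious diff the next time the header is touched.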
@@ -125,7 +145,9 @@ The detection rule 'Dynamic Linker Copy' is designed to identify such abuse by m - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"] +references = [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" +] risk_score = 73 rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0" setup = """## Setup @@ -155,13 +177,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Orbit", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' @@ -174,20 +196,19 @@ sequence by process.entity_id with maxspan=1m [file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index 36ed51d363e..a8f67c739c7 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml 
@@ -2,26 +2,49 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' -OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE -'/usr/lib/systemd/system/%' ) +SELECT * FROM file WHERE ( + path LIKE '/etc/ld.so.conf.d/%' OR + path LIKE '/etc/cron.d/%' OR + path LIKE '/etc/sudoers.d/%' OR + path LIKE '/etc/rc%.d/%' OR + path LIKE '/etc/init.d/%' OR + path LIKE '/etc/systemd/system/%' OR + path LIKE '/usr/lib/systemd/system/%' +) """ - [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE -'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE -'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' ) +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes 
+FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( + path LIKE '/etc/ld.so.conf.d/%' OR + path LIKE '/etc/cron.d/%' OR + path LIKE '/etc/sudoers.d/%' OR + path LIKE '/etc/rc%.d/%' OR + path LIKE '/etc/init.d/%' OR + path LIKE '/etc/systemd/system/%' OR + path LIKE '/usr/lib/systemd/system/%' +) """ [[transform.osquery]] @@ -48,7 +71,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ @@ -135,7 +157,7 @@ This rule monitors for the creation of the most common system-wide configuration """ references = [ "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", - "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/", + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" ] risk_score = 47 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042" @@ -166,18 +188,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Orbit", - "Threat: Lightning Framework", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.id == "0" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", 
@@ -192,76 +213,76 @@ file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/r ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" - -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" - - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - -[rule.threat.tactic] -id = "TA0002" -name = 
"Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index 6bded3ec8e1..1af1b17782b 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,7 +2,9 @@ creation_date = "2023/03/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] 
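Review bot: Each restored `[[rule.threat]]` entry in this hunk places `[rule.threat.tactic]` before its `[[rule.threat.technique]]` tables, whereas every other rule touched by this commit (the SSH-binaries, cron, dynamic-linker, init.d, insmod and KDE files) puts the tactic table after the techniques. The order is valid TOML, since `[rule.threat.tactic]` and `[[rule.threat.technique]]` both attach to the most recent `[[rule.threat]]` element, but the mixed layout makes the ATT&CK mapping harder to eyeball and to diff against its siblings. Consider moving the three `[rule.threat.tactic]` blocks below their technique lists, and inserting the blank line before the `[[rule.threat.technique]]` for T1543 that the other technique entries appear to have.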
@@ -16,11 +18,20 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/
 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
 query = """
-SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
-file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
-file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
-JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE
-'/run/systemd/generator.late/%')
+SELECT
+ f.path,
+ u.username AS file_owner,
+ g.groupname AS group_owner,
+ datetime(f.atime, 'unixepoch') AS file_last_access_time,
+ datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+ datetime(f.btime, 'unixepoch') AS file_created_time,
+ f.size AS size_bytes
+FROM
+ file f
+ LEFT JOIN users u ON f.uid = u.uid
+ LEFT JOIN groups g ON f.gid = g.gid
+WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')
 """
 
 [[transform.osquery]]
@@ -31,14 +42,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts -or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" -can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the -/etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. +or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the +"systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or +alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence +on the system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -110,7 +121,8 @@ This rule looks for the creation of new files within the `/etc/init.d/` director references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", - "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" + ] risk_score = 47 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b" 
@@ -141,17 +153,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and file.path : /etc/init.d/* and not ( @@ -164,15 +175,14 @@ file.path : /etc/init.d/* and not ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -181,8 +191,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.name", "host.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index 60f5ef56b26..866b0d00050 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -2,7 +2,9 @@ creation_date = "2022/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] 
@@ -29,7 +31,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
 label = "Osquery - Investigate the Account Authentication Status"
 query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -116,7 +117,7 @@ The detection rule 'Kernel module load via insmod' is designed to identify insta
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = [
- "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/",
+ "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"
 ]
 risk_score = 47
 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
@@ -147,38 +148,35 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Rootkit", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Rootkit", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index bebb8f3e449..34f92ac319f 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml 
@@ -2,51 +2,68 @@ creation_date = "2021/01/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/19" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' -OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE -'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' -OR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE -'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE -'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE -'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE -'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE -'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE -'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE -'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE -'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE -'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE -'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE -'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' ) +SELECT * FROM file WHERE 
( + path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR + path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR + path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR + path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR + path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR + path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR + path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR + path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR + path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR + path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR + path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR + path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR + path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR + path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR + path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR + path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' +) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS 
file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR -path LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE -'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE -'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE -'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE -'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE -'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE -'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE -'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE -'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE -'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE -'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE -'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE -'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE -'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE -'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' ) +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 
'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( + path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR + path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR + path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR + path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR + path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR + path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR + path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR + path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR + path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR + path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR + path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR + path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR + path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR + path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR + path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR + path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' +) """ [[transform.osquery]] 
@@ -73,7 +90,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ @@ -196,13 +212,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -224,15 +240,14 @@ file where host.os.type == "linux" and event.type != "deletion" and "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_kernel_driver_load.toml b/rules/linux/persistence_kernel_driver_load.toml index 97ba74fa43d..e727ca8e00a 100644 --- a/rules/linux/persistence_kernel_driver_load.toml +++ b/rules/linux/persistence_kernel_driver_load.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/10/26" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] description = """ -Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to +Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other -rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap -that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager. +rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap +that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] 
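Review bot: `updated_date` moves backwards in this hunk, from "2024/05/21" to "2024/02/22", even though the file's content changes in this commit (the `min_stack_comments`/`min_stack_version` keys are re-added and the description lines are rewritten). If the repository's metadata checks or version-lock handling expect `updated_date` to advance whenever a rule's content changes, this will presumably be flagged; I would set it to the date of this change instead, e.g. `updated_date = "<date-of-this-change>"`. The same backwards `updated_date` appears in every other rule file touched in this range (persistence_kernel_driver_load_by_non_root, persistence_kworker_file_creation, persistence_linux_backdoor_user_creation, persistence_linux_group_creation, persistence_linux_shell_activity_via_web_server, persistence_linux_user_account_creation, persistence_linux_user_added_to_privileged_group, persistence_message_of_the_day_creation, persistence_message_of_the_day_execution and persistence_rc_script_creation). Separately, the rewritten description lines appear to differ from the removed ones only in reintroduced trailing whitespace (clearest in the next file's hunk, `-auditd_manager.` vs `+auditd_manager. `), which a formatting pass would strip again.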
@@ -42,49 +44,47 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml index 216b6be53ed..24f6c7291e5 100644 --- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml +++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml 
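Review bot: The re-added `[[rule.threat.technique]]` for T1014 is placed after `[rule.threat.tactic]` inside the second `[[rule.threat]]` entry, and its keys are ordered `name`, `id`, `reference`. TOML still attaches the technique to that same threat entry, so the parsed rule is unchanged, but the layout inverts the technique-before-tactic, `id`-first order that the first `[[rule.threat]]` entry in this very hunk uses, and the removed lines show the canonical form. I would keep the block in its removed position and key order: `[[rule.threat.technique]]` / `id = "T1014"` / `name = "Rootkit"`. The hunks for persistence_kernel_driver_load_by_non_root.toml and persistence_kworker_file_creation.toml carry the same reordering.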
@@ -2,7 +2,9 @@ creation_date = "2024/01/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ Detects the loading of a Linux kernel module by a non-root user through system c kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through -auditd_manager. +auditd_manager. """ from = "now-9m" index = ["logs-auditd_manager.auditd-*"] 
@@ -48,49 +50,48 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" + diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index d9e80c23b3c..bc4c38f8a4d 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml 
@@ -2,20 +2,33 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/17" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" -query = "SELECT * FROM file WHERE path = {{file.path}}\n" - +query = """ +SELECT * FROM file WHERE path = {{file.path}} +""" [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}} +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE path = {{file.path}} """ [[transform.osquery]] 
@@ -42,11 +55,10 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ -This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, +This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. @@ -153,16 +165,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and process.name : "kworker*" and not ( 
@@ -171,29 +182,29 @@ file where host.os.type == "linux" and event.action in ("creation", "file_create ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" + diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index cf4f8a430af..bb0e1ebe66b 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -2,15 +2,14 @@ creation_date = "2023/03/07" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] label = "Osquery - Retrieve User Accounts with a UID of 0" -query = """ -SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE -'0' -""" +query = "SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'" [[transform.osquery]] label = "Osquery - Retrieve Running Processes by User" 
@@ -28,11 +27,10 @@ query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" label = "Osquery - Retrieve Information for a Specific Group" query = "SELECT * FROM groups WHERE groupname = {{group.name}}" - [rule] author = ["Elastic"] description = """ -Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to +Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. """ from = "now-9m" @@ -116,39 +114,36 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml index be5b7c048d5..8bdadc05c05 100644 --- a/rules/linux/persistence_linux_group_creation.toml +++ b/rules/linux/persistence_linux_group_creation.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -21,10 +23,11 @@ query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" - [rule] author = ["Elastic"] -description = "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.\n" +description = """ +Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system. +""" from = "now-9m" index = ["filebeat-*", "logs-system.auth-*"] language = "eql" 
@@ -100,37 +103,28 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" - query = ''' iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and process.name in ("groupadd", "addgroup") and group.name != null ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index 42ea56ee044..eeb4603ab03 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -2,7 +2,9 @@ creation_date = "2023/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] 
@@ -25,12 +27,11 @@ query = "SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{pr label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ -Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. -Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. +Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence. """ false_positives = [ @@ -130,19 +131,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.executable : ( 
@@ -165,34 +165,33 @@ process.name : ( ) and not process.name == "phpquery" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml index 0806394a0dd..18b5500253f 100644 --- a/rules/linux/persistence_linux_user_account_creation.toml +++ b/rules/linux/persistence_linux_user_account_creation.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [transform] [[transform.osquery]] 
@@ -21,10 +23,11 @@ query = "SELECT * FROM groups WHERE groupname = {{group.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" - [rule] author = ["Elastic"] -description = "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.\n" +description = """ +Identifies attempts to create new users. Attackers may add new users to establish persistence on a system. +""" from = "now-9m" index = ["filebeat-*", "logs-system.auth-*"] language = "eql" @@ -99,37 +102,28 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" - query = ''' iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and process.name in ("useradd", "adduser") and user.name != null ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index d08a4139b9d..2528e50c246 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/13" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -21,11 +23,10 @@ query = "SELECT * FROM groups WHERE groupname = {{group.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" - [rule] author = ["Elastic"] description = """ -Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to +Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system. """ from = "now-9m" 
@@ -108,18 +109,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.args in ( @@ -132,22 +132,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 85e05d4e851..7afb4ae59ec 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] 
@@ -16,11 +18,20 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE -'/usr/lib/update-notifier/%') +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%') """ [[transform.osquery]] @@ -31,7 +42,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ 
@@ -106,7 +116,7 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/` - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd", + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" ] risk_score = 47 rule_id = "96d11d31-9a79-480f-8401-da28b194608f" @@ -137,17 +147,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] -timestamp_override = "event.ingested" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] type = "new_terms" - +timestamp_override = "event.ingested" query = ''' host.os.type :linux and event.action:(creation or file_create_event or rename or file_rename_event) and file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : ( @@ -158,15 +167,14 @@ file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -175,8 +183,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index ca3cb5b9b2c..219b88f9fc3 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/17" [transform] [[transform.osquery]] 
@@ -16,11 +18,20 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE -'/usr/lib/update-notifier/%') +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%') """ [[transform.osquery]] 
@@ -30,17 +41,15 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u [[transform.osquery]] label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - - [rule] author = ["Elastic"] description = """ -Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or -a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and -"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a -serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a -user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially -malicious processes through the MOTD utility. +Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH +or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and +"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a +serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a +user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially +malicious processes through the MOTD utility. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -106,7 +115,7 @@ This rule identifies the execution of potentially malicious processes from a MOT
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = [
- "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd",
+ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
 ]
 risk_score = 73
 rule_id = "4ec47004-b34a-42e6-8003-376a123ea447"
@@ -137,17 +146,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "high"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and (
@@ -178,17 +186,15 @@ not (
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml
index e9177e41c18..ce7a4a9ae82 100644
--- a/rules/linux/persistence_rc_script_creation.toml
+++ b/rules/linux/persistence_rc_script_creation.toml
@@ -2,7 +2,9 @@ creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2024/01/05"
 [transform]
 [[transform.osquery]]
@@ -15,24 +17,21 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 [[transform.osquery]]
 label = "Osquery - Retrieve rc-local.service File Information"
-query = """
-SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path =
-'/run/systemd/generator/multi-user.target.wants/rc-local.service')
-"""
+query = "SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')"
 [[transform.osquery]]
 label = "Osquery - Retrieve Crontab Information"
 query = "SELECT * FROM crontab"
-
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the
-use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or
-commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the
-"systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter
-rc.local to execute malicious code at start-up, and gain persistence onto the system.
+This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable
+through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications,
+services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd.
+However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at
+boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the
+system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
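Review bot: The rc-local.service osquery transform, now collapsed onto one `query` line, compares `path` against the same literal on both sides of the `OR` — `/run/systemd/generator/multi-user.target.wants/rc-local.service` twice — so the second branch is dead and the transform only ever inspects one file. The old side carried the same duplicate, so this revert does not introduce it, but putting both copies on a single line makes it easier to miss. Either drop the redundant branch, or, if a second rc-local.service location was intended, substitute that path so the investigation guide actually covers it.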
@@ -101,7 +100,8 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f
 references = [
 "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
- "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/",
+ "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"
+
 ]
 risk_score = 47
 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f"
@@ -132,17 +132,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
-timestamp_override = "event.ingested"
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 type = "new_terms"
-
+timestamp_override = "event.ingested"
 query = '''
 host.os.type : "linux" and event.category : "file" and event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
@@ -151,20 +150,19 @@ file.path : "/etc/rc.local" and not process.name : (
 ) and not file.extension : ("swp" or "swpx")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1037.004"
 name = "RC Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/004/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -173,8 +171,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable", "user.id"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
-
-
diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml
index 0aa61d6bc1f..c99e8b13ed1 100644
--- a/rules/linux/persistence_setuid_setgid_capability_set.toml
+++ b/rules/linux/persistence_setuid_setgid_capability_set.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
 label = "Osquery - Investigate the Account Authentication Status"
 query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -132,22 +133,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name in ("jem", "vzctl")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -155,21 +154,21 @@ framework = "MITRE ATT&CK"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.001"
 name = "Setuid and Setgid"
 reference = "https://attack.mitre.org/techniques/T1548/001/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index 72faf4eb4fe..b9da05228d2 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -2,20 +2,33 @@ creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
+min_stack_version = "8.6.0"
+updated_date = "2024/02/21"
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve File Listing Information"
-query = "SELECT * FROM file WHERE path = {{file.path}}\n"
-
+query = """
+SELECT * FROM file WHERE path = {{file.path}}
+"""
 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
 query = """
-SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
-file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
-file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
-JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}
+SELECT
+ f.path,
+ u.username AS file_owner,
+ g.groupname AS group_owner,
+ datetime(f.atime, 'unixepoch') AS file_last_access_time,
+ datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+ datetime(f.btime, 'unixepoch') AS file_created_time,
+ f.size AS size_bytes
+FROM
+ file f
+ LEFT JOIN users u ON f.uid = u.uid
+ LEFT JOIN groups g ON f.gid = g.gid
+WHERE path = {{file.path}}
 """
 [[transform.osquery]]
@@ -42,7 +55,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
 label = "Osquery - Investigate the Account Authentication Status"
 query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -155,11 +167,10 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
 file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (
@@ -169,20 +180,19 @@ file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* an
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
 name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -191,8 +201,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "file.path", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
-
-
diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml
index bbdb5484c9f..9f5571f1fc0 100644
--- a/rules/linux/persistence_shell_configuration_modification.toml
+++ b/rules/linux/persistence_shell_configuration_modification.toml
@@ -2,7 +2,9 @@ creation_date = "2024/04/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2024/04/30"
 [rule]
 author = ["Elastic"]
@@ -48,16 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
-timestamp_override = "event.ingested"
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 type = "new_terms"
-
+timestamp_override = "event.ingested"
 query = '''
 event.category:file and host.os.type:linux and event.action:(creation or file_create_event or rename or file_rename_event) and file.path:(
@@ -79,20 +80,19 @@ event.action:(creation or file_create_event or rename or file_rename_event) and
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.004"
 name = "Unix Shell Configuration Modification"
 reference = "https://attack.mitre.org/techniques/T1546/004/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -100,9 +100,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "user.id", "process.executable"]
+value = ["host.id", "user.id", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
-
-
diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml
index 21922814d76..88458c64bc3 100644
--- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml
+++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml
@@ -1,17 +1,19 @@
 [metadata]
 creation_date = "2023/07/25"
-integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/17"
+integration = ["endpoint"]
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a
+This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a
 temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of
-suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file
+suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file
 through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish
-persistence, escalate privileges or perform reconnaisance on the system.
+persistence, escalate privileges or perform reconnaisance on the system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -23,17 +25,16 @@ risk_score = 21
 rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and
 file.path : (
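Review bot: The metadata block on the new side moves `integration = ["endpoint"]` below `updated_date`, while every other rule in this patch (persistence_rc_script_creation.toml, persistence_setuid_setgid_capability_set.toml, persistence_shared_object_creation.toml, ...) keeps `integration` directly after `creation_date`; persistence_systemd_netcon.toml later in this patch has the same reordering. A uniform key order keeps these headers diffing cleanly the next time only the dates or min_stack fields change. The description re-added on the new side also still carries the misspelling "reconnaisance"; the last line should read `persistence, escalate privileges or perform reconnaissance on the system.`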
@@ -56,59 +57,58 @@ file.path : (
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1037.004"
 name = "RC Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/004/"
-
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-[[rule.threat.technique.subtechnique]]
-id = "T1543.002"
-name = "Systemd Service"
-reference = "https://attack.mitre.org/techniques/T1543/002/"
-
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
 name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique.subtechnique]]
+id = "T1543.002"
+name = "Systemd Service"
+reference = "https://attack.mitre.org/techniques/T1543/002/"
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.003"
 name = "Sudo and Sudo Caching"
 reference = "https://attack.mitre.org/techniques/T1548/003/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
index 77654c11f70..61823f66e80 100644
--- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
+++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
@@ -2,7 +2,10 @@ creation_date = "2024/04/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/01"
+
 [rule]
 author = ["Elastic"]
@@ -15,22 +18,21 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Execution via XZBackdoor"
-references = ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"]
+references =["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"]
 risk_score = 73
 rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248"
 severity = "high"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Persistence",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Persistence",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 sequence by host.id, user.id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and
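Review bot: In the new-side threat mapping of persistence_suspicious_file_opened_through_editor.toml, each `[[rule.threat]]` now places its `[rule.threat.tactic]` table before the `[[rule.threat.technique]]` entries, whereas every other rule in this patch (and this file's old side) lists the techniques first and the tactic last; the re-added T1543 technique/subtechnique pair is also appended with no blank-line separation, unlike the entries around it. TOML accepts both orders, so this is a style point, but a uniform layout keeps the ATT&CK mapping easy to scan and keeps future diffs small. The hunk opens on the closing `)` of the EQL query, whose body begins outside it.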
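Review bot: `references =["https://github.com/amlweems/xzbot", ...]` on the new side drops the space after `=`, unlike every other key in this file and in the rest of the patch; `references = ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"]` matches the surrounding style and is what the old side had. It parses either way, so this is cosmetic, but it is the only line in the hunk that differs from the old side by more than indentation.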
@@ -41,56 +43,56 @@ sequence by host.id, user.id with maxspan=1s
 [network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and process.name == "sshd"] by process.pid, process.entity_id
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.004"
 name = "SSH"
 reference = "https://attack.mitre.org/techniques/T1021/004/"
-
 [[rule.threat.technique]]
 id = "T1563"
 name = "Remote Service Session Hijacking"
 reference = "https://attack.mitre.org/techniques/T1563/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1563.001"
 name = "SSH Hijacking"
 reference = "https://attack.mitre.org/techniques/T1563/001/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml
index fba0565d1e0..45d82726185 100644
--- a/rules/linux/persistence_systemd_netcon.toml
+++ b/rules/linux/persistence_systemd_netcon.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2024/02/01"
-integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
+integration = ["endpoint"]
 [rule]
 author = ["Elastic"]
@@ -48,16 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Command and Control",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Command and Control",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
-
 query = '''
 sequence by host.id with maxspan=5s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -69,29 +70,29 @@ sequence by host.id with maxspan=5s
 ] by process.parent.entity_id
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -99,6 +100,7 @@ framework = "MITRE ATT&CK"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -106,4 +108,3 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml
index b021569a802..02f86919669 100644
--- a/rules/linux/persistence_systemd_scheduled_timer_created.toml
+++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml
@@ -2,7 +2,9 @@ creation_date = "2023/02/24"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/12/13"
 [transform]
 [[transform.osquery]]
@@ -12,19 +14,38 @@ query = "SELECT * FROM file WHERE path = {{file.path}}"
 [[transform.osquery]]
 label = "Osquery - Retrieve File Listing Information"
 query = """
-SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE
-'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )
+SELECT * FROM file WHERE (
+path LIKE '/etc/systemd/system/%' OR
+path LIKE '/usr/local/lib/systemd/system/%' OR
+path LIKE '/lib/systemd/system/%' OR
+path LIKE '/usr/lib/systemd/system/%' OR
+path LIKE '/home/user/.config/systemd/user/%'
+)
 """
 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
 query = """
-SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
-file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
-file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
-JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE
-'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path
-LIKE '/home/{{user.name}}/.config/systemd/user/%' )
+SELECT
+ f.path,
+ u.username AS file_owner,
+ g.groupname AS group_owner,
+ datetime(f.atime, 'unixepoch') AS file_last_access_time,
+ datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+ datetime(f.btime, 'unixepoch') AS file_created_time,
+ f.size AS size_bytes
+FROM
+ file f
+ LEFT JOIN users u ON f.uid = u.uid
+ LEFT JOIN groups g ON f.gid = g.gid
+WHERE (
+path LIKE '/etc/systemd/system/%' OR
+path LIKE '/usr/local/lib/systemd/system/%' OR
+path LIKE '/lib/systemd/system/%' OR
+path LIKE '/usr/lib/systemd/system/%' OR
+path LIKE '/home/{{user.name}}/.config/systemd/user/%'
+)
 """
 [[transform.osquery]]
@@ -35,14 +56,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Crontab Information"
 query = "SELECT * FROM crontab"
-
 [rule]
 author = ["Elastic"]
 description = """
-Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used
-by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd
-timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in
-case the connection to the infected asset was lost.
+Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used
+by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd
+timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in
+case the connection to the infected asset was lost.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -110,7 +130,7 @@ This rule monitors the creation of new systemd timer files, potentially indicati
 """
 references = [
 "https://opensource.com/article/20/7/systemd-timers",
- "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
 ]
 risk_score = 21
 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c"
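Review bot: The "Retrieve File Listing Information" transform on the new side hard-codes a home directory literally named `user` (`+path LIKE '/home/user/.config/systemd/user/%'`), whereas the companion "Retrieve Additional File Listing Information" query in the same hunk templates it as `/home/{{user.name}}/.config/systemd/user/%`; for any real account the first query therefore never reaches the per-user systemd directory. The literal was already on the old side, so this revert does not introduce it. If `user.name` is populated on these alerts (the second query already depends on it), changing the line to `path LIKE '/home/{{user.name}}/.config/systemd/user/%'` makes the two transforms consistent. The same pair of queries in persistence_systemd_service_creation.toml later in this patch carries the same literal.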
@@ -141,17 +161,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and
 file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or
@@ -164,20 +183,19 @@ file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/sy
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.006"
 name = "Systemd Timers"
 reference = "https://attack.mitre.org/techniques/T1053/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -186,8 +204,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "file.path", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
-
-
diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml
index aeacc5b90d6..a876bda2545 100644
--- a/rules/linux/persistence_systemd_service_creation.toml
+++ b/rules/linux/persistence_systemd_service_creation.toml
@@ -2,7 +2,9 @@ creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
+min_stack_version = "8.6.0"
+updated_date = "2023/12/13"
 [transform]
 [[transform.osquery]]
@@ -12,19 +14,38 @@ query = "SELECT * FROM file WHERE path = {{file.path}}" [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE -'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' ) +SELECT * FROM file WHERE ( +path LIKE '/etc/systemd/system/%' OR +path LIKE '/usr/local/lib/systemd/system/%' OR +path LIKE '/lib/systemd/system/%' OR +path LIKE '/usr/lib/systemd/system/%' OR +path LIKE '/home/user/.config/systemd/user/%' +) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE -'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path -LIKE '/home/{{user.name}}/.config/systemd/user/%' ) +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( +path LIKE '/etc/systemd/system/%' OR +path LIKE '/usr/local/lib/systemd/system/%' OR +path LIKE '/lib/systemd/system/%' OR +path LIKE '/usr/lib/systemd/system/%' OR +path 
LIKE '/home/{{user.name}}/.config/systemd/user/%' +) """ [[transform.osquery]] @@ -51,13 +72,12 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ -Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious -actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute -malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute +Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious +actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute +malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. """ from = "now-9m" @@ -139,7 +159,7 @@ This rule monitors the creation of new systemd service files, potentially indica """ references = [ "https://opensource.com/article/20/7/systemd-timers", - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" ] risk_score = 47 rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001" 
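Review bot: The first osquery transform's rewritten `SELECT * FROM file WHERE (` query still hard-codes `path LIKE '/home/user/.config/systemd/user/%'`, while the second transform in the same hunk uses `path LIKE '/home/{{user.name}}/.config/systemd/user/%'`. On the new side the first listing will only cover a home directory literally named `user`, so the per-user systemd path of the account under investigation is effectively skipped by that transform. Switching the first query to the templated form `path LIKE '/home/{{user.name}}/.config/systemd/user/%'` makes both transforms look at the same directory. This appears to be carried over from the pre-revert version rather than introduced here, so it could land as a follow-up.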
@@ -170,14 +190,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -199,37 +219,37 @@ not ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -238,8 +258,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml index 6cabc894a4d..b9bc99d6679 100644 --- a/rules/linux/persistence_tainted_kernel_module_load.toml 
+++ b/rules/linux/persistence_tainted_kernel_module_load.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/23" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -42,48 +44,46 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ] timestamp_override = "event.ingested" type = "query" - query = ''' host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:"module verification failed: signature and/or required key missing - tainting kernel" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" 
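Review bot: In the second `[[rule.threat]]` block the restored `[[rule.threat.technique]]` for T1014 now sits after `[rule.threat.tactic]` and lists `name` before `id`, unlike every other threat block in this diff where the technique precedes the tactic and `id` comes first. TOML still attaches the array element to the same threat entry, so parsing is unaffected, but the layout differs from the rest of the rule set and is likely to be rewritten by the repo's TOML normalizer on the next save, producing churn. The same technique-after-tactic ordering appears in `privilege_escalation_kworker_uid_elevation.toml`, and the `name`-before-`id` swap also appears in `persistence_tainted_kernel_module_out_of_tree_load.toml`. Keeping `[[rule.threat.technique]]` / `id` / `name` / `reference` ahead of `[rule.threat.tactic]` matches the surrounding files.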
diff --git a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml index 57ff1986c23..784a655fa49 100644 --- a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml @@ -2,12 +2,14 @@ creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] description = """ -This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating +This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access. 
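Review bot: The re-added description line reads `instances of a out-of-tree kernel module load`; since this line is being rewritten anyway it should read `instances of an out-of-tree kernel module load`. The context line below it, `the taining of the kernel`, also misspells "tainting", though that line is unchanged by this hunk. Both strings are rendered as the rule description in the UI, so the fix is worth a follow-up even if it is out of scope for a revert.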
@@ -42,48 +44,46 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ] timestamp_override = "event.ingested" type = "query" - query = ''' host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:"loading out-of-tree module taints kernel." ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1014" name = "Rootkit" +id = "T1014" reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml index bcd0e28ad73..219dc0dc583 100644 --- a/rules/linux/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
@@ -47,16 +49,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] -timestamp_override = "event.ingested" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] type = "new_terms" - +timestamp_override = "event.ingested" query = ''' host.os.type:"linux" and event.category:"file" and event.type:("change" or "file_modify_event" or "creation" or "file_create_event") and @@ -66,15 +67,14 @@ file.path:/lib/udev/* and process.executable:* and not ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -83,8 +83,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index 6582e466312..c631a2d3ba7 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml 
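Review bot: The restored block moves `timestamp_override = "event.ingested"` below `type = "new_terms"`, whereas every other rule in this diff keeps `timestamp_override` immediately after `tags` and before `type`. The two keys are siblings under `[rule]`, so the swap has no effect on parsing, but it breaks the ordering the other files follow; placing `timestamp_override` back above `type` keeps the file consistent.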
@@ -2,13 +2,15 @@ creation_date = "2023/07/28" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a -wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate +wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. """ 
@@ -47,51 +49,49 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml index b5167a53e88..0084ab81f9a 100644 --- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml 
+++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml @@ -2,16 +2,18 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of processes that interact with Linux containers through an interactive shell -without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with -containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be -able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container -escape attack, which might allow them to escalate privileges and gain further access onto the host file system. +This rule monitors for the execution of processes that interact with Linux containers through an interactive shell +without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact +with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might +be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a +container escape attack, which might allow them to escalate privileges and gain further access onto the host file system. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -20,8 +22,8 @@ license = "Elastic License v2" name = "Potential Privilege Escalation via Container Misconfiguration" references = [ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation", - "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation", -] + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" + ] risk_score = 47 rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d" setup = """## Setup @@ -59,17 +61,9 @@ Session View uses process data collected by the Elastic Defend integration, but For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Domain: Container", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.name == "runc" and process.args == "run") or @@ -78,17 +72,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.interactive == true and process.parent.interactive == true ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - 
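Review bot: The new side collapses `tags` into a single-line array, `tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", ...]`, while every other rule in this diff keeps one tag per line inside the brackets. The one-per-line form is what the rest of the revert produces and is what diffs cleanly when a tag is later added or removed; consider restoring that layout here.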
diff --git a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml index f3fc23dbe44..dadfea9010f 100644 --- a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml +++ b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml @@ -2,14 +2,16 @@ creation_date = "2024/01/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host, and leveraging chroot to escape its -containarized environment. This behavior pattern is very uncommon and should be investigated. +containarized environment. This behavior pattern is very uncommon and should be investigated. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -17,8 +19,8 @@ language = "eql" license = "Elastic License v2" name = "Potential Chroot Container Escape via Mount" references = [ - "https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash", -] + "https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash" + ] risk_score = 47 rule_id = "5ae02ebc-a5de-4eac-afe6-c88de696477d" setup = """## Setup 
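Review bot: The changed description line keeps the misspelling `containarized environment`; since the line is touched by this hunk it should read `containerized environment`. This is user-visible text in the rule description, so it is worth correcting while the line is being rewritten.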
@@ -58,15 +60,14 @@ For more information about the additional fields collected when this setting is """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Domain: Container", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Domain: Container", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.parent.entity_id with maxspan=5m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -76,17 +77,15 @@ sequence by host.id, process.parent.entity_id with maxspan=5m process.name == "chroot"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml index f17fb467fd1..60863460f2e 100644 --- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml +++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] 
@@ -49,50 +51,48 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and user.id == "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.013" name = "KernelCallbackTable" reference = "https://attack.mitre.org/techniques/T1574/013/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index c1188e26d75..52c674200bb 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] @@ -59,35 +61,33 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:file and event.action:(updated or renamed or rename or file_rename_event) and not event.type:deletion and file.path:/etc/ld.so.preload and not process.name:(wine or oneagentinstallaction) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -96,8 +96,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index 17842881d45..a7983629c05 100644 
--- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -47,17 +49,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "ln" and process.args in ("-s", "-sf") and 
@@ -80,34 +81,33 @@ process.name == "ln" and process.args in ("-s", "-sf") and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml index 3cef1b9dacb..26f8283c90b 100644 --- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml +++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum -allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID -greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. +This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum +allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID +greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -17,10 +19,9 @@ language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via UID INT_MAX Bug Detected" references = [ - "https://twitter.com/paragonsec/status/1071152249529884674", + "https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", - "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74", -] + "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"] risk_score = 47 rule_id = "d55436a8-719c-445f-92c4-c113ff2f9ba5" setup = """## Setup 
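Review bot: In `references` the closing bracket is fused onto the last element, `"https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"]`, and the first element is re-added as a changed line with no visible text difference (most likely trailing whitespace). Elsewhere in this diff the closing `]` sits on its own line; restoring that layout, with `"https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"` followed by `]` on the next line, avoids the element-plus-bracket line and any stray trailing whitespace.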
@@ -50,32 +51,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index 9a7f5068b7e..c45f0267678 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml 
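Review bot: The query's final clause, `user.id >= "1000000000"`, compares a keyword field against a quoted string; if the comparison is evaluated lexicographically, as range queries on keyword fields are, then values such as `"2"` or `"1001"` also satisfy it and the INT_MAX condition is not what is actually tested. Worth verifying against the mapping of `user.id` and, if confirmed, narrowing the clause (for example with a length check) so the rule only fires for UIDs above the intended threshold. The line is unchanged context here rather than part of the revert.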
@@ -1,17 +1,19 @@ [metadata] creation_date = "2023/06/09" -integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" +integration = ["endpoint", "auditd_manager"] [rule] author = ["Elastic"] description = """ -This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential -compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different -kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, -escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to -tamper with the system's trusted state, allowing e.g. a VM Escape. +This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential +compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different +kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, +escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to +tamper with the system's trusted state, allowing e.g. a VM Escape. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
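Review bot: The `[metadata]` table now lists `integration = ["endpoint", "auditd_manager"]` after `updated_date`, whereas every other file in this diff keeps `integration` right after `creation_date`. TOML keys are unordered, so nothing breaks, but the revert introduces a one-off ordering in this file; moving `integration` back between `creation_date` and `maturity` keeps the metadata block consistent.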
@@ -21,7 +23,7 @@ name = "Kernel Load or Unload via Kexec Detected"
 references = [
     "https://www.crowdstrike.com/blog/venom-vulnerability-details/",
     "https://www.makeuseof.com/what-is-venom-vulnerability/",
-    "https://madaidans-insecurities.github.io/guides/linux-hardening.html",
+    "https://madaidans-insecurities.github.io/guides/linux-hardening.html"
 ]
 risk_score = 47
 rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957"
@@ -52,69 +54,68 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1601" name = "Modify System Image" reference = "https://attack.mitre.org/techniques/T1601/" + [[rule.threat.technique.subtechnique]] id = "T1601.001" name = "Patch System Image" reference = 
"https://attack.mitre.org/techniques/T1601/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml index 75d12aa5a97..30b4f2fcdb0 100644 --- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml +++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." +min_stack_version = "8.6.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -15,9 +17,7 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via CVE-2023-4911" -references = [ - "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so", -] +references = ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"] risk_score = 73 rule_id = "6d8685a1-94fa-4ef7-83de-59302e7c4ca8" setup = """## Setup 
@@ -60,32 +60,29 @@ For more information on capturing environment variables refer to the [helper gui """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.env_vars : "*GLIBC_TUNABLES=glibc.*=glibc.*=*"] with runs=5 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml index eeade4b3a0b..b9d7cdcdfda 100644 --- a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml +++ b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml 
@@ -2,14 +2,16 @@ creation_date = "2024/01/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ Detects network connections initiated by the "sudo" binary. This behavior is uncommon and may occur in instances where reverse shell shellcode is injected into a process run with elevated permissions via "sudo". Attackers may attempt to -inject shellcode into processes running as root, to escalate privileges. +inject shellcode into processes running as root, to escalate privileges. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
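Review bot: The restored description line still calls a network connection from sudo "uncommon", but sudo itself connects out in at least two supported configurations — an LDAP-backed sudoers (`sudoers.ldap`), where the sudo process queries the directory directly, and sudo 1.9's `log_servers` Defaults option, which streams session logs to sudo_logsrvd over TCP — so on such hosts this rule will match routine sudo use. Consider adding a sentence such as `Hosts that resolve sudoers via LDAP or forward logs to sudo_logsrvd (log_servers) will produce benign matches; tune with a destination filter or an exception.` to the description or a false_positives entry. The query that keys on `process.name == "sudo"` is in the following hunk of this file, not in this one.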
@@ -45,48 +47,45 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "ipv4_connection_attempt_event") and process.name == "sudo" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index a62129ec619..8c5e04a7581 100644 --- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the -ability to escalate privileges to root on the affected machine. +ability to escalate privileges to root on the affected machine. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -18,8 +20,7 @@ license = "Elastic License v2" name = "Potential Privilege Escalation via OverlayFS" references = [ "https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", - "https://twitter.com/liadeliyahu/status/1684841527959273472", -] + "https://twitter.com/liadeliyahu/status/1684841527959273472"] risk_score = 73 rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57" setup = """## Setup @@ -48,16 +49,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by process.parent.entity_id, host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -66,17 +59,15 @@ sequence by process.parent.entity_id, host.id with maxspan=5s user.id == "0"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index ca808d17266..e8467a59525 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -2,7 +2,9 @@ creation_date = "2022/01/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -44,15 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml index d0bdbf799f4..3bd20841255 100644 --- a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml 
+++ b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2023/12/11" maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/17" [rule] author = ["Elastic"] @@ -28,42 +30,41 @@ As a higher-order rule (based on other detections), this rule also requires the """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Initial Access", - "Use Case: Vulnerability", - "Rule Type: Higher-Order Rule", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Initial Access", + "Use Case: Vulnerability", + "Rule Type: Higher-Order Rule" + ] timestamp_override = "event.ingested" type = "threshold" - query = ''' kibana.alert.rule.rule_id:"5c81fc9d-1eae-437f-ba07-268472967013" and host.os.type:linux and event.kind:signal ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index 3e3d1dbd146..8353f4f697e 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -46,16 +48,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -67,29 +61,28 @@ sequence by host.id with maxspan=1s process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index ab68d5dbf49..7a36055d1a7 100644 
--- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml @@ -2,15 +2,17 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. -Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine -through DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by -root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate +This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. +Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine through +DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by root, +such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges. """ from = "now-9m" @@ -18,9 +20,7 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Suspicious DebugFS Root Device Access" -references = [ - "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group", -] +references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"] risk_score = 21 rule_id = "2605aa59-29ac-4662-afad-8d86257c7c91" setup = """## Setup 
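Review bot: The description restored here says the rule catches DebugFS access to "a disk device", but the query in the following hunk of this file only matches `process.args : "/dev/sd*"`, so NVMe (`/dev/nvme*`), virtio (`/dev/vd*`), Xen (`/dev/xvd*`) and device-mapper (`/dev/mapper/*`, `/dev/dm-*`) block devices — the usual root disks on cloud VMs, typically also group-owned by `disk` — are not covered. Either qualify the description or widen the pattern, e.g. `process.args : ("/dev/sd*", "/dev/nvme*", "/dev/vd*", "/dev/xvd*", "/dev/mapper/*", "/dev/dm-*")`. The same query also drops any invocation carrying `-R`, which is exactly how `debugfs -R 'cat /etc/shadow' /dev/sda1` is run non-interactively; that exclusion is presumably meant to suppress scripted read-only queries, but it exempts the one-liner the description warns about, so it deserves an explanatory comment or a narrower exclusion.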
@@ -49,39 +49,29 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "debugfs" and process.args : "/dev/sd*" and not process.args == "-R" and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml index 52293c9bd1f..ff3852135da 100644 --- a/rules/linux/privilege_escalation_shadow_file_read.toml +++ b/rules/linux/privilege_escalation_shadow_file_read.toml @@ -2,7 +2,9 @@ creation_date = "2022/09/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] 
@@ -46,14 +48,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -64,32 +66,32 @@ host.os.type : "linux" and event.category : "process" and event.action : ("exec" (process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" @@ -98,8 +100,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["process.command_line", "host.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index 757994326b9..a5a59552ec0 100644 
--- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml @@ -2,14 +2,16 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate +This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID -that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, +that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28. """ from = "now-9m" 
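Review bot: The version statement retained on the new side of the description is wrong: `This exploit may work for sudo versions prior to v1.28.` should read `prior to v1.8.28`, the release that fixed CVE-2019-14287. While this rule is being touched, note that the query in the following hunk of this file matches only `process.args == "-u#-1"`; the advisory's other documented spelling, `sudo -u#4294967295`, and the split form `sudo -u '#-1'` (two separate args) are not matched, so consider `process.args in ("-u#-1", "-u#4294967295")` and, if telemetry supports it, the bare `#-1` / `#4294967295` tokens as well.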
@@ -47,34 +49,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Use Case: Vulnerability", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Use Case: Vulnerability", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "sudo" and process.args == "-u#-1" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index cc224a4bab0..d87321780f1 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] description = """ -Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and -replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or +Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and +replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed. """ from = "now-9m" 
@@ -52,42 +54,41 @@ tags = [ "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd or pacman) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -96,8 +97,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index 83436532a85..e748504ac7c 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml 
@@ -2,16 +2,18 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a -debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token +This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a +debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by -attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence -of a living process that has a valid sudo token with the same uid as the current user. +attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence +of a living process that has a valid sudo token with the same uid as the current user. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -47,15 +49,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id, process.session_leader.entity_id with maxspan=15s [ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -64,32 +59,30 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml index 099c3d7462e..5e32f77fff6 100644 --- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml 
+++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml @@ -2,16 +2,18 @@ creation_date = "2023/09/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, +This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. -Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated -privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the -privileges that are set on the binary that is being executed. +Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated +privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the +privileges that are set on the binary that is being executed. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -47,15 +49,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -64,9 +59,9 @@ sequence by host.id, process.entity_id with maxspan=1s (user.id == "0" or group.id == "0")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -76,13 +71,12 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml index 0b8d920fccf..ab23c2c4825 100644 --- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml +++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml 
@@ -2,7 +2,9 @@
 creation_date = "2024/01/22"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/19"
 [rule]
 author = ["Elastic"]
@@ -69,15 +71,14 @@ However, if more advanced configuration is required to detect specific behavior,
 """
 severity = "medium"
 tags = [
- "Data Source: Auditd Manager",
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
-]
+ "Data Source: Auditd Manager",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
-
 query = '''
 sequence by host.id, process.parent.pid with maxspan=1m
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -86,17 +87,15 @@ sequence by host.id, process.parent.pid with maxspan=1m
 not auditd.data.a2 == "80000" and event.outcome == "success" and user.id != "0"]
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
index 64e954706a1..9f8d47e5a87 100644
--- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml
+++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
@@ -2,13 +2,15 @@
 creation_date = "2023/08/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent
-alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or
+This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent 
+alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or 
 software privilege escalation exploit.
 """
 from = "now-9m"
@@ -44,16 +46,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 type = "eql"
-
 query = '''
 sequence by host.id with maxspan=1m
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -66,17 +60,15 @@ sequence by host.id with maxspan=1m
 user.id == "0"] by process.name
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
index f7b1532585e..91c4d09bf06 100644
--- a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
+++ b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2024/02/21"
 [rule]
 author = ["Elastic"]
@@ -46,16 +48,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type:"linux" and event.category:"process" and event.action:"uid_change" and event.type:"change" and user.id:"0"
 and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or "ksh" or "fish") and not (
@@ -71,42 +72,42 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1574.013"
 name = "KernelCallbackTable"
 reference = "https://attack.mitre.org/techniques/T1574/013/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1014"
-name = "Rootkit"
-reference = "https://attack.mitre.org/techniques/T1014/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+name = "Rootkit"
+id = "T1014"
+reference = "https://attack.mitre.org/techniques/T1014/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable", "process.command_line"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
index bf460f0459c..c27fcc55b06 100644
--- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
+++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/22"
 [rule]
 author = ["Elastic"]
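Review bot: The restored `[[rule.threat.technique]]` for T1014 is placed after `[rule.threat.tactic]` and lists `name` before `id`, the reverse of every other threat block in this diff (technique before tactic, `id` first) and of the first `[[rule.threat]]` entry in this same file. TOML still attaches the table to the second `rule.threat` element, so the rule should load, but the inverted layout is the kind of drift the repo's normalized TOML output elsewhere in this change avoids. If the revert only needs the `min_stack_version` metadata back, keeping the technique block ahead of the tactic with `id` first avoids the inconsistency.

```toml
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1014"
name = "Rootkit"
reference = "https://attack.mitre.org/techniques/T1014/"

# … unchanged: [rule.threat.tactic] block for TA0005 …
```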
@@ -61,16 +63,15 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and
 process.executable: "/usr/bin/unshare" and
@@ -78,17 +79,15 @@ not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd
 not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox-boot", "java")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml
index be6a9360a51..66a4907ba56 100644
--- a/rules/linux/privilege_escalation_writable_docker_socket.toml
+++ b/rules/linux/privilege_escalation_writable_docker_socket.toml
@@ -2,14 +2,16 @@
 creation_date = "2023/07/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/02"
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by
-default are only be writable by the root user and docker group. Attackers that have permissions to write to these
-sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto
+This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by 
+default are only be writable by the root user and docker group. Attackers that have permissions to write to these 
+sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto 
 the host file system.
 """
 from = "now-9m"
@@ -17,9 +19,7 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation through Writable Docker Socket"
-references = [
- "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape",
-]
+references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"]
 risk_score = 47
 rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8"
 setup = """## Setup
@@ -48,14 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Domain: Container",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -68,17 +61,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 ) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1611"
 name = "Escape to Host"
 reference = "https://attack.mitre.org/techniques/T1611/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index 10a16206576..ba6e92684fb 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: process.Ext.effective_parent"
+min_stack_version = "8.7.0"
+updated_date = "2024/03/19"
 [rule]
 author = ["Elastic"]
@@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index 4eea3dcd5ff..36af1b87a67 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index e9e879c94a9..c437c128e2c 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -16,9 +18,6 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dumping of Keychain Content via Security Command"
-references = ["https://ss64.com/osx/security.html"]
-risk_score = 73
-rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c"
 setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,14 +43,11 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
+references = ["https://ss64.com/osx/security.html"]
+risk_score = 73
+rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index ef37c8198c4..91fb75396f6 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
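Review bot: `references`, `risk_score` and `rule_id` are moved out of their alphabetical slot after `name` and re-added below the long multi-line `setup` string, which no other rule in this diff does (privilege_escalation_writable_docker_socket.toml, for example, keeps `references` → `risk_score` → `rule_id` → `setup`). Key order does not affect parsing, but a `rule_id` buried under a setup guide is easy to overlook in review and will be reshuffled by the next normalization pass. Keeping `references = ["https://ss64.com/osx/security.html"]`, `risk_score = 73` and `rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c"` directly after `name = ...` avoids the churn while still restoring the `min_stack_version` metadata from the first hunk.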
@@ -2,7 +2,9 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index fc4b71083a3..f0e7ef6fcea 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/06"
 [rule]
 author = ["Elastic"]
@@ -51,13 +53,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 6e915a16c92..1378d970acf 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: process.Ext.effective_parent"
+min_stack_version = "8.7.0"
+updated_date = "2024/03/19"
 [rule]
 author = ["Elastic"]
@@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
index 40b3b2d181e..31068ac424d 100644
--- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
+++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/01/05"
 [rule]
 author = ["Elastic"]
@@ -44,15 +46,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
-timestamp_override = "event.ingested"
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 type = "threshold"
+timestamp_override = "event.ingested"
 query = '''
 event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index ac83ec10af5..2ed4b55b6fb 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: process.Ext.effective_parent"
+min_stack_version = "8.7.0"
+updated_date = "2024/05/17"
 [rule]
 author = ["Elastic"]
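Review bot: `timestamp_override = "event.ingested"` is re-added after `type = "threshold"`, inverting the sorted key order that every other hunk in this diff keeps (`timestamp_override` immediately before `type`). This is the only file in the set where the pair is swapped, so it reads like an accident of the revert rather than intent, and it will be undone by the next normalization pass. Moving `timestamp_override = "event.ingested"` back above `type = "threshold"` keeps the file consistent with its neighbours.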
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 01434aa4c83..f61a002dced 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: process.Ext.effective_parent"
+min_stack_version = "8.7.0"
+updated_date = "2024/02/06"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index 44a47192117..d4ff6923175 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 651cb2eae28..5d8a845c8e8 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -2,14 +2,16 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/17"
 [rule]
 author = ["Elastic"]
 description = """
-Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are
-downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper
-defense program at execution time. An adversary may disable this attribute to evade defenses.
+Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from
+the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time.
+An adversary may disable this attribute to evade defenses.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index 9cf185bb72a..9371e7606cc 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index c4d2d688080..d2063929773 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 044d6b27ab3..5323edd7f46 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -49,13 +51,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 0e9e1000b8e..73685fd4de8 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,14 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index 599eef17f93..d17b16d0b50 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 0c821e217e4..5fe54a81d59 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -49,13 +51,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index 8accc83b579..7b51eb13802 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,14 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index 332860d1f4b..dfe03dda702 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -40,13 +42,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index bc38d1d3874..5d903cf4d7a 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: process.Ext.effective_parent"
+min_stack_version = "8.7.0"
+updated_date = "2024/02/06"
 [rule]
 author = ["Elastic"]
@@ -43,13 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -88,7 +84,6 @@ id = "T1069.001"
 name = "Local Groups"
 reference = "https://attack.mitre.org/techniques/T1069/001/"
-
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
@@ -98,8 +93,6 @@ id = "T1087.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1087/001/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index 37396801ec4..01c2ed6cfcb 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -48,14 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index a0c384dc8ef..698e23e3087 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/07"
 [rule]
 author = ["Elastic"]
@@ -48,14 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index 2e53cc22289..1638639bbfe 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/02/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/07"
 [rule]
 author = ["Elastic"]
@@ -57,14 +59,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index 55faccc4136..136bfe59059 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index d643bd904f1..b1f11d979d8 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,14 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index c0c517e9ea0..a7a99bdb56d 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/07"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index 9013d41a7ab..5d97ac0117c 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -44,14 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 567c47b2457..226042e1403 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -44,13 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index c312d9699ad..3e6f70a9794 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 6388074a40d..f54ba8e7070 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 88551bdc5f7..841b7e47907 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -44,13 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index 043c9618c04..1b0f3cb86ea 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index 1b48ca3d708..776e5346745 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -43,14 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index 0c3009d0cc4..a6aeb4b2850 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index 86b2ab22a1b..7b3faa66c76 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/07"
 [rule]
 author = ["Elastic"]
@@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml
index b8396765b58..d0f9b622d31 100644
--- a/rules/macos/persistence_crontab_creation.toml
+++ b/rules/macos/persistence_crontab_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/04/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
index 66941650995..dde96a35b72 100644
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -48,14 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml
index 6212dfc742d..18298068747 100644
--- a/rules/macos/persistence_directory_services_plugins_modification.toml
+++ b/rules/macos/persistence_directory_services_plugins_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index 25ac05e33e9..06cb5f257f1 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/07"
 [rule]
 author = ["Elastic"]
@@ -46,13 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index e6bbcdc0bd2..98d49da565b 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index c597f0d3fe8..54d9a27965f 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml
index 47a4bdcfee6..071bdeec631 100644
--- a/rules/macos/persistence_enable_root_account.toml
+++ b/rules/macos/persistence_enable_root_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -44,13 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index 0b84f1c374e..91ca171a562 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -46,14 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 18b114cfaf4..2ab48693331 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/07"
 [rule]
 author = ["Elastic"]
@@ -45,14 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index b0ef9cdda7d..27b66280de9 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index f75f8d19192..7abf4edf782 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/19"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index b83bfe38aae..2a42dcc351a 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -44,13 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
index fda11158c76..b27ce05a75d 100644
--- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index c2c9d4d7c3b..7509ec421b4 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -56,13 +58,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index f7280bcfa47..09eaadca5ea 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -54,13 +56,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index d9e648f11f1..11859698a7d 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -49,13 +51,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index f281678818e..47d8aa87af7 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index b05b7f04238..5cd2ed8d6ec 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -48,14 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index 2fbd033a24f..62f86ac76f3 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -54,7 +56,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index 3e51714cdd2..619fe287223 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
index 11ced2586f4..757b1664cbe 100644
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/27"
 [rule]
 anomaly_threshold = 50
@@ -28,13 +30,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
 severity = "low"
-tags = [
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Command and Control",
-]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
 type = "machine_learning"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -47,4 +45,3 @@ reference = "https://attack.mitre.org/techniques/T1572/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
index 7a933193649..43d92a09915 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/27"
 [rule]
 anomaly_threshold = 50
@@ -31,28 +33,23 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
 severity = "low"
-tags = [
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Command and Control",
-]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
 type = "machine_learning"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
-[[rule.threat.technique.subtechnique]]
-id = "T1071.004"
-name = "DNS"
-reference = "https://attack.mitre.org/techniques/T1071/004/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1071.004"
+ name = "DNS"
+ reference = "https://attack.mitre.org/techniques/T1071/004/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
+reference = "https://attack.mitre.org/tactics/TA0011/"
\ No newline at end of file
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
index f5f645da58c..c68d24c0453 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/27"
 [rule]
 anomaly_threshold = 50
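Review bot: On the new side this file now ends with `+reference = "https://attack.mitre.org/tactics/TA0011/"` followed by `\ No newline at end of file`, so the revert reintroduces a rule file without a terminating newline; the same marker appears in the hunks for credential_access_ml_auth_spike_in_failed_logon_events.toml, credential_access_ml_auth_spike_in_logon_events.toml and credential_access_ml_windows_anomalous_metadata_process.toml. This is presumably a faithful restore of the pre-#3681 bytes, but a missing trailing newline is exactly what a formatter or pre-commit hook tends to re-flag, so it will show up again as noise in the next PR that touches these rules. Keeping one newline after the final `reference = "https://attack.mitre.org/tactics/TA0011/"` line does not change the parsed TOML and avoids a follow-up whitespace-only commit.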
@@ -34,25 +36,22 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
 severity = "low"
-tags = [
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Command and Control",
-]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
 type = "machine_learning"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
-[[rule.threat.technique.subtechnique]]
-id = "T1071.001"
-name = "Web Protocols"
-reference = "https://attack.mitre.org/techniques/T1071/001/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1071.001"
+ name = "Web Protocols"
+ reference = "https://attack.mitre.org/techniques/T1071/001/"
+
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
index 80d1ea8c12a..449a6ff3eb4 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/27"
 [rule]
 anomaly_threshold = 50
@@ -32,25 +34,22 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0"
 severity = "low"
-tags = [
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Command and Control",
-]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
 type = "machine_learning"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
-[[rule.threat.technique.subtechnique]]
-id = "T1071.001"
-name = "Web Protocols"
-reference = "https://attack.mitre.org/techniques/T1071/001/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1071.001"
+ name = "Web Protocols"
+ reference = "https://attack.mitre.org/techniques/T1071/001/"
+
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
index b1686ca28d2..7d5f0f82db8 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2023/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 anomaly_threshold = 75
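Review bot: The restored `[metadata]` block in credential_access_ml_auth_spike_in_failed_logon_events.toml orders the keys as `+updated_date = "2023/07/27"` before `+min_stack_comments = ...` and `+min_stack_version = "8.3.0"`, while every macOS rule earlier in this diff and the rules/ml hunks up to command_and_control_ml_packetbeat_rare_user_agent.toml put `updated_date` after `min_stack_version`; the remaining rules/ml hunks below follow the same reversed order. Because this is a revert it presumably reproduces the pre-#3681 files as they were, so it is not something to change inside this commit, but the inconsistency is worth noting since a later normalisation pass (sorted metadata keys) would keep future header diffs small and make the `min_stack_version` field easier to audit across rules.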
@@ -58,15 +60,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "99dcf974-6587-4f65-9252-d866a3fdfd9c"
 severity = "low"
-tags = [
- "Use Case: Identity and Access Audit",
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
-]
+tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Resources: Investigation Guide"]
 type = "machine_learning"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -78,5 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1110/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
+reference = "https://attack.mitre.org/tactics/TA0006/"
\ No newline at end of file
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
index 7bef2ab7db8..108d1f6a6d8 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2023/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 anomaly_threshold = 75
@@ -26,14 +28,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9"
 severity = "low"
-tags = [
- "Use Case: Identity and Access Audit",
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Credential Access",
-]
+tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
 type = "machine_learning"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -45,5 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1110/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
+reference = "https://attack.mitre.org/tactics/TA0006/"
\ No newline at end of file
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
index a7db1669252..5a7340a19d0 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
@@ -2,14 +2,16 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2023/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job found an unusually large spike in successful authentication events from a particular source IP
-address. This can be due to password spraying, user enumeration or brute force activity.
+A machine learning job found an unusually large spike in successful authentication events from a particular
+source IP address. This can be due to password spraying, user enumeration or brute force activity.
 """
 false_positives = [
 """
@@ -51,16 +53,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "e26aed74-c816-40d3-a810-48d6fbd8b2fd"
 severity = "low"
-tags = [
- "Use Case: Identity and Access Audit",
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Credential Access",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 type = "machine_learning"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -83,14 +78,11 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "T1078.002"
 name = "Domain Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/002/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1078.003"
 name = "Local Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/003/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
index 99b868e36b7..208bb5ed2c4 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2023/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 anomaly_threshold = 50
@@ -25,26 +27,20 @@ name = "Unusual Linux Process Calling the Metadata Service"
 risk_score = 21
 rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Credential Access",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
 type = "machine_learning"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique.subtechnique]]
-id = "T1552.005"
-name = "Cloud Instance Metadata API"
-reference = "https://attack.mitre.org/techniques/T1552/005/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1552.005"
+ name = "Cloud Instance Metadata API"
+ reference = "https://attack.mitre.org/techniques/T1552/005/"
 [rule.threat.tactic]
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
index c9b15fd4751..70948500db1 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2023/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 anomaly_threshold = 75
@@ -25,30 +27,23 @@ name = "Unusual Linux User Calling the Metadata Service"
 risk_score = 21
 rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Credential Access",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
 type = "machine_learning"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique.subtechnique]]
-id = "T1552.005"
-name = "Cloud Instance Metadata API"
-reference = "https://attack.mitre.org/techniques/T1552/005/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1552.005"
+ name = "Cloud Instance Metadata API"
+ reference = "https://attack.mitre.org/techniques/T1552/005/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml
index ce9acc37043..3520d541d95 100644
--- a/rules/ml/credential_access_ml_suspicious_login_activity.toml
+++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -23,14 +25,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml index 708f48dd65d..2885596e757 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -25,30 +27,24 @@ name = "Unusual Windows Process Calling the Metadata Service" risk_score = 21 rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" -[[rule.threat.technique.subtechnique]] -id = "T1552.005" -name = "Cloud Instance Metadata API" -reference = "https://attack.mitre.org/techniques/T1552/005/" + [[rule.threat.technique.subtechnique]] + id = "T1552.005" + name = "Cloud Instance Metadata API" + reference = "https://attack.mitre.org/techniques/T1552/005/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - +reference = "https://attack.mitre.org/tactics/TA0006/" \ No newline at end of file diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml index 783424170e7..4ef68ed7067 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 
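Review bot: The new side of this hunk ends with `\ No newline at end of file`, so the revert leaves `reference = "https://attack.mitre.org/tactics/TA0006/"` as a final line without a terminating newline in credential_access_ml_windows_anomalous_metadata_process.toml; the same marker appears on the new side of the sibling hunks for the Windows metadata-user, anomalous-script and type-10 remote-login rules further down. A missing final newline does not affect TOML parsing, but every later edit to the file will show a spurious change on that line and editors or linters configured to enforce a trailing newline will keep re-adding it. I would keep the `reference = ...` line and end the file with a single newline (without the extra blank line the old side carried), or regenerate the file through the repository's rule formatter in a follow-up if these files are meant to be tool-written.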
@@ -25,30 +27,24 @@ name = "Unusual Windows User Calling the Metadata Service" risk_score = 21 rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" -[[rule.threat.technique.subtechnique]] -id = "T1552.005" -name = "Cloud Instance Metadata API" -reference = "https://attack.mitre.org/techniques/T1552/005/" + [[rule.threat.technique.subtechnique]] + id = "T1552.005" + name = "Cloud Instance Metadata API" + reference = "https://attack.mitre.org/techniques/T1552/005/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - +reference = "https://attack.mitre.org/tactics/TA0006/" \ No newline at end of file diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml index c796520526c..ed009b8739c 100644 --- a/rules/ml/discovery_ml_linux_system_information_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 
@@ -27,14 +29,7 @@ name = "Unusual Linux System Information Discovery Activity"
 risk_score = 21
 rule_id = "d4af3a06-1e0a-48ec-b96a-faf2309fae46"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Discovery",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
index 016916bf3cc..8dde1a9c8a4 100644
--- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/27"
 [rule]
 anomaly_threshold = 25
@@ -27,14 +29,7 @@ name = "Unusual Linux Network Configuration Discovery"
 risk_score = 21
 rule_id = "f9590f47-6bd5-4a49-bd49-a2f886476fb9"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Discovery",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
index 240ea84f8e6..d92e316c95f 100644
--- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
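Review bot: In the `@@ -2,7 +2,9 @@` hunk for discovery_ml_linux_system_network_configuration_discovery.toml the restored metadata keys are written as `min_stack_comments`, `min_stack_version`, then `updated_date`, whereas the neighbouring rule files in this same commit restore them as `updated_date`, `min_stack_comments`, `min_stack_version`; a handful of the network-traffic ML rules further down also use the min_stack-first order. Both orders parse identically, but an inconsistent `[metadata]` layout makes grep-style review and future bulk edits of the stack-version gate harder, and presumably it reflects whatever was in the tree before the trimmed commit rather than a deliberate choice. I would normalise this file to `updated_date = "2023/07/27"` followed by `min_stack_comments = "New fields added: required_fields, related_integrations, setup"` and `min_stack_version = "8.3.0"`, or regenerate the metadata block through the repository's rule formatter so the key order comes from the serializer rather than from hand edits.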
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 25 @@ -27,14 +29,7 @@ name = "Unusual Linux Network Connection Discovery" risk_score = 21 rule_id = "c28c4d8c-f014-40ef-88b6-79a1d67cd499" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml index 236077e3190..13dc6631526 100644 --- a/rules/ml/discovery_ml_linux_system_process_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -27,14 +29,7 @@ name = "Unusual Linux Process Discovery Activity" risk_score = 21 rule_id = "5c983105-4681-46c3-9890-0c66d05e776b" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml index fedcc03086d..8ef0695868e 100644 --- a/rules/ml/discovery_ml_linux_system_user_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 @@ -27,14 +29,7 @@ name = "Unusual Linux User Discovery Activity" risk_score = 21 rule_id = "59756272-1998-4b8c-be14-e287035c4d10" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index 6818f720d45..9d4ac076c7f 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml +++ b/rules/ml/execution_ml_windows_anomalous_script.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -24,35 +26,28 @@ machine_learning_job_id = ["v3_windows_anomalous_script"] name = "Suspicious Powershell Script" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"] risk_score = 21 rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Execution", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] + id = "T1059.001" + name = "PowerShell" + reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +reference = "https://attack.mitre.org/tactics/TA0002/" \ No newline at end of file 
diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml index 5c318758f9f..62b9e5aa4e5 100644 --- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml @@ -2,7 +2,9 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 @@ -45,15 +47,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "745b0119-0560-43ba-860a-7235dd8cee8d" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -66,4 +62,3 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml index 5a1520d9f3b..8246bb11033 100644 --- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml +++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 @@ -23,14 +25,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -43,4 +40,3 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml index 18af4302fd7..d8d0e3fb33c 100644 --- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml 
@@ -2,15 +2,17 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of -detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has -left the organization) that becomes active may be due to credentialed access using a compromised account password. +detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user +has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application. """ false_positives = [ @@ -52,15 +54,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "138c5dd5-838b-446e-b1ac-c995c7f8108a" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -71,16 +67,12 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml index bc5582d144b..686ef15bb28 100644 --- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml +++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -39,15 +41,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "b347b919-665f-4aac-b9e8-68369bf2340c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml index 7bae0eb9882..ffd6ad72338 100644 --- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml +++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -40,15 +42,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -59,14 +55,11 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml index 66e6ed0a0d2..b5289e0ad42 100644 --- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -33,15 +35,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -53,5 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - +reference = "https://attack.mitre.org/tactics/TA0001/" \ No newline at end of file diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml index e953addcff0..22fb46f5804 100644 --- a/rules/ml/ml_high_count_network_denies.toml +++ b/rules/ml/ml_high_count_network_denies.toml 
@@ -2,23 +2,25 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/27"
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job detected an unusually large spike in network traffic that was denied by network access control
-lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured
-application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to
-connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This
-could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or
-traffic floods may also produce such a surge in traffic.
+A machine learning job detected an unusually large spike in network traffic that was
+denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by
+either 1) a mis-configured application or firewall or 2) suspicious or malicious activity.
+Unsuccessful attempts at network transit, in order to connect to command-and-control (C2),
+or engage in data exfiltration, may produce a burst of failed connections. This could also
+be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service
+attacks or traffic floods may also produce such a surge in traffic.
 """
 false_positives = [
 """
- A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger
- this alert.
+ A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert.
 """,
 ]
 from = "now-30m"
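Review bot: The false_positives text kept on the new side of this hunk still reads `A misconfgured network application or firewall may trigger this alert.`; the typo sits in analyst-facing guidance for ml_high_count_network_denies and the commit touches that exact line only to re-wrap it, so it is worth correcting here rather than carrying it back: `    A misconfigured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert.` The re-wrapped description on the new side also has very uneven widths (several lines well under 80 columns, one well over 100), which is cosmetic but suggests the text was hand-edited rather than produced by the repository's formatter; if the formatter is expected to own this file, running it once would settle both.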
@@ -30,6 +32,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa"
 severity = "low"
-tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
 type = "machine_learning"
-
diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml
index 1218c64e54e..6679f414745 100644
--- a/rules/ml/ml_high_count_network_events.toml
+++ b/rules/ml/ml_high_count_network_events.toml
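Review bot: The restored tags line ends with `"Rule Type: Machine Learning", ]`, a dangling comma followed by a space before the closing bracket. TOML permits a trailing comma in an array, so this parses, but it is inconsistent with every other single-line `tags = [...]` array restored in this commit, and the same `, ]` form recurs on the new side of the network_events, Linux network activity, packetbeat rare-server-domain and rare-destination-country hunks below. I would write `tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"]`, which is also what the old side had, so that the only real change in this hunk is the removed trailing blank line; if the formatter that produced the old side is the intended source of truth, the `, ]` spelling is a sign these files were hand-edited.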
@@ -2,22 +2,25 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a -surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a -burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. -Denial-of-service attacks or traffic floods may also produce such a surge in traffic. +A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, +if not caused by a surge in business activity, can be due to suspicious or malicious activity. +Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually +large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may +also produce such a surge in traffic. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this - alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network - application or firewall may trigger this alert. + Business workflows that occur very occasionally, and involve an unusual surge in network traffic, + can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. + A misconfigured network application or firewall may trigger this alert. """, ] from = "now-30m" 
@@ -29,6 +32,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" - diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index 97ddd9a53ec..b1e96b6762a 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -32,12 +34,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index 8b0838f66cb..c27a15a5c57 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -22,12 +24,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index f8623cc1f77..4dcc51b2f79 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 @@ -31,6 +33,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index b496dfbd435..875c9fe0987 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml 
@@ -2,26 +2,30 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, -persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing -email or opens a malicious document, a request may be sent to download and run a payload from a server in a country -which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms -may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual -destination country for the source network. +A machine learning job detected a rare destination country name in the network logs. +This can be due to initial access, persistence, command-and-control, or exfiltration activity. +For example, when a user clicks on a link in a phishing email or opens a malicious document, +a request may be sent to download and run a payload from a server in a country which does not +normally appear in network traffic or business work-flows. Malware instances and persistence +mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, +which may be an unusual destination country for the source network. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve a business relationship with an organization in a - country that does not routinely appear in network events, can trigger this alert. 
A new business workflow with an - organization in a country with which no workflows previously existed may trigger this alert - although the model - will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business - travelers who roam to many countries for brief periods may trigger this alert. + Business workflows that occur very occasionally, and involve a business relationship with an + organization in a country that does not routinely appear in network events, can trigger this alert. + A new business workflow with an organization in a country with which no workflows previously + existed may trigger this alert - although the model will learn that the new destination country + is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many + countries for brief periods may trigger this alert. """, ] from = "now-30m" @@ -33,6 +37,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" - diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 9066dda2475..7e7d8b45901 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml @@ -2,7 +2,9 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 
@@ -16,10 +18,10 @@ infrastructure in their country of origin, which may be an unusual destination c """ false_positives = [ """ - Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination - country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may - trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they - engage in volumetric network activity. + Business workflows that occur very occasionally, and involve an unusual surge in network traffic + to one destination country, can trigger this alert. A new business workflow or a surge in business + activity in a particular country may trigger this alert. Business travelers who roam to many + countries for brief periods may trigger this alert if they engage in volumetric network activity. """, ] from = "now-30m" @@ -68,6 +70,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "c7db5533-ca2a-41f6-a8b0-ee98abe0f573" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" - diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 56b7637a327..33889273961 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -35,12 +37,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml index 8de5f286491..75f0ca41666 100644 --- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -64,31 +66,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "647fc812-7996-4795-8869-9c4ea595fe88" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique.subtechnique]] + id = "T1543.003" + name = "Windows Service" + reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml index 224077d6f73..a5e44c9f7f6 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
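Review bot: The `[[rule.threat.technique.subtechnique]]` block kept on the new side of this hunk maps a Linux rule (tagged `OS: Linux`, integrations `auditd_manager`/`endpoint`) to `T1543.003` Windows Service, while the sibling Linux rule in persistence_ml_rare_process_by_host_linux.toml maps the same technique to `T1543.002` Systemd Service. The mapping is present on both sides, so the revert does not introduce it, but it reads like a copy from the Windows variant and will mis-attribute this rule in ATT&CK coverage views. If Systemd Service is the intended subtechnique, the three lines become `id = "T1543.002"`, `name = "Systemd Service"`, `reference = "https://attack.mitre.org/techniques/T1543/002/"`; otherwise the subtechnique block could be dropped and the mapping left at the T1543 technique level.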
@@ -64,30 +66,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "46f804f5-b289-43d6-a881-9387cf594f75" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" + [[rule.threat.technique.subtechnique]] + id = "T1543.002" + name = "Systemd Service" + reference = "https://attack.mitre.org/techniques/T1543/002/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +reference = "https://attack.mitre.org/tactics/TA0003/" \ No newline at end of file diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index 280215b6f2f..93bfc627f4e 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml 
@@ -2,33 +2,26 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] -[[transform.osquery]] -label = "Osquery - Retrieve DNS Cache" -query = "SELECT * FROM dns_cache" - -[[transform.osquery]] -label = "Osquery - Retrieve All Services" -query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" - -[[transform.osquery]] -label = "Osquery - Retrieve Services Running on User Accounts" -query = """ -SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE -NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR -user_account == null) -""" + [[transform.osquery]] + label = "Osquery - Retrieve DNS Cache" + query = "SELECT * FROM dns_cache" -[[transform.osquery]] -label = "Retrieve Service Unisgned Executables with Virustotal Link" -query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, -services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = -authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' -""" + [[transform.osquery]] + label = "Osquery - Retrieve All Services" + query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + + [[transform.osquery]] + label = "Osquery - Retrieve Services Running on User Accounts" + query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR user_account == null)" + [[transform.osquery]] + label = "Retrieve Service Unisgned Executables with Virustotal Link" + query = "SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'" [rule] anomaly_threshold = 50 @@ -114,28 +107,22 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique.subtechnique]] + id = "T1543.003" + name = "Windows Service" + reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml index dbcb5d48cfd..b326a14ace5 100644 --- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml +++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml 
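Review bot: The `Osquery - Retrieve Services Running on User Accounts` query on the new side ends its predicate with `user_account == null`; under SQLite's three-valued logic (osquery's SQL engine) a comparison with NULL yields NULL rather than true, so `NOT (... OR user_account == null)` evaluates to NULL for every row and the query is expected to return nothing. The intended test is an `IS NULL` check, i.e. the query string should end `... OR user_account IS NULL)"`. The same hunk also keeps the label typo `Retrieve Service Unisgned Executables with Virustotal Link` (`Unisgned` → `Unsigned`). Both points are on the old side as well, so the revert does not introduce them, but they are worth a follow-up since these queries are what an analyst runs from the investigation guide.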
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -29,28 +31,22 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Tactic: Execution", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique.subtechnique]] + id = "T1543.003" + name = "Windows Service" + reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" @@ -62,12 +58,13 @@ framework = "MITRE ATT&CK" id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" + [[rule.threat.technique.subtechnique]] + id = "T1204.002" + name = "Malicious File" + reference = "https://attack.mitre.org/techniques/T1204/002/" + [rule.threat.tactic] id = "TA0002" 
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml index b3a28a2b751..dd5bcb42486 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] @@ -114,15 +116,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Tactic: Execution", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index e7d43de5ed1..f6c91534371 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] 
@@ -117,15 +119,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index ebd2420f362..301458aaeb3 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -27,30 +29,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique.subtechnique]] + id = "T1543.003" + name = "Windows Service" + reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml index adc9dacabe5..93d94089aa8 100644 --- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 
@@ -25,14 +27,7 @@ name = "Unusual Sudo Activity" risk_score = 21 rule_id = "1e9fc667-9ff1-4b33-9f40-fefca8537eb0" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Privilege Escalation", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 62175943783..9aa047528d8 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -27,20 +29,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Privilege Escalation", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file 
diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml index ca7bed0a274..03c4d43ef56 100644 --- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml +++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -26,30 +28,22 @@ name = "Anomalous Linux Compiler Activity" risk_score = 21 rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Resource Development", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Resource Development"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1588" name = "Obtain Capabilities" reference = "https://attack.mitre.org/techniques/T1588/" -[[rule.threat.technique.subtechnique]] -id = "T1588.001" -name = "Malware" -reference = "https://attack.mitre.org/techniques/T1588/001/" - + [[rule.threat.technique.subtechnique]] + id = "T1588.001" + name = "Malware" + reference = "https://attack.mitre.org/techniques/T1588/001/" [rule.threat.tactic] id = "TA0042" name = "Resource Development" -reference = "https://attack.mitre.org/tactics/TA0042/" - +reference = "https://attack.mitre.org/tactics/TA0042/" \ No newline at end of file 
diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml index 832e6fb03bd..276db49d014 100644 --- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml +++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/01" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml index be14096630a..de552073757 100644 --- a/rules/network/command_and_control_cobalt_strike_beacon.toml +++ b/rules/network/command_and_control_cobalt_strike_beacon.toml @@ -2,7 +2,9 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/16" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml index 6086b36e1b0..facaf30f05a 100644 --- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml +++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/05" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/01" [rule] author = ["Elastic"] 
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml index 22f2f919a57..fbade0aa655 100644 --- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml +++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml @@ -2,7 +2,9 @@ creation_date = "2020/07/02" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/01" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml index 5766270a1ac..f4e43921e1c 100644 --- a/rules/network/command_and_control_fin7_c2_behavior.toml +++ b/rules/network/command_and_control_fin7_c2_behavior.toml @@ -2,7 +2,9 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml index db956efc006..3cbbd7070eb 100644 --- a/rules/network/command_and_control_halfbaked_beacon.toml +++ b/rules/network/command_and_control_halfbaked_beacon.toml @@ -2,7 +2,9 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/16" [rule] author = ["Elastic"] 
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index 94a0c475033..8c76d249a3d 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/17" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index d25a8aeb18b..8f2fdafa60d 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/18" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index 6cfbbf0697e..1b1cc835db8 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/17" [rule] author = ["Elastic"] 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index d410f7aaafd..5c07d16045f 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/17" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index 09da32e8eed..450ea79d329 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/17" [rule] author = ["Elastic"] diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 2fc61ba3226..856e8943d86 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml 
@@ -2,19 +2,21 @@ creation_date = "2023/05/17" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/05" [rule] author = ["Elastic"] -description = """ -This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, -identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. -This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data -theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one -source host to 10 or more destination hosts on commonly used network services. -""" +description = ''' +This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target +network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and +weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized +access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts +from one source host to 10 or more destination hosts on commonly used network services. +''' from = "now-9m" -index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"] +index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*",] language = "kuery" license = "Elastic License v2" max_signals = 5 
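Review bot: The description kept on the new side says the rule checks for connection attempts from one source host to `10 or more destination hosts`, but the `[[rule.threshold.cardinality]]` entry in the later `@@ -71,7 +71,6 @@` hunk of this file sets `field = "destination.ip"` with `value = 100`. One of the two is wrong, and the description is what an analyst reads when triaging the alert; either the text should say `100 or more destination hosts` or the cardinality value should be 10, and I cannot tell from the diff which was intended. Both sides carry the same numbers, so the revert does not introduce the mismatch, but it should be settled before this file is re-published.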
@@ -22,46 +24,44 @@ name = "Potential Network Sweep Detected" risk_score = 21 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d" severity = "low" -tags = [ - "Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring", -] -timestamp_override = "event.ingested" +tags = ["Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring" + ] type = "threshold" +timestamp_override = "event.ingested" query = ''' destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" + [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" - - [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -71,7 +71,6 @@ reference = "https://attack.mitre.org/tactics/TA0043/" field = ["source.ip"] value = 1 [[rule.threshold.cardinality]] + field = "destination.ip" value = 100 - - diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml index 1593f34d2f3..fb8c8d8566d 100644 --- a/rules/network/discovery_potential_port_scan_detected.toml +++ b/rules/network/discovery_potential_port_scan_detected.toml 
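Review bot: The restored `tags` array closes with a lone `]` on its own indented line and omits the trailing comma after the last element, the opposite of the one-element-per-line, trailing-comma layout the commit removes just above it, so a future element append produces a two-line diff. The same shape comes back in discovery_potential_port_scan_detected.toml and discovery_potential_syn_port_scan_detected.toml. Either keep the multi-line form with the closing bracket at column 0 and a trailing comma, or collapse it to one line as the Endgame promotion rules in this patch do: `tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]`.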
@@ -2,18 +2,20 @@ creation_date = "2023/05/17" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/05" [rule] author = ["Elastic"] -description = """ +description = ''' This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a -target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By -mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining +target system or network for open ports, allowing them to identify available services and potential vulnerabilities. +By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further -exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from -one source host to 20 or more destination ports. -""" +exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts +from one source host to 20 or more destination ports. +''' from = "now-9m" index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"] language = "kuery" 
@@ -23,45 +25,44 @@ name = "Potential Network Scan Detected" risk_score = 21 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b" severity = "low" -tags = [ - "Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring", -] -timestamp_override = "event.ingested" +tags = ["Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring" + ] type = "threshold" +timestamp_override = "event.ingested" query = ''' destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" + [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" - - [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -70,8 +71,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/" [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 + [[rule.threshold.cardinality]] field = "destination.port" value = 250 - - diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml index f5a5dca5273..2ad59638ed8 100644 --- a/rules/network/discovery_potential_syn_port_scan_detected.toml +++ b/rules/network/discovery_potential_syn_port_scan_detected.toml 
@@ -2,18 +2,20 @@ creation_date = "2023/05/17" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/05" [rule] author = ["Elastic"] -description = """ +description = ''' This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a -target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this -method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch -targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading -to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts -from one source host to 10 or more destination ports using 2 or less packets per port. -""" +target network for open ports by sending SYN packets to multiple ports and observing the response. +Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, +allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its +security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic +to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. +''' from = "now-9m" index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"] language = "kuery" 
@@ -23,45 +25,44 @@ name = "Potential SYN-Based Network Scan Detected" risk_score = 21 rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409" severity = "low" -tags = [ - "Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring", -] -timestamp_override = "event.ingested" +tags = ["Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring" + ] type = "threshold" +timestamp_override = "event.ingested" query = ''' destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" + [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" - - [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -70,8 +71,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/" [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 + [[rule.threshold.cardinality]] field = "destination.port" value = 250 - - diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 1d7743ba002..3dcd1d6438f 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/17" [rule] author = ["Elastic"] diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index 0f11c90843c..ce2e6f9b0c3 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -2,7 +2,10 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/17" + [rule] author = ["Elastic"] diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index cdb0744ec99..78207358281 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -2,7 +2,10 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/17" + [rule] author = ["Elastic"] diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index 8f51cb76b9c..fa1a06c6aba 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml 
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/11" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/16" [rule] author = ["Elastic"] diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml index 38b0ec200b3..ad311c66b4c 100644 --- a/rules/network/lateral_movement_dns_server_overflow.toml +++ b/rules/network/lateral_movement_dns_server_overflow.toml @@ -2,7 +2,9 @@ creation_date = "2020/07/16" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/01" [rule] author = ["Elastic"] diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml index a438cc58550..d643f37fbe6 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml 
@@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in -the rule.reference column for additional information. +Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link +in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -30,26 +32,24 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" -[[rule.threat.technique.subtechnique]] -id = "T1003.001" -name = "LSASS Memory" -reference = "https://attack.mitre.org/techniques/T1003/001/" - + [[rule.threat.technique.subtechnique]] + id = "T1003.001" + name = "LSASS Memory" + reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index 54622033143..08734f9dda1 100644 
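Review bot: The restored `[[rule.threat.technique.subtechnique]]` table and its three keys are indented with leading spaces while the sibling `[[rule.threat.technique]]` and `[rule.threat.tactic]` tables of the same `[[rule.threat]]` entry start at column 0. TOML ignores leading whitespace, so the compiled rule is unchanged, but the indentation suggests a nesting the format does not express and it is the only indented table in this patch's promotion rules. The same indentation returns in credential_access_endgame_cred_dumping_prevented.toml; keep every table header flush left, `[[rule.threat.technique.subtechnique]]` followed by `id = "T1003.001"`, to match the other Endgame rules.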
--- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml @@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in -the rule.reference column for additional information. +Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link +in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] 
@@ -30,29 +32,26 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" -[[rule.threat.technique.subtechnique]] -id = "T1003.001" -name = "LSASS Memory" -reference = "https://attack.mitre.org/techniques/T1003/001/" - + [[rule.threat.technique.subtechnique]] + id = "T1003.001" + name = "LSASS Memory" + reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index 37dae90c425..8866e3f788d 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml 
@@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in -the rule.reference column for additional information. +Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the +link in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -30,8 +32,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index cbf07ce6b21..c8865ab255e 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -30,8 +32,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index d00be854558..22c4fdbc579 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -30,8 +32,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index 917f0ab088b..58870383f83 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml 
@@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -30,8 +32,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index d6e5e4b7667..f8509c3a851 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -30,8 +32,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) 
diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index 891c48a3e07..fff5c779778 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -29,20 +31,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" -tags = [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Privilege Escalation", -] -timestamp_override = "event.ingested" +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" @@ -50,6 +46,7 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -57,9 +54,7 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file 
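Review bot: The new side of the last hunk ends `reference = "https://attack.mitre.org/tactics/TA0004/"` marked `\ No newline at end of file`, so the revert strips the terminating newline from execution_endgame_exploit_detected.toml. Most linters and pre-commit end-of-file hooks flag a missing final newline, and the next edit to this file will carry a spurious one-line diff on that line. The same happens in execution_endgame_exploit_prevented.toml, privilege_escalation_endgame_permission_theft_prevented.toml and privilege_escalation_endgame_process_injection_detected.toml; keep the final newline and drop only the surplus blank line the commit removes.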
diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 8d924b7e725..b9e85a7bde9 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -29,20 +31,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" -tags = [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Privilege Escalation", -] -timestamp_override = "event.ingested" +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" @@ -50,6 +46,7 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -57,9 +54,7 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file 
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index 1eb2d1a0d7d..8f657c450fb 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/07/08" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -10,15 +12,7 @@ description = """ Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. """ -index = [ - "apm-*-transaction*", - "traces-apm*", - "auditbeat-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*", -] +index = ["apm-*-transaction*", "traces-apm*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] language = "kuery" license = "Elastic License v2" max_signals = 10000 @@ -53,25 +47,25 @@ value = "" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -severity = "low" value = "21" +severity = "low" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -severity = "medium" value = "47" +severity = "medium" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -severity = "high" value = "73" +severity = "high" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -severity = "critical" value = "99" +severity = "critical" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index 8155bb2f92e..caef5f6abe9 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml 
@@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link -in the rule.reference column for additional information. +Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the +link in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,9 +46,9 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index 3d28513a582..b9ddee16d41 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml 
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml @@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link -in the rule.reference column for additional information. +Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the +link in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,9 +46,7 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index 2e8870a4bed..0a81cdd2fe7 100644 
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the -rule.reference column for additional information. +Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,9 +46,7 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - 
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 24e914d7863..5c4cd362f22 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the -rule.reference column for additional information. +Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -45,9 +46,7 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index 1eea20d6f70..430a3a2c8ae 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the -rule.reference column for additional information. +Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] 
@@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,9 +46,7 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index 8b96514519b..3451dafac36 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml 
@@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in -the rule.reference column for additional information. +Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link +in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,9 +46,7 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml index 6999edfe0cc..b035f8891dc 100644 --- a/rules/windows/collection_email_outlook_mailbox_via_com.toml +++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml 
@@ -2,13 +2,15 @@
 creation_date = "2023/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.4.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may
-target user email to collect sensitive information or send email on their behalf via API.
+Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect
+sensitive information or send email on their behalf via API.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.process*"]
@@ -21,13 +23,7 @@ references = [
 risk_score = 47
 rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"]
 type = "eql"
 
 query = '''
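Review bot: The restored `min_stack_version = "8.4.0"` in collection_email_outlook_mailbox_via_com.toml is paired with the same `min_stack_comments = "New fields added: required_fields, related_integrations, setup"` that accompanies `8.3.0` in every other rule in this patch, so the comment does not justify the higher floor. If this rule genuinely needs 8.4 (presumably a field or feature absent in 8.3 — not determinable from the hunk), the comment should name that reason, e.g. `min_stack_comments = "Requires 8.4: <feature this rule depends on>"`; if not, the value should match its siblings at `8.3.0`. Because this is a revert it only reinstates prior state, but the mismatch is worth resolving before the next version-lock update. Separately, the restored first description line now runs well past the wrapped width the rest of the file uses.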
@@ -55,32 +51,34 @@ framework = "MITRE ATT&CK" id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" reference = "https://attack.mitre.org/techniques/T1114/001/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 28a89c21a4a..b31607b495e 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] 
@@ -12,14 +14,7 @@ mailbox or archive to a .pst file. Adversaries may target user email to collect """ false_positives = ["Legitimate exchange system administration activity."] from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Exporting Exchange Mailbox via PowerShell" @@ -79,17 +74,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" @@ -122,6 +107,7 @@ reference = "https://attack.mitre.org/techniques/T1114/002/" id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 83b9dd436a5..cf05245b64e 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml 
@@ -2,7 +2,9 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -73,14 +75,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
index 31e807680ad..b6f3ca45e0c 100644
--- a/rules/windows/collection_posh_keylogger.toml
+++ b/rules/windows/collection_posh_keylogger.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -78,14 +80,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml
index b0ce9e211c5..55925895ec6 100644
--- a/rules/windows/collection_posh_mailbox.toml
+++ b/rules/windows/collection_posh_mailbox.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -79,14 +81,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml
index bf6cba3bc82..ac8582774c2 100644
--- a/rules/windows/collection_posh_screen_grabber.toml
+++ b/rules/windows/collection_posh_screen_grabber.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -74,14 +76,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml
index 1def216d61c..f695abe94bf 100644
--- a/rules/windows/collection_posh_webcam_video_capture.toml
+++ b/rules/windows/collection_posh_webcam_video_capture.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/18"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -15,9 +17,7 @@ index = ["winlogbeat-*", "logs-windows.powershell*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "PowerShell Script with Webcam Video Capture Capabilities"
-references = [
- "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py",
-]
+references = ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"]
 risk_score = 47
 rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43"
 setup = """## Setup
@@ -39,13 +39,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 9c69091a8f2..723a176a9ac 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -59,15 +61,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -97,11 +91,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1005" -name = "Data from Local System" -reference = "https://attack.mitre.org/techniques/T1005/" - [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" @@ -111,6 +100,11 @@ id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + [rule.threat.tactic] diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index ceaf3e4b869..81677f328ac 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml @@ -2,7 +2,9 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] 
@@ -29,21 +31,13 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ -Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a -remote URL. +Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Potential File Transfer via Certreq" @@ -104,16 +98,7 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"] risk_score = 47 rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Command and Control", - "Tactic: Exfiltration", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -135,6 +120,8 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -147,6 +134,7 @@ reference = "https://attack.mitre.org/techniques/T1218/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -154,7 +142,6 @@ id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index f294ae46563..d7592550d09 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/10" [transform] [[transform.osquery]] diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index 0c1b178a324..d16761b8f6e 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ This rule identifies a large number (15) of nslookup.exe executions with an expl may indicate command and control activity utilizing the DNS protocol. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Potential DNS Tunneling via NsLookup" @@ -66,7 +62,7 @@ tags = [ "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] type = "eql" @@ -88,13 +84,11 @@ id = "T1071.004" name = "DNS" reference = "https://attack.mitre.org/techniques/T1071/004/" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml index 798d6db68e5..de1adf85abd 100644 --- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -26,14 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml index f435dd9dd0a..8c844b616e4 100644 --- a/rules/windows/command_and_control_headless_browser.toml +++ b/rules/windows/command_and_control_headless_browser.toml @@ -2,7 +2,10 @@ creation_date = "2024/05/10" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/10" + [rule] author = ["Elastic"] @@ -11,13 +14,7 @@ Identifies the use of a browser to download a file from a remote URL and from a may use browsers to avoid ingress tool transfer restrictions. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Potential File Download via a Headless Browser" 
@@ -49,16 +46,7 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Msedge/"] risk_score = 73 rule_id = "5f2f463e-6997-478c-8405-fb41cc283281" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Windows", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Windows", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -85,4 +73,3 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index 79424244132..7c6e094806e 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -20,13 +22,7 @@ name = "Potential Command and Control via Internet Explorer" risk_score = 47 rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] type = "eql" query = ''' 
diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml index d0be4efa74a..372f5589dbc 100644 --- a/rules/windows/command_and_control_ingress_transfer_bits.toml +++ b/rules/windows/command_and_control_ingress_transfer_bits.toml @@ -2,7 +2,9 @@ creation_date = "2023/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -29,11 +31,10 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ -Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). +Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads. """ from = "now-9m" @@ -114,14 +115,7 @@ references = ["https://attack.mitre.org/techniques/T1197/"] risk_score = 21 rule_id = "f95972d3-c23b-463b-89a8-796b3f369b49" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Command and Control", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -157,6 +151,8 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -169,4 +165,3 @@ reference = "https://attack.mitre.org/techniques/T1197/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml index c4ba502002c..a317700b84c 100644 --- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml +++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml @@ -2,7 +2,9 @@ creation_date = "2023/04/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" +min_stack_version = "8.4.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -13,17 +15,12 @@ when a process is started whose name or code signature resembles commonly abused indicating the host has not seen this RAT process started before within the last 30 days. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "endgame-*", - "winlogbeat-*", - "logs-windows.*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "endgame-*", "winlogbeat-*", "logs-windows.*", "logs-system.security*"] language = "kuery" license = "Elastic License v2" name = "First Time Seen Commonly Abused Remote Access Tool Execution" -note = """## Triage and analysis +note = """ +## Triage and analysis ### Investigating First Time Seen Commonly Abused Remote Access Tool Execution 
@@ -59,20 +56,12 @@ This rule detects when a remote access tool is seen in the environment for the f references = [ "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://attack.mitre.org/techniques/T1219/", - "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json", + "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json" ] risk_score = 47 rule_id = "6e1a2cc4-d260-11ed-8829-f661ea17fbcc" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index 2437a7dedaf..0db2f71ea81 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ Identifies the creation of a new port forwarding rule. An adversary may abuse th segmentation restrictions. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.registry-*", - "logs-windows.sysmon_operational-*", - "endgame-*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Port Forwarding Rule Addition" @@ -86,7 +82,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: SentinelOne", + "Data Source: SentinelOne" ] timestamp_override = "event.ingested" type = "eql" @@ -112,6 +108,7 @@ reference = "https://attack.mitre.org/techniques/T1572/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -119,7 +116,6 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index c89ed31c685..1499e8c0dd8 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] 
@@ -11,14 +13,7 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T enable routing of network packets that would otherwise not reach their intended destination. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Desktop Tunneling Detected" @@ -77,7 +72,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: SentinelOne", + "Data Source: SentinelOne" ] timestamp_override = "event.ingested" type = "eql" @@ -102,6 +97,7 @@ reference = "https://attack.mitre.org/techniques/T1572/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -119,4 +115,3 @@ reference = "https://attack.mitre.org/techniques/T1021/004/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index 80a061822cb..1ebdb84c2b9 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] 
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index 96ac992cd70..42c16fe3f07 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index 27a223a2d66..092dbd69dd2 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/04/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 40905e4241c..26e228aa908 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/04/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] 
@@ -37,12 +39,7 @@ Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) bei from a remote destination. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.network-*", - "logs-endpoint.events.file-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Remote File Download via Script Interpreter" @@ -99,16 +96,7 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr risk_score = 47 rule_id = "1d276579-3380-4095-ad38-e596a01bc64f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -132,6 +120,7 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml index 0deeef487c3..6fb210442f4 100644 --- a/rules/windows/command_and_control_screenconnect_childproc.toml +++ b/rules/windows/command_and_control_screenconnect_childproc.toml 
@@ -2,29 +2,23 @@ creation_date = "2024/03/27" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" + [rule] author = ["Elastic"] description = """ -Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate -execution abusing unauthorized access to the ScreenConnect remote access software. +Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution +abusing unauthorized access to the ScreenConnect remote access software. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", - "logs-system.security*", - "endgame-*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious ScreenConnect Client Child Process" -references = [ - "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", -] +references = ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"] risk_score = 47 rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546" severity = "medium" @@ -37,7 +31,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: SentinelOne", + "Data Source: SentinelOne" ] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml index fd34ad33bac..d1c62d1fc43 100644 --- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml +++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -97,14 +99,7 @@ references = [ risk_score = 73 rule_id = "22599847-5d13-48cb-8872-5796fee8692b" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index d7526688acf..b5c92ad1e3b 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] 
@@ -88,9 +90,7 @@ TeamViewer is a remote access and remote control tool used by helpdesks and syst - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = [ - "http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html", -] +references = ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"] risk_score = 47 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee" setup = """## Setup @@ -109,7 +109,7 @@ tags = [ "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml index c917c234ff0..2efd54755c8 100644 --- a/rules/windows/credential_access_adidns_wildcard.toml +++ b/rules/windows/credential_access_adidns_wildcard.toml @@ -2,7 +2,9 @@ creation_date = "2024/03/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/26" [rule] author = ["Elastic"] 
@@ -11,8 +13,7 @@ Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match -records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS -spoofing. +records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] @@ -21,7 +22,7 @@ license = "Elastic License v2" name = "Potential ADIDNS Poisoning via Wildcard Record Creation" references = [ "https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/", - "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing", + "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing" ] risk_score = 73 rule_id = "8f242ffb-b191-4803-90ec-0f19942e17fd" @@ -54,7 +55,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", - "Use Case: Active Directory Monitoring", + "Use Case: Active Directory Monitoring" ] timestamp_override = "event.ingested" type = "eql" @@ -73,6 +74,7 @@ name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml index 3fbdbc21801..1862372c9e1 100644 --- a/rules/windows/credential_access_bruteforce_admin_account.toml 
+++ b/rules/windows/credential_access_bruteforce_admin_account.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -103,13 +105,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml index 401b9edca43..72152568381 100644 --- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml +++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] 
@@ -107,13 +109,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml index 008bf363ef3..ec73c39053f 100644 --- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml +++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ 
@@ -97,10 +98,10 @@ This rule identifies potential password guessing/brute force activity from a sin - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", - "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", - "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", + "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", + "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638", ] risk_score = 47 rule_id = "48b6edfc-079d-4907-b43c-baffa243270d" @@ -109,13 +110,7 @@ setup = """## Setup - In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert. """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] type = "eql" query = ''' 
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index bf507361849..ae6317cf163 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml +++ b/rules/windows/credential_access_cmdline_dump_tool.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies the execution of known Windows utilities often abused to dump LSASS m (NTDS.dit) in preparation for credential access. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Potential Credential Access via Windows Utilities" @@ -75,7 +71,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" @@ -138,6 +134,7 @@ reference = "https://attack.mitre.org/techniques/T1003/003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index adeb495cf61..c456ca719ca 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic", "Austin Songer"] description = """ @@ -37,13 +38,7 @@ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o Those files contain sensitive information including hashed domain and/or local credentials. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -120,14 +115,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index 55c55eb6b13..31b2b52835a 100644 
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/04/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] @@ -38,12 +40,7 @@ credential management. This technique is sometimes used for credential dumping. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.library-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Potential Credential Access via Trusted Developer Utility" @@ -103,16 +100,7 @@ This rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, risk_score = 73 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -129,6 +117,7 @@ framework = "MITRE ATT&CK" id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" 
@@ -144,12 +133,11 @@ id = "T1555.004" name = "Windows Credential Manager" reference = "https://attack.mitre.org/techniques/T1555/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml index 02e0d783a19..920ae22025c 100644 --- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml +++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml @@ -2,14 +2,16 @@ creation_date = "2022/12/19" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" +min_stack_version = "8.4.0" +updated_date = "2024/01/29" [rule] author = ["Elastic"] description = """ -This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers -can use the DCSync technique to get credential information of individual accounts or the entire domain, thus -compromising the entire domain. +This rule identifies when a User Account starts the Active Directory Replication Process for the first time. +Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, +thus compromising the entire domain. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] 
@@ -80,16 +82,7 @@ Audit Directory Service Access (Success,Failure) ``` """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -104,23 +97,26 @@ event.action:("Directory Service Access" or "object-operation-performed") and ev [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" -name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" -[[rule.threat.technique.subtechnique]] -id = "T1003.006" -name = "DCSync" -reference = "https://attack.mitre.org/techniques/T1003/006/" +name = "OS Credential Dumping" + [[rule.threat.technique.subtechnique]] + id = "T1003.006" + reference = "https://attack.mitre.org/techniques/T1003/006/" + name = "DCSync" [rule.threat.tactic] id = "TA0006" -name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +name = "Credential Access" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -140,8 +136,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserName"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-15d" - - diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index 8fbe4cfa043..d5123d71fdf 100644 
--- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml @@ -2,7 +2,9 @@ creation_date = "2022/02/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/29" [rule] author = ["Elastic"] @@ -88,7 +90,7 @@ tags = [ "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", + "Use Case: Active Directory Monitoring" ] timestamp_override = "event.ingested" type = "eql" @@ -138,8 +140,11 @@ reference = "https://attack.mitre.org/techniques/T1003/006/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml index c181c9b2483..0d845d4645b 100644 --- a/rules/windows/credential_access_disable_kerberos_preauth.toml +++ b/rules/windows/credential_access_disable_kerberos_preauth.toml @@ -2,7 +2,9 @@ creation_date = "2022/01/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -68,17 +70,7 @@ Audit User Account Management (Success,Failure) ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] timestamp_override = "event.ingested" type = "query" @@ -104,8 +96,11 @@ reference = "https://attack.mitre.org/techniques/T1558/004/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -116,8 +111,11 @@ reference = "https://attack.mitre.org/techniques/T1562/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml index 38220bc9131..2f42ee0b833 100644 --- a/rules/windows/credential_access_dnsnode_creation.toml +++ b/rules/windows/credential_access_dnsnode_creation.toml @@ -2,7 +2,9 @@ creation_date = "2024/03/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/26" [rule] author = ["Elastic"] 
@@ -21,7 +23,7 @@ license = "Elastic License v2" name = "Creation of a DNS-Named Record" references = [ "https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/", - "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing", + "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing" ] risk_score = 21 rule_id = "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc" @@ -54,7 +56,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", - "Use Case: Active Directory Monitoring", + "Use Case: Active Directory Monitoring" ] timestamp_override = "event.ingested" type = "eql" @@ -74,6 +76,7 @@ name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index b1ad6d1b7c6..6b619d79721 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ Identifies the creation or modification of Domain Backup private keys. Adversari
 (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation or Modification of Domain Backup DPAPI private key"
@@ -40,16 +36,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 4af9d346d8e..93eeb99a1b4 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -2,19 +2,15 @@ creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
 description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool."
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Credential Acquisition via Registry Hive Dumping"
@@ -79,7 +75,7 @@ tags = [
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml
index 8705924470f..016c83147fe 100644
--- a/rules/windows/credential_access_generic_localdumps.toml
+++ b/rules/windows/credential_access_generic_localdumps.toml
@@ -2,7 +2,9 @@ creation_date = "2022/08/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -26,15 +28,7 @@ references = [
 risk_score = 47
 rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index cfc6135483a..8bb38df6f9b 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -2,7 +2,9 @@ creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be
 with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -34,14 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index cf304647967..6dfa8a0d359 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -2,7 +2,9 @@ creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ access via a webshell or alike can decrypt and dump any hardcoded connection str
 password using aspnet_regiis command.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -38,14 +34,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 9b74a09385e..bf21ea7518b 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -2,7 +2,9 @@ creation_date = "2020/11/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
@@ -110,14 +112,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
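Review bot: The restored `[metadata]` block of credential_access_kerberoasting_unusual_process.toml lists `updated_date` before `min_stack_comments` and `min_stack_version`, whereas every other file in this revert keeps those keys in sorted order (`min_stack_comments`, `min_stack_version`, `updated_date`); the same drift shows in the first hunk of credential_access_lsass_loaded_susp_dll.toml, where `integration` is moved to sit after `maturity`. Since a revert restores whatever the pre-image held, this is presumably historical rather than intentional, but the next formatting pass over these files will likely reorder the keys and produce a noisy diff with no semantic change. If the ordering is meant to be normalised now, the three lines would read `min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, `min_stack_version = "8.3.0"`, `updated_date = "2024/03/28"`, matching the sibling files.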
diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml
index a1d09edb75b..60bbd78577c 100644
--- a/rules/windows/credential_access_kirbi_file.toml
+++ b/rules/windows/credential_access_kirbi_file.toml
@@ -2,7 +2,9 @@ creation_date = "2023/08/23"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [rule]
 author = ["Elastic"]
@@ -12,26 +14,14 @@ Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as P
 attacker to impersonate users using Kerberos tickets.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kirbi File Creation"
 risk_score = 47
 rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -53,6 +43,7 @@ name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml
index 7e9ca44a12d..74860002414 100644
--- a/rules/windows/credential_access_ldap_attributes.toml
+++ b/rules/windows/credential_access_ldap_attributes.toml
@@ -2,7 +2,9 @@ creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -39,15 +41,7 @@ Audit Directory Service Access (Success,Failure)
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Privilege Escalation",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -95,12 +89,11 @@ id = "T1552.004"
 name = "Private Keys"
 reference = "https://attack.mitre.org/techniques/T1552/004/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index 414ba86564e..823684db598 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -2,7 +2,9 @@ creation_date = "2022/06/29"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -28,13 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
index dcb0c455ce6..3a59f2ce86d 100644
--- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml
+++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2022/12/28"
-integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+integration = ["endpoint"]
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -16,7 +18,10 @@ index = ["logs-endpoint.events.library-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Module Loaded by LSASS"
-references = ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"]
+references = [
+ "https://blog.xpnsec.com/exploring-mimikatz-part-2/",
+ "https://github.com/jas502n/mimikat_ssp"
+]
 risk_score = 47
 rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97"
 setup = """## Setup
@@ -28,13 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -127,4 +126,3 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index a982b362c06..8fe7c70f118 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -2,7 +2,9 @@ creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -113,7 +115,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
 timeline_title = "Comprehensive File Timeline"
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index ce971d46956..955bd499781 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -2,7 +2,9 @@ creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [transform]
 [[transform.osquery]]
@@ -130,14 +132,9 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 `event.ingested` to @timestamp.
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
+
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
index 7a3135c6e28..97c80885a40 100644
--- a/rules/windows/credential_access_lsass_openprocess_api.toml
+++ b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -2,7 +2,9 @@ creation_date = "2023/03/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: Lsass access events added in Elastic Endpoint 8.7."
+min_stack_version = "8.7.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -29,16 +31,18 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
-description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n"
+description = """
+Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.
+"""
 from = "now-9m"
 index = ["logs-endpoint.events.api-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Process Access via Windows API"
-note = """## Triage and analysis
+note = """
+## Triage and analysis
 ### Investigating LSASS Process Access via Windows API
@@ -105,14 +109,7 @@ references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomic
 risk_score = 47
 rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -180,8 +177,10 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
@@ -192,4 +191,3 @@ reference = "https://attack.mitre.org/techniques/T1106/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index 51290153ab6..be347be509e 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -2,19 +2,15 @@ creation_date = "2020/08/31"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [rule]
 author = ["Elastic"]
 description = "Identifies the password log file from the default Mimikatz memssp module."
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mimikatz Memssp Log File Detected"
@@ -80,7 +76,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne",
+ "Data Source: SentinelOne"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index 03a0f56c4dd..512134c1e76 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -2,7 +2,9 @@ creation_date = "2020/12/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -89,14 +91,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 4ae9a8e2014..0e64e8c5fcf 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -2,7 +2,9 @@ creation_date = "2021/01/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -85,7 +87,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
index 7c1240d4bea..0ab094362f5 100644
--- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
@@ -2,7 +2,9 @@ creation_date = "2022/02/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -61,7 +63,7 @@ tags = [
 "Tactic: Lateral Movement",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index 2a95513aae3..94bacc832fc 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -2,7 +2,9 @@ creation_date = "2021/03/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -105,16 +106,7 @@ references = [
 risk_score = 47
 rule_id = "54c3d186-0461-4dc3-9b33-2dc5c7473936"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
index 244493da593..1b9c456659c 100644
--- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml
+++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
@@ -2,7 +2,9 @@ creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -48,19 +50,12 @@ Invoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that wer
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = [
- "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1",
+ "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"
 ]
 risk_score = 47
 rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -88,15 +83,16 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-[[rule.threat.technique.subtechnique]]
-id = "T1003.002"
-name = "Security Account Manager"
-reference = "https://attack.mitre.org/techniques/T1003/002/"
-[[rule.threat.technique.subtechnique]]
-id = "T1003.003"
-name = "NTDS"
-reference = "https://attack.mitre.org/techniques/T1003/003/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1003.002"
+ name = "Security Account Manager"
+ reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1003.003"
+ name = "NTDS"
+ reference = "https://attack.mitre.org/techniques/T1003/003/"
@@ -104,23 +100,26 @@ reference = "https://attack.mitre.org/techniques/T1003/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1059.001"
+ name = "PowerShell"
+ reference = "https://attack.mitre.org/techniques/T1059/001/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -128,9 +127,7 @@ id = "T1006"
 name = "Direct Volume Access"
 reference = "https://attack.mitre.org/techniques/T1006/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
index 25c3693adec..f2b68cfab2f 100644
--- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml
+++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
@@ -2,7 +2,9 @@ creation_date = "2023/07/26"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -60,7 +62,9 @@ This rule indicates the use of scripts that contain code capable of dumping Kerb
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"]
+references = [
+ "https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1",
+]
 risk_score = 47
 rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56"
 setup = """## Setup
@@ -82,13 +86,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -121,6 +119,7 @@ name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index 801b74645c3..f25b1457076 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -2,7 +2,9 @@ creation_date = "2021/10/05"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -78,14 +80,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml
index 6b8c1c203c0..f3bf6ee056c 100644
--- a/rules/windows/credential_access_posh_relay_tools.toml
+++ b/rules/windows/credential_access_posh_relay_tools.toml
@@ -2,7 +2,9 @@ creation_date = "2024/03/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/27"
 [rule]
 author = ["Elastic"]
@@ -20,7 +22,7 @@ references = [
 "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1",
 "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1",
 "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1",
- "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1",
+ "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"
 ]
 risk_score = 47
 rule_id = "951779c2-82ad-4a6c-82b8-296c1f691449"
@@ -43,14 +45,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Resources: Investigation Guide",
-    "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -75,10 +70,12 @@ name = "Adversary-in-the-Middle"
 reference = "https://attack.mitre.org/techniques/T1557/"
 
 
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -96,6 +93,7 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 1e24dacafd7..02d8a9a5896 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -74,14 +76,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Resources: Investigation Guide",
-    "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml
index e7be3dd4ea0..742e90e81ca 100644
--- a/rules/windows/credential_access_posh_veeam_sql.toml
+++ b/rules/windows/credential_access_posh_veeam_sql.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/14"
 
 [rule]
 author = ["Elastic"]
@@ -16,8 +18,8 @@ language = "kuery"
 license = "Elastic License v2"
 name = "PowerShell Script with Veeam Credential Access Capabilities"
 references = [
-    "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
-    "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/",
+    "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
+    "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"
 ]
 risk_score = 47
 rule_id = "5c602cba-ae00-4488-845d-24de2b6d8055"
@@ -40,13 +42,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -68,13 +64,13 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
 
 
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index f62f2f7b30b..86ab80c45de 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/09/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -27,13 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 7198111d2e0..88573df524b 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/04/30"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies attempt to coerce a local NTLM authentication via HTTP using the Wind
 An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
 """
 from = "now-9m"
-index = [
-    "winlogbeat-*",
-    "logs-endpoint.events.process-*",
-    "logs-windows.*",
-    "endgame-*",
-    "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Local NTLM Relay via HTTP"
@@ -29,15 +25,7 @@ references = [
 risk_score = 73
 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Tactic: Defense Evasion",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion","Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -65,6 +53,7 @@ reference = "https://attack.mitre.org/techniques/T1212/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -76,8 +65,6 @@ id = "T1218.011"
 name = "Rundll32"
 reference = "https://attack.mitre.org/techniques/T1218/011/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index f3fde2b0828..7219cc88bea 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/03/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +76,7 @@ tags = [
     "Tactic: Lateral Movement",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
-    "Data Source: Elastic Defend",
+    "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
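Review bot: The single-line `tags` array added in the first hunk of credential_access_relay_ntlm_auth_via_http_spoolss.toml has no space after the comma between `"Tactic: Defense Evasion"` and `"Data Source: Elastic Endgame"`, while every other collapsed `tags` and `index` array in this diff separates elements with `", "`. TOML accepts it, but the inconsistency will be the one line a formatter or a later bulk rewrite touches again. Suggest `"Tactic: Defense Evasion", "Data Source: Elastic Endgame"` so the line matches the rest of the rule files.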
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index 0516afe2658..73620d2f31b 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index 51f4b0da807..ac77a824edf 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ applications, and networks. An adversary may abuse this to list or dump credenti
 saved usernames and passwords. This may also be performed in preparation of lateral movement.
 """
 from = "now-9m"
-index = [
-    "winlogbeat-*",
-    "logs-endpoint.events.process-*",
-    "logs-windows.*",
-    "endgame-*",
-    "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Searching for Saved Credentials via VaultCmd"
@@ -38,14 +34,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 14298cfb550..85a166a8569 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +85,7 @@ tags = [
     "Tactic: Persistence",
     "Data Source: Active Directory",
     "Resources: Investigation Guide",
-    "Use Case: Active Directory Monitoring",
+    "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -96,24 +98,24 @@ event.action:"Authorization Policy Change" and event.code:4704 and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1558"
 name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
 
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
 
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index 80289225b8b..ae9a46865bd 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -85,15 +87,7 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType W
 ```
 """
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Data Source: Active Directory",
-    "Resources: Investigation Guide",
-    "Use Case: Active Directory Monitoring",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index 08e8f50ed6e..0825930bdd0 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -91,7 +93,7 @@ tags = [
     "Tactic: Credential Access",
     "Data Source: Active Directory",
     "Resources: Investigation Guide",
-    "Use Case: Active Directory Monitoring",
+    "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index 405ac2ab0a9..5329acd6eb0 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -113,14 +114,7 @@ You will need to enable logging of ImageLoads in your Sysmon configuration to in
 File Name.
 """
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Tactic: Defense Evasion",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Sysmon"]
 type = "eql"
 
 query = '''
@@ -151,6 +145,7 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index c01731dfb94..97598b0946f 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -2,11 +2,15 @@
 creation_date = "2023/01/22"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
-description = "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.\n"
+description = """
+Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.
+"""
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
@@ -24,13 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -79,4 +77,3 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index ad39fc43cbb..9aeda8961a0 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -30,14 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Tactic:Execution",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic:Execution", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -74,8 +69,10 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index 7b152155ce7..6d82c6c07cc 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -28,13 +30,7 @@ This is meant to run only on datasources using Elastic Agent 7.14+ since version
 rule cardinality feature.
 """
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "threshold"
 
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index 0e25e99f8c7..6e9b8c90f7e 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -82,16 +84,7 @@ Special Logon (Success)
 ```
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Lateral Movement",
-    "Tactic: Credential Access",
-    "Resources: Investigation Guide",
-    "Use Case: Active Directory Monitoring",
-    "Data Source: Active Directory",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 type = "eql"
 
 query = '''
@@ -122,7 +115,6 @@ name = "LSA Secrets"
 reference = "https://attack.mitre.org/techniques/T1003/004/"
 
 
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 3178c34a607..f53f4c36a00 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/12/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -12,13 +14,7 @@ copy, including sensitive files such as ntds.dit, System Boot Key and browser of
 """
 false_positives = ["Legitimate administrative activity related to shadow copies."]
 from = "now-9m"
-index = [
-    "winlogbeat-*",
-    "logs-endpoint.events.process-*",
-    "logs-windows.*",
-    "endgame-*",
-    "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Symbolic Link to Shadow Copy Created"
@@ -102,7 +98,7 @@ tags = [
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
+    "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -136,7 +132,6 @@ name = "NTDS"
 reference = "https://attack.mitre.org/techniques/T1003/003/"
 
 
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_veeam_backup_dll_imageload.toml b/rules/windows/credential_access_veeam_backup_dll_imageload.toml
index c22dbdbccee..e34bf9c6e40 100644
--- a/rules/windows/credential_access_veeam_backup_dll_imageload.toml
+++ b/rules/windows/credential_access_veeam_backup_dll_imageload.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -19,13 +21,7 @@ name = "Veeam Backup Library Loaded by Unusual Process"
 risk_score = 47
 rule_id = "aaab30ec-b004-4191-95e1-4a14387ef6a6"
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -46,13 +42,13 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
 
 
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml
index e1f9cda0301..5ca51f71353 100644
--- a/rules/windows/credential_access_veeam_commands.toml
+++ b/rules/windows/credential_access_veeam_commands.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/14"
 integration = ["windows", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/14"
 
 [rule]
 author = ["Elastic"]
@@ -11,29 +13,17 @@ Identifies commands that can access and decrypt Veeam credentials stored in MSSQ
 Credentials to target backups as part of destructive operations such as Ransomware attacks.
 """
 from = "now-9m"
-index = [
-    "winlogbeat-*",
-    "logs-endpoint.events.process-*",
-    "logs-windows.*",
-    "endgame-*",
-    "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Veeam Credential Access Command"
-references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]
+references = [
+    "https://thedfirreport.com/2021/12/13/diavol-ransomware/"
+]
 risk_score = 47
 rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Tactic: Credential Access",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -53,13 +43,13 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
 
 
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index a91ceeef23d..52f0314e2e7 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/11/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -32,13 +34,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml
index a119ff10872..f8e76dc7d3c 100644
--- a/rules/windows/credential_access_wireless_creds_dumping.toml
+++ b/rules/windows/credential_access_wireless_creds_dumping.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [transform]
 [[transform.osquery]]
@@ -34,13 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh."
 from = "now-9m"
-index = [
-    "winlogbeat-*",
-    "logs-endpoint.events.process-*",
-    "logs-windows.*",
-    "endgame-*",
-    "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Wireless Credential Dumping using Netsh Command"
@@ -100,7 +96,7 @@ tags = [
     "Tactic: Discovery",
     "Data Source: Elastic Endgame",
     "Resources: Investigation Guide",
-    "Data Source: Elastic Defend",
+    "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index d11eb4a9279..131316e9398 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [transform]
 [[transform.osquery]]
@@ -29,18 +31,11 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
-
 [rule]
 author = ["Elastic"]
 description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
 from = "now-9m"
-index = [
-    "winlogbeat-*",
-    "logs-endpoint.events.process-*",
-    "logs-windows.*",
-    "endgame-*",
-    "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Adding Hidden File Attribute via Attrib"
@@ -100,16 +95,7 @@ This rule looks for the execution of the `attrib.exe` utility with a command lin
 risk_score = 21
 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
 severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Tactic: Persistence",
-    "Data Source: Elastic Endgame",
-    "Resources: Investigation Guide",
-    "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
@@ -124,16 +110,6 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1222"
-name = "File and Directory Permissions Modification"
-reference = "https://attack.mitre.org/techniques/T1222/"
-[[rule.threat.technique.subtechnique]]
-id = "T1222.001"
-name = "Windows File and Directory Permissions Modification"
-reference = "https://attack.mitre.org/techniques/T1222/001/"
-
-
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
@@ -143,6 +119,15 @@ id = "T1564.001"
 name = "Hidden Files and Directories"
 reference = "https://attack.mitre.org/techniques/T1564/001/"
+[[rule.threat.technique]]
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1222.001"
+name = "Windows File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/001/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index 3ffb21410ca..8d05f7533cf 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["windows", "endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [transform]
 [[transform.osquery]]
@@ -37,13 +39,7 @@ Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusu
 attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Antimalware Scan Interface DLL"
@@ -108,7 +104,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne",
+ "Data Source: SentinelOne"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
index 09965632f34..426c4af7270 100644
--- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -97,14 +99,7 @@ references = ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"]
 risk_score = 73
 rule_id = "1f0a69c0-3392-4adf-b7d5-6012fd292da8"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index c4c9d646380..179b65d04a0 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/01"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -88,7 +90,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -106,11 +108,6 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
@@ -120,6 +117,10 @@ id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 02cf01896c1..655e82fbc22 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/11/22"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Austin Songer"]
@@ -11,13 +13,7 @@ Identifies when a user attempts to clear console history. An adversary may clear
 account to conceal the actions undertaken during an intrusion.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Clearing Windows Console History"
@@ -76,7 +72,7 @@ tags = [
 "Tactic: Execution",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -107,6 +103,8 @@ reference = "https://attack.mitre.org/techniques/T1070/003/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 4f102d07c43..57e7f048919 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies attempts to clear or disable Windows event log stores using Windows w
 attackers in an attempt to evade detection or destroy forensic evidence on a system.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Clearing Windows Event Logs"
@@ -71,7 +67,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -108,7 +104,6 @@ name = "Disable Windows Event Logging"
 reference = "https://attack.mitre.org/techniques/T1562/002/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 00c645b62f7..d3107aaaca2 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -49,13 +51,7 @@ This rule looks for the occurrence of clear actions on the `security` event log.
 risk_score = 21
 rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
index 6ab65745a84..6115b3c49a0 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
@@ -2,41 +2,32 @@
 creation_date = "2023/01/31"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
-issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
-authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
 """
 [[transform.osquery]]
 label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
-issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
-authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
 """
-
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to disable/modify the code signing policy through system native utilities. 
Code signing provides
-authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By
-allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.
+Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides
+authenticity on a program, and grants the user with the ability to check whether the program has been tampered with.
+By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Code Signing Policy Modification Through Built-in tools"
@@ -98,7 +89,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -109,7 +100,6 @@ process where host.os.type == "windows" and event.type == "start" and
 process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -127,4 +117,3 @@ reference = "https://attack.mitre.org/techniques/T1553/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
index e78e90576e6..83818ee7c4c 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml 
@@ -2,32 +2,29 @@
 creation_date = "2023/01/31"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
-issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
-authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
 """
 [[transform.osquery]]
 label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
-issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
-authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
 """
-
 [rule]
 author = ["Elastic"]
 description = """
 Identifies attempts to disable the code signing policy through the registry. 
Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the
-execution of unsigned or self-signed code, threat actors can craft and execute malicious code.
+execution of unsigned or self-signed code, threat actors can craft and execute malicious code. 
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
@@ -93,7 +90,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -111,14 +108,8 @@ registry where host.os.type == "windows" and event.type : ("creation", "change")
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
 [[rule.threat.technique]]
 id = "T1553"
 name = "Subvert Trust Controls"
@@ -128,10 +119,12 @@ id = "T1553.006"
 name = "Code Signing Policy Modification"
 reference = "https://attack.mitre.org/techniques/T1553/006/"
-
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index dab7b4aa182..e04efcaf08a 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
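Review bot: The removed and re-added `execution of unsigned or self-signed code, threat actors can craft and execute malicious code.` lines in the `description` hunk of defense_evasion_code_signing_policy_modification_registry.toml read identically, so the only difference can be trailing whitespace; the collapsed layout hides it, but if the new side restores a trailing space it sits inside the `"""` multi-line string and becomes part of the rule's description value. Even in a revert it is cleaner to keep the line as `+execution of unsigned or self-signed code, threat actors can craft and execute malicious code.` with no trailing space, which leaves the description text unchanged and makes the hunk a pure metadata/formatting revert. The `[rule]` table this line belongs to continues past the hunk.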
@@ -2,7 +2,9 @@
 creation_date = "2021/02/01"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -85,7 +87,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index c4c34892c00..1a8d0b4c3d2 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -18,13 +20,7 @@ name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
 risk_score = 21
 rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Use Case: Vulnerability",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 7e37b32b77c..692f95c4541 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -72,7 +74,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -109,11 +111,6 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
@@ -128,6 +125,10 @@ id = "T1562.006"
 name = "Indicator Blocking"
 reference = "https://attack.mitre.org/techniques/T1562/006/"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index b85e2970d19..5153f7fac07 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/07/20"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies modifications to the Windows Defender configuration settings using Po
 directory or process level.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Defender Exclusions Added via PowerShell"
@@ -89,7 +85,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index d124e4493e4..d5f5f83718f 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is
 of files created during post-exploitation activities.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Delete Volume USN Journal with Fsutil"
@@ -56,15 +52,7 @@ Consider using the Elastic Defend integration instead of USN Journal, as the Ela
 risk_score = 21
 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml
index 0ce5ab8084f..3097f5234db 100644
--- a/rules/windows/defense_evasion_disable_nla.toml
+++ b/rules/windows/defense_evasion_disable_nla.toml
@@ -2,16 +2,17 @@
 creation_date = "2023/08/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level
-Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP)
-connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to
-enable persistence methods that require access to the Windows sign-in screen without authenticating, such as
-Accessibility Features persistence methods, like Sticky Keys.
+Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows
+that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate
+before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the
+Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.registry-*", "endgame-*"]
@@ -24,14 +25,7 @@ references = [
 risk_score = 21
 rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 1a44c9d572b..1cd8b9166a3 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/31"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -69,7 +71,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -85,11 +87,6 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
@@ -99,6 +96,10 @@ id = "T1562.002"
 name = "Disable Windows Event Logging"
 reference = "https://attack.mitre.org/techniques/T1562/002/"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index c9988732958..9cf70208dbc 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies use of the netsh.exe to disable or weaken the local firewall. Attacke
 disable the firewall during troubleshooting or to enable network mobility.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disable Windows Firewall Rules via Netsh"
@@ -69,7 +65,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 9474e98a635..aaf6ed10787 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -2,20 +2,16 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
 description = "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings."
 false_positives = ["Planned Windows Defender configuration changes."]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disabling Windows Defender Security Settings via PowerShell"
@@ -78,7 +74,7 @@ tags = [
 "Tactic: Execution",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -110,6 +106,7 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index a94a693fc6b..88f47c9212f 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/06"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -11,13 +13,7 @@ Identifies attempts to disable EventLog via the logman Windows utility, PowerShe
 attackers in an attempt to evade detection on a system.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disable Windows Event and Security Logs Using Built-in Tools"
@@ -74,7 +70,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -110,6 +106,7 @@ reference = "https://attack.mitre.org/techniques/T1070/001/"
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.002"
 name = "Disable Windows Event Logging"
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index b86746d1b16..a209f05faca 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -2,7 +2,9 @@ creation_date = "2021/07/22" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Austin Songer"] @@ -31,15 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -56,16 +50,16 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index f1c529bde28..d27ad7f9848 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml 
@@ -2,22 +2,18 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = """ -Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to -compile code after delivery in order to bypass security mechanisms. +Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt +to compile code after delivery in order to bypass security mechanisms. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious .NET Code Compilation" @@ -32,15 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -68,6 +56,8 @@ reference = "https://attack.mitre.org/techniques/T1027/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index ef508310ced..31981e2baf0 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies use of the network shell utility (netsh.exe) to enable inbound Remote the Windows Firewall. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Remote Desktop Enabled in Windows Firewall by Netsh" @@ -75,7 +71,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml index 55e86511a19..a55b407c54d 100644 --- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ tool to weaken the host firewall settings. """ false_positives = ["Host Windows Firewall planned system administration changes."] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Enable Host Network Discovery via Netsh" @@ -71,7 +67,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index 4a9253a1d6d..e0a6b81cda9 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml @@ -2,7 +2,9 @@ creation_date = "2021/09/08" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ Identifies unusual instances of Control Panel with suspicious keywords or paths Adversaries may abuse control.exe to proxy execution of malicious code. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Control Panel Process with Unusual Arguments" @@ -33,15 +29,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 08bbbf5abdf..ffffa6b44c0 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] 
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -37,13 +38,7 @@ Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load as a defense evasion technique to blend-in malicious activity with legitimate Windows software. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "ImageLoad via Windows Update Auto Update Client" @@ -110,15 +105,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 0eae0465c65..3db2d939932 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -17,13 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by an Office Application" @@ -97,7 +93,7 @@ tags = [ "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 254454f013c..865691b8540 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -27,14 +29,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -45,26 +46,26 @@ host.os.type:windows and event.category:process and event.type:start and ( "wscript.exe" or "mshta.exe") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -73,12 +74,10 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" 
@@ -94,8 +93,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.name", "process.command_line"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 5ff9a093d59..23ac0085342 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ Instrumentation) subsystem. This behavior is unusual and is sometimes used by ma """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by a System Process" 
@@ -33,15 +29,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 4be38308433..ce9964174c8 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -112,7 +114,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" @@ -135,7 +137,6 @@ id = "T1036.003" name = "Rename System Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index 2ad7460557b..2a3f2bad364 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -33,14 +35,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] + timestamp_override = "event.ingested" type = "new_terms" @@ -49,19 +51,19 @@ host.os.type:windows and event.category:process and event.type:start and process process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
@@ -81,8 +83,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.name"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 098ce048775..0cf09edbcd9 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -27,16 +29,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index 0b2228e7675..974b024e38e 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml 
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic", "Dennis Perto"] @@ -31,16 +33,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index e93afa811f8..57046058566 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -27,15 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index 2c1f7f32972..4abc04cabd6 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ 
@@ -37,13 +38,7 @@ Identifies process execution from suspicious default Windows directories. This i malware in trusted paths. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Process Execution from an Unusual Directory" @@ -113,14 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 205ab273442..59977ac9d3f 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] 
@@ -11,28 +13,14 @@ Identifies registry write modifications to hide an encoded portable executable. defense evasion by avoiding the storing of malicious content directly on disk. """ from = "now-9m" -index = [ - "logs-endpoint.events.registry-*", - "endgame-*", - "logs-windows.sysmon_operational-*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Encoded Executable Stored in the Registry" risk_score = 47 rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 5f00f7e7fad..b22fb7fb37b 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ Identifies when Internet Information Services (IIS) HTTP Logging is disabled on access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -67,15 +63,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml index 802025652d8..aa9e5675fa4 100755 --- a/rules/windows/defense_evasion_injection_msbuild.toml +++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -18,14 +20,7 @@ name = "Process Injection by the Microsoft Build Engine" risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "query" @@ -51,7 +46,6 @@ name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml index eca5aea1970..87b368d79ba 100644 --- a/rules/windows/defense_evasion_installutil_beacon.toml +++ b/rules/windows/defense_evasion_installutil_beacon.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -11,26 +13,14 @@ Identifies InstallUtil.exe making outbound network connections. This may indicat often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", -] +index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "InstallUtil Process Making Network Connections" risk_score = 47 rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 16de53c6416..81a5bced8a7 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ A suspicious Endpoint Security parent process was detected. This may indicate a injection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious Endpoint Security Parent Process" @@ -32,14 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -69,6 +58,7 @@ process where host.os.type == "windows" and event.type == "start" and "/enable" ) ) + ''' @@ -78,13 +68,13 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml index 69125b3d1b2..fcd53d91b5f 100644 --- a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml +++ b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml 
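Review bot: The `@@ -69,6 +58,7 @@` hunk of defense_evasion_masquerading_as_elastic_endpoint_process.toml adds an empty line immediately before the closing `'''`, which is inside the multi-line literal, so the query value itself gains a trailing newline rather than the file just gaining spacing. EQL ignores trailing whitespace, but if the rule hash or any query comparison in the tooling is not whitespace-normalized this registers as a query change; the adjacent `@@ -78,13 +68,13 @@` hunk only moves blank lines between tables and has no such effect. Dropping that single added line keeps the revert limited to metadata and layout.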
@@ -2,7 +2,9 @@ creation_date = "2023/09/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -22,15 +24,7 @@ references = [ risk_score = 21 rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c" severity = "low" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Initial Access", - "Tactic: Execution", -] +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Tactic: Execution"] timestamp_override = "event.ingested" type = "eql" @@ -171,6 +165,7 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -182,11 +177,11 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -199,6 +194,7 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml index cfb5fd3b6ee..160315743f2 100644 --- a/rules/windows/defense_evasion_masquerading_communication_apps.toml +++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/05/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -18,13 +20,7 @@ name = "Potential Masquerading as Communication Apps" risk_score = 47 rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -98,6 +94,7 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -109,11 +106,12 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -121,7 +119,6 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 5aab79fc4d6..d8cb62d5f9d 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/09/01" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -110,7 +112,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index 3cd557a08a1..bcfb84a7bc8 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ registry key manipulation. Verify process details such as command line, network """ false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious WerFault Child Process" 
@@ -39,17 +35,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" @@ -77,6 +63,8 @@ reference = "https://attack.mitre.org/techniques/T1036/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -94,6 +82,9 @@ reference = "https://attack.mitre.org/techniques/T1546/012/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 53359cc1b12..51d4f068c3e 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -12,13 +14,7 @@ usually host trusted third party programs. An adversary may leverage masqueradin detections allowlisting those folders. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Program Files Directory Masquerading" @@ -33,14 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index c4832f2ec1e..10825bd5f14 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [transform] [[transform.osquery]] 
@@ -39,12 +41,7 @@ masquerading attempt to evade suspicious child process behavior detections. """ false_positives = ["Legit Application Crash with rare Werfault commandline value"] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Potential Windows Error Manager Masquerading" @@ -106,15 +103,7 @@ references = [ risk_score = 47 rule_id = "6ea41894-66c3-4df7-ad6b-2c5074eb3df8" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -132,13 +121,13 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 013245ca23b..7a7fb3cdee1 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Austin Songer"] @@ -74,15 +76,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -121,16 +115,15 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index a7c4a5a81e8..23325449d83 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml 
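Review bot: In the `@@ -121,16 +115,15 @@` hunk of defense_evasion_microsoft_defender_tampering.toml the new side places the T1562 technique table before T1112, undoing the ascending-ID order the removed side had. If the repo's rule formatter sorts techniques by ID (the pre-revert layout suggests it does), this order will be flipped back on the next normalization pass and produce a spurious diff against the lock. The `@@ -201,7 +180,15 @@` hunk of defense_evasion_network_connection_from_windows_binary.toml moves T1036 after T1218 in the same way. Keeping the technique tables in ID order in both files, i.e. `[[rule.threat.technique]]` T1112 before T1562 and T1036 before T1127, avoids the churn without changing rule semantics.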
@@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -38,12 +39,7 @@ validation. Adversaries may use these binaries to 'live off the land' and execut application allowlists and signature validation. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Network Connection via Signed Binary" @@ -104,15 +100,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index 7575aea342c..cd33fc5a3b2 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml 
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml @@ -2,7 +2,9 @@ creation_date = "2022/01/12" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -81,7 +83,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index ac7a2d07470..526bde67fab 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ 
@@ -37,12 +38,7 @@ Identifies MsBuild.exe making outbound network connections. This may indicate ad leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "MsBuild Making Network Connections" @@ -104,15 +100,7 @@ This rule looks for the `Msbuild.exe` utility execution, followed by a network c risk_score = 47 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml index 16ce875c645..114d561f465 100644 --- a/rules/windows/defense_evasion_mshta_beacon.toml +++ b/rules/windows/defense_evasion_mshta_beacon.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -11,26 +13,14 @@ Identifies Mshta.exe making outbound network connections. This may indicate adve leveraged by adversaries to execute malicious scripts and evade detection. """ from = "now-20m" -index = [ - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", -] +index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Mshta Making Network Connections" risk_score = 47 rule_id = "c2d90150-0133-451c-a783-533e736c12d7" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index 714b2841761..0835894f98d 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml +++ b/rules/windows/defense_evasion_msxsl_network.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -11,12 +13,7 @@ Identifies msxsl.exe making a network connection. This may indicate adversarial by adversaries to execute malicious scripts and evade detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Network Connection via MsXsl" @@ -24,14 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index d04c84fd647..b7a6daca884 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [transform] [[transform.osquery]] 
@@ -37,12 +39,7 @@ Identifies network activity from unexpected system applications. This may indica applications are often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", -] +index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Unusual Network Activity from a Windows System Binary" @@ -103,15 +100,7 @@ This rule identifies network connections established by trusted developer utilit risk_score = 47 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -177,16 +166,6 @@ sequence by process.entity_id with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" - - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
@@ -201,7 +180,15 @@ id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml index 84aecaea7c3..2314ec54c38 100644 --- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml +++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -19,14 +21,7 @@ references = ["https://blog.didierstevens.com/2017/03/20/"] risk_score = 73 rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -89,6 +84,8 @@ reference = "https://attack.mitre.org/techniques/T1134/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index 181950d3561..7212b3125cd 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml @@ -2,7 +2,9 @@ creation_date = "2022/11/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ default) and is set to 1, then remote connections from all local members of Admi high-integrity tokens during negotiation. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.registry-*", - "logs-windows.sysmon_operational-*", - "endgame-*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Local Account TokenFilter Policy Disabled" @@ -39,7 +35,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: SentinelOne", + "Data Source: SentinelOne" ] timestamp_override = "event.ingested" type = "eql" @@ -70,6 +66,8 @@ reference = "https://attack.mitre.org/techniques/T1562/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml index 985ce93b11d..6dde3fa66a4 100644 --- a/rules/windows/defense_evasion_posh_encryption.toml 
+++ b/rules/windows/defense_evasion_posh_encryption.toml @@ -2,7 +2,9 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -49,14 +51,7 @@ PowerShell offers encryption and decryption functionalities that attackers can a risk_score = 47 rule_id = "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index bac16ac4805..9ab8e5502fc 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -2,7 +2,9 @@ creation_date = "2021/10/14" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -81,15 +83,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -128,6 +122,7 @@ reference = "https://attack.mitre.org/techniques/T1055/002/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index abd9a87b464..edafb0b5afb 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Austin Songer"]
@@ -80,7 +82,7 @@ tags = [
 "Tactic: Execution",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -111,6 +113,7 @@ reference = "https://attack.mitre.org/techniques/T1562/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index 5ed21ba1c98..105d94c938b 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -94,15 +95,7 @@ This rule identifies an unsigned process termination event quickly followed by t
 risk_score = 47
 rule_id = "09443c92-46b3-45a4-8f25-383b028b258d"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 type = "eql"
 
 query = '''
@@ -136,12 +129,12 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
 
-
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index debc6c67d72..e7df54ffaaf 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -30,14 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml
index f3e782745ed..f412479a242 100644
--- a/rules/windows/defense_evasion_root_dir_ads_creation.toml
+++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml
@@ -2,21 +2,18 @@
 creation_date = "2024/03/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/08"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to
-hide tools and malware, as ADSs created in this directory are not displayed by system utilities.
+Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the
+attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Alternate Data Stream Creation/Execution at Volume Root Directory"
@@ -24,14 +21,7 @@ references = ["https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomwa
 risk_score = 47
 rule_id = "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 05f50273453..3905a429f1e 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -101,14 +102,7 @@ RunDLL32 is a legitimate Windows utility used to load and execute functions with
 risk_score = 73
 rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_sccm_scnotification_dll.toml b/rules/windows/defense_evasion_sccm_scnotification_dll.toml
index 8abfbc3726a..faa114dbc04 100644
--- a/rules/windows/defense_evasion_sccm_scnotification_dll.toml
+++ b/rules/windows/defense_evasion_sccm_scnotification_dll.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/17"
 
 [rule]
 author = ["Elastic"]
@@ -17,18 +19,12 @@ license = "Elastic License v2"
 name = "Potential Windows Session Hijacking via CcmExec"
 references = [
 "https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec",
- "https://mayfly277.github.io/posts/SCCM-LAB-part0x3/#impersonate-users---revshell-connected-users",
+ "https://mayfly277.github.io/posts/SCCM-LAB-part0x3/#impersonate-users---revshell-connected-users"
 ]
 risk_score = 47
 rule_id = "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index 505aec53d6f..0c7d058f10c 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,16 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -67,19 +60,21 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.002"
 name = "At"
 reference = "https://attack.mitre.org/techniques/T1053/002/"
 
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index de71484089e..256dea76fc5 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -50,17 +52,7 @@ This rule identifies file name patterns generated by the use of SDelete utility
 risk_score = 21
 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Impact",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -86,6 +78,8 @@ reference = "https://attack.mitre.org/techniques/T1070/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 95c8ab2462c..bb329324f80 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -20,15 +22,7 @@ references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
 risk_score = 47
 rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index cf10b147d41..bc4bbd38fe9 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -29,16 +31,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Initial Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -61,11 +54,6 @@ registry where host.os.type == "windows" and registry.path : (
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
@@ -76,6 +64,10 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
 
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index 6b2f2843b37..fc5d2252dc3 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
-
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
@@ -38,13 +39,7 @@ Certificate Services. CertUtil is often abused by attackers to live off the land
 data exfiltration.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious CertUtil Commands"
@@ -107,15 +102,7 @@ references = [
 risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index 835c75dc5c7..2408f6bf60e 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -30,15 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -84,6 +78,7 @@ framework = "MITRE ATT&CK"
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index 3ed7d721f6a..20706f7bbdb 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -15,20 +17,11 @@ index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_ope
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Managed Code Hosting Process"
-references = [
- "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
-]
+references = ["http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"]
 risk_score = 73
 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index d38e017d6b5..c10a9e070ad 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 
 [transform]
 [[transform.osquery]]
@@ -111,15 +113,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -159,8 +153,10 @@ reference = "https://attack.mitre.org/techniques/T1055/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index d4c4fb10d89..b2a16453572 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -46,14 +48,7 @@ Attackers may inject code into child processes' memory to hide their actual acti
 risk_score = 47
 rule_id = "3ed032b2-45d8-4406-bc79-7ad1eabb2c72"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index 1011838ee92..d852a474260 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -18,14 +20,7 @@ name = "Suspicious Script Object Execution"
 risk_score = 47
 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -62,13 +57,13 @@ framework = "MITRE ATT&CK"
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.010"
 name = "Regsvr32"
 reference = "https://attack.mitre.org/techniques/T1218/010/"
 
 
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index 75210439c1c..ecb73959414 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [transform]
 [[transform.osquery]]
@@ -29,13 +31,10 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
-
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of a process with a single character process name, differing from the original file name. This
-is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based
-on the process name.
+Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
@@ -93,16 +92,7 @@ Identifies the execution of a process with a single character process name, diff
 risk_score = 47
 rule_id = "17c7f6a5-5bc9-4e1f-92bf-13632d24384d"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index b10b9798946..789fd513212 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -11,27 +13,14 @@ Identifies WMIC allowlist bypass techniques by alerting on suspicious execution
 libraries it may be indicative of an allowlist bypass.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.library-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WMIC XSL Script Execution"
 risk_score = 47
 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 
 query = '''
@@ -57,14 +46,15 @@ reference = "https://attack.mitre.org/techniques/T1220/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
 
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index b8baa796c7f..f49c65712fb 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 
 [transform]
 [[transform.osquery]]
@@ -37,14 +39,7 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r
 such as command line, network connections, file writes and associated file signature details as well.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Zoom Child Process"
@@ -102,17 +97,7 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or
 risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -139,6 +124,7 @@ reference = "https://attack.mitre.org/techniques/T1055/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -151,4 +137,3 @@ reference = "https://attack.mitre.org/techniques/T1203/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index a3a278e0986..21c674aa7cb 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -111,7 +113,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" @@ -143,6 +145,7 @@ reference = "https://attack.mitre.org/techniques/T1211/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_timestomp_sysmon.toml b/rules/windows/defense_evasion_timestomp_sysmon.toml index 827fb4c7a89..002dc84526e 100644 --- a/rules/windows/defense_evasion_timestomp_sysmon.toml +++ b/rules/windows/defense_evasion_timestomp_sysmon.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content -with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in -trusted directories. +Identifies modification of a file creation time. Adversaries may modify file time attributes to blend +malicious content with existing files. Timestomping is a technique that modifies the timestamps of +a file often to mimic files that are in trusted directories. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"] @@ -24,7 +26,7 @@ tags = [ "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" @@ -66,9 +68,7 @@ name = "Timestomp" reference = "https://attack.mitre.org/techniques/T1070/006/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml index 052d4bb6f3d..f1a0df195b8 100644 --- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml +++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml 
@@ -1,15 +1,17 @@ [metadata] creation_date = "2022/11/22" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +integration = ["endpoint"] +min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." +min_stack_version = "8.4.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = """ Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted -program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a -malicious DLL within the memory space of a signed processes. +program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading +a malicious DLL within the memory space of a signed processes. """ from = "now-9m" index = ["logs-endpoint.events.library-*"] @@ -27,13 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -130,12 +126,12 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" 
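Review bot: The `[metadata]` keys on the new side are not ordered consistently across this revert: here `integration = ["endpoint"]` is dropped and re-added after `maturity`, and in the `defense_evasion_wsl_*` sections `updated_date` is placed before `min_stack_comments`/`min_stack_version`, while every other section keeps `integration`, `maturity`, `min_stack_comments`, `min_stack_version`, `updated_date` in alphabetical order. If the rule loader rewrites metadata in a canonical order (I cannot tell from the hunk), the next save will churn these lines again; restoring this block as `integration = ["endpoint"]` / `maturity = "production"` / `min_stack_comments = ...` avoids that. The same applies to the `defense_evasion_wsl_bash_exec` section, where the `[[rule.threat.technique.subtechnique]]` block is indented by two spaces while the identical block in the unsigned-DLL and untrusted-driver sections is flush-left.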
diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
index dcf13aab539..3e5574298ae 100644
--- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml
+++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
@@ -2,31 +2,27 @@ creation_date = "2023/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/15" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ - [rule] author = ["Elastic"] description = """ -Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of -unsigned or self-signed code. +Identifies attempt to load an untrusted driver. 
Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. """ from = "now-9m" index = ["logs-endpoint.events.library-*"] @@ -93,20 +89,13 @@ This rule identifies an attempt to load an untrusted driver, which effectively m - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://github.com/hfiref0x/TDL", - "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN", + "https://github.com/hfiref0x/TDL", + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" ] risk_score = 73 rule_id = "d8ab1ec1-feeb-48b9-89e7-c12e189448aa" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -123,13 +112,12 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index 8379392aba0..5a30ad13457 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/01/21" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -108,15 +110,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 5e0ec96e22a..2919e8d50aa 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -26,15 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml index 18f0e76af9e..c5d82124da8 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml @@ -2,7 +2,9 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -11,12 +13,7 @@ Identifies unusual instances of dllhost.exe making outbound network connections. and Control activity. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Unusual Network Connection via DllHost" 
@@ -28,14 +25,7 @@ references = [ risk_score = 47 rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml index 90e8da27038..17ce9288d3e 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -11,12 +13,7 @@ Identifies unusual instances of rundll32.exe making outbound network connections and Control activity. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Unusual Network Connection via RunDLL32" 
@@ -59,16 +56,7 @@ references = [ risk_score = 47 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -117,4 +105,3 @@ reference = "https://attack.mitre.org/techniques/T1071/001/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index 42fa32b52d9..dfa44ae72ec 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -11,12 +13,7 @@ Identifies network activity from unexpected system applications. This may indica applications are often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Unusual Process Network Connection" @@ -50,15 +47,7 @@ This rule identifies network activity from unexpected system utilities and appli risk_score = 21 rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index 3a55105d462..f1d993e1d78 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml 
@@ -2,19 +2,15 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection." from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Unusual Child Process from a System Virtual Process" @@ -29,14 +25,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index 4369e04cdf3..48df9e96121 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml +++ b/rules/windows/defense_evasion_via_filter_manager.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -37,13 +38,7 @@ The Filter Manager Control Program (fltMC.exe) binary may be abused by adversari defenses. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Potential Evasion via Filter Manager" @@ -102,15 +97,7 @@ This rule identifies the attempt to unload a minifilter using the `fltmc.exe` co risk_score = 47 rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml index 4c31c6f205c..b342d8df3a5 100644 --- a/rules/windows/defense_evasion_windows_filtering_platform.toml +++ b/rules/windows/defense_evasion_windows_filtering_platform.toml 
@@ -2,13 +2,16 @@ creation_date = "2023/12/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = """ -Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint -security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry. +Identifies multiple Windows Filtering Platform block events and where the process name is related to +an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security +from sending telemetry. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.network-*", "logs-system.security-*"] @@ -16,11 +19,11 @@ language = "eql" license = "Elastic License v2" name = "Potential Evasion via Windows Filtering Platform" references = [ - "https://github.com/dsnezhkov/shutter/tree/main", - "https://github.com/netero1010/EDRSilencer/tree/main", - "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152", + "https://github.com/dsnezhkov/shutter/tree/main", + "https://github.com/netero1010/EDRSilencer/tree/main", + "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152" ] risk_score = 47 rule_id = "92d3a04e-6487-4b62-892d-70e640a590dc" 
@@ -46,7 +49,7 @@ tags = [ "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] type = "eql" @@ -113,4 +116,3 @@ reference = "https://attack.mitre.org/techniques/T1562/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml index a301336e895..d7151581b3f 100644 --- a/rules/windows/defense_evasion_workfolders_control_execution.toml +++ b/rules/windows/defense_evasion_workfolders_control_execution.toml @@ -2,7 +2,9 @@ creation_date = "2022/03/02" integration = ["windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/16" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml index 65ad3cc71f3..56e4efaeea7 100644 --- a/rules/windows/defense_evasion_wsl_bash_exec.toml +++ b/rules/windows/defense_evasion_wsl_bash_exec.toml 
@@ -2,42 +2,30 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] description = """ -Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to -avoid detection. +Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable +and use WSL for Linux to avoid detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious Execution via Windows Subsystem for Linux" references = [ "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", - "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1" ] risk_score = 21 rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -69,26 +57,24 @@ id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - + [[rule.threat.technique.subtechnique]] + id = "T1059.004" + name = "Unix Shell" + reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml index 05204c9c8a0..add8d5f5179 100644 --- a/rules/windows/defense_evasion_wsl_child_process.toml +++ b/rules/windows/defense_evasion_wsl_child_process.toml 
@@ -2,22 +2,18 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] description = """ -Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use -WSL for Linux to avoid detection. +Detects attempts to execute a program on the host from the Windows Subsystem for Linux. +Adversaries may enable and use WSL for Linux to avoid detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Execution via Windows Subsystem for Linux" @@ -25,14 +21,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"] risk_score = 47 rule_id = "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -63,4 +52,3 @@ reference = "https://attack.mitre.org/techniques/T1202/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index 420fb3249fd..a1b8f65debe 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml 
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml @@ -2,22 +2,18 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] description = """ -Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use -WSL for Linux to avoid detection. +Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable +and use WSL for Linux to avoid detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Windows Subsystem for Linux Enabled via Dism Utility" @@ -61,14 +57,7 @@ references = ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux risk_score = 47 rule_id = "e2e0537d-7d8f-4910-a11d-559bcf61295a" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -86,9 +75,7 @@ id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml index afcf4dfd1c6..013c926ff62 100644 --- a/rules/windows/defense_evasion_wsl_filesystem.toml +++ b/rules/windows/defense_evasion_wsl_filesystem.toml @@ -2,21 +2,18 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/04/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] description = """ -Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may -enable and use WSL for Linux to avoid detection. +Detects files creation and modification on the host system from the the Windows Subsystem for Linux. +Adversaries may enable and use WSL for Linux to avoid detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.file-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Host Files System Changes via Windows Subsystem for Linux" @@ -24,15 +21,7 @@ references = ["https://github.com/microsoft/WSL"] risk_score = 47 rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
@@ -58,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1202/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml
index 7a9d1eb04b8..cc0e4849bf0 100644
--- a/rules/windows/defense_evasion_wsl_kalilinux.toml
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml
@@ -2,22 +2,18 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
 description = """
-Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for
-Linux to avoid detection.
+Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may
+enable and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Install Kali Linux via WSL"
@@ -25,14 +21,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
 risk_score = 73
 rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -60,4 +49,3 @@ reference = "https://attack.mitre.org/techniques/T1202/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml
index 0908de4d327..fe267a4a6fe 100644
--- a/rules/windows/defense_evasion_wsl_registry_modification.toml
+++ b/rules/windows/defense_evasion_wsl_registry_modification.toml
@@ -2,13 +2,15 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
 description = """
-Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name.
-Adversaries may enable and use WSL for Linux to avoid detection.
+Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux
+distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
@@ -56,15 +58,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
 risk_score = 47
 rule_id = "a1699af0-8e1e-4ed0-8ec1-89783538a061"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
 timeline_title = "Comprehensive Registry Timeline"
 timestamp_override = "event.ingested"
@@ -95,4 +89,3 @@ reference = "https://attack.mitre.org/techniques/T1202/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml
index e43e63aa66c..18fbaab7b8b 100644
--- a/rules/windows/discovery_active_directory_webservice.toml
+++ b/rules/windows/discovery_active_directory_webservice.toml
@@ -2,13 +2,15 @@
 creation_date = "2024/01/31"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP
-port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
+Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port.
+Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"]
@@ -19,13 +21,7 @@ references = ["https://github.com/FalconForceTeam/SOAPHound"]
 risk_score = 47
 rule_id = "9c951837-7d13-4b0c-be7a-f346623c8795"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -45,17 +41,15 @@ sequence by process.entity_id with maxspan=3m
 network.direction == "egress" and network.transport == "tcp" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
 reference = "https://attack.mitre.org/techniques/T1018/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
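Review bot: The restored `[metadata]` block here places `min_stack_comments` and `min_stack_version` before `updated_date`, while the three WSL rule files earlier in this diff restore them after `updated_date`; the key order is semantically irrelevant to TOML but the inconsistency will keep showing up as noise in future formatting passes. If the repository's rule formatter has a canonical order, it would be worth running it over the reverted files in a follow-up rather than hand-editing each hunk. The same ordering split applies to every `[metadata]` hunk that follows in this diff, so one note covers them all.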
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 0d0a328cdd3..ed54cb9a061 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ leveraged by threat actors to perform post-exploitation Active Directory reconna
 observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AdFind Command Activity"
@@ -76,15 +72,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -103,11 +91,6 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1016"
-name = "System Network Configuration Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/"
-
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
@@ -138,6 +121,10 @@ id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
 [rule.threat.tactic]
 id = "TA0007"
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 601a38f93b8..f43b5d0cadb 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies instances of lower privilege accounts enumerating Administrator accou
 tools.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Administrator Accounts"
@@ -64,15 +60,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -95,13 +90,14 @@ process where host.os.type == "windows" and event.type == "start" and
 ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.001"
 name = "Local Groups"
@@ -112,11 +108,11 @@ id = "T1069.002"
 name = "Domain Groups"
 reference = "https://attack.mitre.org/techniques/T1069/002/"
-
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.001"
 name = "Local Account"
@@ -127,10 +123,7 @@ id = "T1087.002"
 name = "Domain Account"
 reference = "https://attack.mitre.org/techniques/T1087/002/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 24ebab8393c..373ff4fb17b 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -55,16 +57,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -93,6 +86,7 @@ reference = "https://attack.mitre.org/techniques/T1033/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index 27c8db8112e..65c9545d489 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/27"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -15,13 +17,7 @@ false_positives = [
 "Domain administrators may use this command-line utility for legitimate information gathering purposes.",
 ]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumerating Domain Trusts via DSQUERY.EXE"
@@ -63,15 +59,7 @@ references = [
 risk_score = 21
 rule_id = "06a7a03c-c735-47a6-a313-51c354aef6c3"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -84,16 +72,14 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1018"
-name = "Remote System Discovery"
-reference = "https://attack.mitre.org/techniques/T1018/"
-
 [[rule.threat.technique]]
 id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
-
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
 [rule.threat.tactic]
 id = "TA0007"
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 2417a773ee9..34783cece38 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -18,13 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumerating Domain Trusts via NLTEST.EXE"
@@ -66,15 +62,14 @@ references = [
 risk_score = 21
 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -89,22 +84,20 @@ not process.parent.name : "PDQInventoryScanner.exe" and
 not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1018"
-name = "Remote System Discovery"
-reference = "https://attack.mitre.org/techniques/T1018/"
 [[rule.threat.technique]]
 id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml
index e67adb37675..7baf49bd178 100644
--- a/rules/windows/discovery_group_policy_object_discovery.toml
+++ b/rules/windows/discovery_group_policy_object_discovery.toml
@@ -2,23 +2,20 @@
 creation_date = "2023/01/18"
 integration = ["windows", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
+
 [rule]
 author = ["Elastic"]
 description = """
-Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the
-reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and
-possible methods to escalate privileges or move laterally.
+Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy
+objects during the reconnaissance phase after compromising a system to gain a better understanding
+of the active directory environment and possible methods to escalate privileges or move laterally.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Group Policy Discovery via Microsoft GPResult Utility"
@@ -58,14 +55,7 @@ The detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is de
 risk_score = 21
 rule_id = "94a401ba-4fa2-455c-b7ae-b6e037afc0b7"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -74,7 +64,6 @@ process where host.os.type == "windows" and event.type == "start" and
 (process.name: "gpresult.exe" or ?process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -82,9 +71,7 @@ id = "T1615"
 name = "Group Policy Discovery"
 reference = "https://attack.mitre.org/techniques/T1615/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml
index e8bd71550b4..85a3f52557d 100644
--- a/rules/windows/discovery_high_number_ad_properties.toml
+++ b/rules/windows/discovery_high_number_ad_properties.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
@@ -17,7 +19,8 @@ license = "Elastic License v2"
 name = "Suspicious Access to LDAP Attributes"
 risk_score = 73
 rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e"
-setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+setup = """
+The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
 Steps to implement the logging policy with Advanced Audit Configuration:
 Computer Configuration >
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 03a18f7de1e..4bd545398e6 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies use of the Windows file system utility (fsutil.exe) to gather informa
 and components connected to a computer system.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Peripheral Device Discovery"
@@ -61,15 +57,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index 717838974c3..3c2b0f7cfff 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -75,16 +77,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Tactic: Collection",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -139,14 +132,15 @@ reference = "https://attack.mitre.org/techniques/T1106/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1039"
 name = "Data from Network Shared Drive"
 reference = "https://attack.mitre.org/techniques/T1039/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
index 6c49a43316c..f6108af2a7c 100644
--- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
+++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2023/09/22"
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/22"
 [rule]
 author = ["Elastic"]
@@ -17,16 +19,14 @@ name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
 risk_score = 21
 rule_id = "29ef5686-9b93-433e-91b5-683911094698"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: Higher-Order Rule",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
 "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
@@ -36,7 +36,6 @@ host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -48,8 +47,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "user.id", "process.command_line"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
index b39b57e1999..6da4d484d64 100644
--- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
+++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2023/09/22"
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/11/13"
 [rule]
 author = ["Elastic"]
@@ -17,21 +19,18 @@ name = "Unusual Discovery Signal Alert with Unusual Process Executable"
 risk_score = 21
 rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: Higher-Order Rule",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -43,8 +42,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "user.id", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 0df4a75f2b6..5d6fe0c1f04 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -64,15 +66,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 0d47ba3a78e..8dd36feec9d 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ false_positives = [
 "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
 ]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Command Execution via SolarWinds Process"
@@ -36,15 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Initial Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -67,6 +55,7 @@ framework = "MITRE ATT&CK"
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
@@ -78,7 +67,6 @@ name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index aa545969430..ac3ce9329b7 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -2,7 +2,9 @@ creation_date = "2020/12/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -30,14 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index 44443946e3c..83546affc14 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -12,13 +14,7 @@ programming interface (API) that enables interaction between software objects or run a COM object created in registry to evade defensive counter measures. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Execution of COM object via Xwizard" @@ -37,14 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml index 29d7056f17a..0d8848c106c 100644 --- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [transform] [[transform.osquery]] 
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -43,12 +44,7 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Command Prompt Network Connection" @@ -110,15 +106,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index 61d4d05768c..ae32c9edd78 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/04/05" [transform] [[transform.osquery]] 
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml index ba9c7d475ab..07b82ed127b 100644 --- a/rules/windows/execution_command_shell_started_by_unusual_process.toml +++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml @@ -2,19 +2,15 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process." from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.sysmon_operational-*", - "endgame-*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Unusual Parent Process for cmd.exe" @@ -29,16 +25,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml index 283ae13e81c..37d892108b8 100644 --- a/rules/windows/execution_command_shell_via_rundll32.toml +++ b/rules/windows/execution_command_shell_via_rundll32.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -24,17 +26,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Credential Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -58,7 +50,6 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" @@ -82,6 +73,8 @@ reference = "https://attack.mitre.org/techniques/T1552/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml index 1fe398d770d..704e5d260af 100644 --- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml +++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -18,14 +20,7 @@ name = "Delayed Execution via Ping" risk_score = 21 rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' 
@@ -67,86 +62,88 @@ sequence by process.parent.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1059" name = "Command and Scripting Interpreter" +id = "T1059" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" + [[rule.threat.technique.subtechnique]] + name = "Visual Basic" + id = "T1059.005" + reference = "https://attack.mitre.org/techniques/T1059/005/" + [[rule.threat.technique.subtechnique]] + name = "PowerShell" + id = "T1059.001" + reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1216" -name = "System Script Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1216/" +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + + [[rule.threat.technique.subtechnique]] + name = "Time Based Evasion" + id = "T1497.003" + reference = "https://attack.mitre.org/techniques/T1497/003/" [[rule.threat.technique]] -id = "T1218" name = "System Binary Proxy Execution" +id = "T1218" reference = "https://attack.mitre.org/techniques/T1218/" -[[rule.threat.technique.subtechnique]] -id = "T1218.003" -name = "CMSTP" -reference = "https://attack.mitre.org/techniques/T1218/003/" -[[rule.threat.technique.subtechnique]] -id = "T1218.004" -name = "InstallUtil" -reference = "https://attack.mitre.org/techniques/T1218/004/" + [[rule.threat.technique.subtechnique]] + 
name = "CMSTP" + id = "T1218.003" + reference = "https://attack.mitre.org/techniques/T1218/003/" -[[rule.threat.technique.subtechnique]] -id = "T1218.005" -name = "Mshta" -reference = "https://attack.mitre.org/techniques/T1218/005/" + [[rule.threat.technique.subtechnique]] + name = "InstallUtil" + id = "T1218.004" + reference = "https://attack.mitre.org/techniques/T1218/004/" -[[rule.threat.technique.subtechnique]] -id = "T1218.009" -name = "Regsvcs/Regasm" -reference = "https://attack.mitre.org/techniques/T1218/009/" + [[rule.threat.technique.subtechnique]] + name = "Mshta" + id = "T1218.005" + reference = "https://attack.mitre.org/techniques/T1218/005/" -[[rule.threat.technique.subtechnique]] -id = "T1218.010" -name = "Regsvr32" -reference = "https://attack.mitre.org/techniques/T1218/010/" + [[rule.threat.technique.subtechnique]] + name = "Regsvcs/Regasm" + id = "T1218.009" + reference = "https://attack.mitre.org/techniques/T1218/009/" -[[rule.threat.technique.subtechnique]] -id = "T1218.011" -name = "Rundll32" -reference = "https://attack.mitre.org/techniques/T1218/011/" + [[rule.threat.technique.subtechnique]] + name = "Regsvr32" + id = "T1218.010" + reference = "https://attack.mitre.org/techniques/T1218/010/" + [[rule.threat.technique.subtechnique]] + name = "Rundll32" + id = "T1218.011" + reference = "https://attack.mitre.org/techniques/T1218/011/" -[[rule.threat.technique]] -id = "T1220" -name = "XSL Script Processing" -reference = "https://attack.mitre.org/techniques/T1220/" - -[[rule.threat.technique]] -id = "T1497" -name = "Virtualization/Sandbox Evasion" -reference = "https://attack.mitre.org/techniques/T1497/" -[[rule.threat.technique.subtechnique]] -id = "T1497.003" -name = "Time Based Evasion" -reference = "https://attack.mitre.org/techniques/T1497/003/" + [[rule.threat.technique]] + name = "System Script Proxy Execution" + id = "T1216" + reference = "https://attack.mitre.org/techniques/T1216/" + [[rule.threat.technique]] + name = "XSL Script 
Processing" + id = "T1220" + reference = "https://attack.mitre.org/techniques/T1220/" [rule.threat.tactic] -id = "TA0005" name = "Defense Evasion" +id = "TA0005" reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml index 4475a3d53a0..1f765f65ca0 100644 --- a/rules/windows/execution_downloaded_shortcut_files.toml +++ b/rules/windows/execution_downloaded_shortcut_files.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -18,13 +20,7 @@ name = "Downloaded Shortcut Files" risk_score = 21 rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml index 14bb98b6e9f..a5a22b38ac1 100644 --- a/rules/windows/execution_downloaded_url_file.toml +++ b/rules/windows/execution_downloaded_url_file.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] 
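Review bot: The restored threat section of execution_delayed_via_ping_lolbas_unsigned.toml writes `name` before `id` in each technique table and indents the `[[rule.threat.technique.subtechnique]]` tables, which no other rule touched in this diff does and which the removed side had in the normalized `id`, `name`, `reference` order at column 0. The mapping set itself is unchanged — T1059 with .001/.005, T1497.003, T1218 with .003/.004/.005/.009/.010/.011, T1216 and T1220 all survive on the new side, only reordered — so this is a layout inconsistency rather than a coverage change. If the repository's rule loader rewrites files in canonical key order on save, this file will show a spurious diff the next time it is touched; running that normalization once after the revert would avoid it. The same non-canonical ordering is reintroduced in execution_posh_hacktool_authors.toml, where the header now has `updated_date` ahead of `min_stack_comments`/`min_stack_version` and `references`, `risk_score` and `rule_id` are placed after the `setup` block instead of before it.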
@@ -18,14 +20,7 @@ name = "Downloaded URL Files" risk_score = 21 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index 59c46879a1f..9fbea06f8f3 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies native Windows host and network enumeration commands spawned by the W Provider Service (WMIPrvSE). """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Enumeration Command Spawned via WMIPrvSE" 
@@ -32,14 +28,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -78,41 +73,27 @@ process where host.os.type == "windows" and event.type == "start" and process.co not process.args : "tenable_mw_scan" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" -[[rule.threat.technique.subtechnique]] -id = "T1016.001" -name = "Internet Connection Discovery" -reference = "https://attack.mitre.org/techniques/T1016/001/" - [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" -[[rule.threat.technique]] -id = "T1057" -name = "Process Discovery" -reference = "https://attack.mitre.org/techniques/T1057/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" 
@@ -123,9 +104,22 @@ id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index ad08c31dc11..00c4337057f 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -37,13 +39,7 @@ Identifies process execution from suspicious default Windows directories. This m malware in trusted paths. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Execution from Unusual Directory - Command Line" 
@@ -117,7 +113,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml index ee8d103a56a..569d4f4e19d 100644 --- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -38,12 +39,7 @@ malicious code in a CHM file and deliver it to a victim for execution. CHM conte program (hh.exe). """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Network Connection via Compiled HTML File" 
@@ -112,15 +108,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml index 8fe4c6a5b05..6ca1ac04c15 100644 --- a/rules/windows/execution_initial_access_via_msc_file.toml +++ b/rules/windows/execution_initial_access_via_msc_file.toml @@ -2,13 +2,15 @@ creation_date = "2024/05/12" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/12" [rule] author = ["Elastic"] description = """ -Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious -command in an MSC file in order to trick victims into executing malicious commands. +Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command +in an MSC file in order to trick victims into executing malicious commands. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] 
@@ -43,17 +45,7 @@ references = ["https://www.genians.co.kr/blog/threat_intelligence/facebook"] risk_score = 73 rule_id = "e760c72b-bb1f-44f0-9f0d-37d51744ee75" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml index ec3ebfe1bb9..d29168632ce 100644 --- a/rules/windows/execution_mofcomp.toml +++ b/rules/windows/execution_mofcomp.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -19,13 +21,7 @@ name = "Mofcomp Activity" risk_score = 21 rule_id = "210d4430-b371-470e-b879-80b7182aa75e" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -44,19 +40,19 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -74,4 +70,3 @@ reference = "https://attack.mitre.org/techniques/T1546/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index d441f9758a3..25359d1de52 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -66,15 +68,14 @@ This rule searches for executable files written by MS Office applications execut risk_score = 73 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' @@ -94,7 +95,6 @@ sequence with maxspan=2h ] by host.id, process.executable ''' - [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -102,12 +102,15 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -118,10 +121,7 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml index 55edc986b8f..bb2bbb41f2e 100644 --- a/rules/windows/execution_pdf_written_file.toml +++ b/rules/windows/execution_pdf_written_file.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies a suspicious file that was written by a PDF reader application and su often launched via exploitation of PDF applications. """ from = "now-120m" -index = [ - "logs-endpoint.events.process-*", - "logs-endpoint.events.file-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", - "endgame-*", -] +index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"] interval = "60m" language = "eql" license = "Elastic License v2" 
@@ -72,16 +68,7 @@ This rule searches for executable files written by PDF reader software and execu risk_score = 73 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/execution_posh_hacktool_authors.toml b/rules/windows/execution_posh_hacktool_authors.toml index 96685e222ce..dc920086f2e 100644 --- a/rules/windows/execution_posh_hacktool_authors.toml +++ b/rules/windows/execution_posh_hacktool_authors.toml @@ -2,7 +2,9 @@ creation_date = "2024/05/08" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/05/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] @@ -16,11 +18,6 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "Potential PowerShell HackTool Script by Author" -references = [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", -] -risk_score = 73 -rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0" setup = """## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. 
@@ -39,14 +36,13 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: PowerShell Logs", +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", ] +risk_score = 73 +rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0" +severity = "high" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 579739d5989..45f71e9083c 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -2,7 +2,9 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -123,15 +125,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" 
@@ -160,6 +154,7 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index 4384952dbf1..b8850975dff 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -17,12 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "PsExec Network Connection" @@ -61,16 +58,7 @@ This rule identifies PsExec execution by looking for the creation of `PsExec.exe risk_score = 21 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' 
@@ -109,22 +97,22 @@ name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" reference = "https://attack.mitre.org/techniques/T1570/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index dc36a88a291..da54d2e10f7 100644 --- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -43,12 +44,7 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Network Connection via Registration Utility" 
@@ -109,16 +105,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -152,6 +139,7 @@ framework = "MITRE ATT&CK" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.009" name = "Regsvcs/Regasm" diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index afa9ece3f6d..e7a2ccfbb3a 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -12,12 +14,7 @@ within a short time period. This may indicate lateral movement or remote discove """ false_positives = ["Legitimate scheduled tasks may be created during installation of new software."] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.library-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Outbound Scheduled Task Activity via PowerShell" @@ -28,13 +25,13 @@ risk_score = 47 rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded" severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ] type = "eql" query = ''' 
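Review bot: The `tags` array restored in the `@@ -28,13 +25,13 @@` hunk of execution_scheduled_task_powershell_source.toml uses a third formatting style in the same commit: entries and the closing `]` indented by seven spaces with no trailing comma, while execution_suspicious_powershell_imgload.toml (`@@ -61,14 +63,13 @@`) and execution_suspicious_psexesvc.toml (`@@ -57,17 +59,16 @@`) put the first element on the `tags = [` line, and every other rule here collapses the array to one line. If the revert is only meant to bring back the `min_stack_*` fields and dates, the normalized form `tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"]` would keep these three files consistent with the rest of the change.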
@@ -44,32 +41,30 @@ sequence by host.id, process.entity_id with maxspan = 5s [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index b5b97384fe5..b43dece2763 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -32,15 +34,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index b2aa9aee9b3..33c1f03098c 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies suspicious command execution (cmd) via Windows Management Instrumenta be indicative of adversary lateral movement. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious Cmd Execution via WMI" 
@@ -32,14 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -57,17 +46,17 @@ id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index 9a1dba523ce..e29aa19bf9c 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -30,15 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index 253e8841bd2..d77be8a3be5 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies suspicious child processes of PDF reader applications. These child pr exploitation of PDF applications or social engineering. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious PDF Reader Child Process" 
@@ -80,16 +76,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -122,6 +109,7 @@ reference = "https://attack.mitre.org/techniques/T1203/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -133,8 +121,6 @@ id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index 04bf6f51e73..223ec981bce 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/04/01" [rule] author = ["Elastic"] 
@@ -61,14 +63,13 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly risk_score = 47 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -92,20 +93,19 @@ host.os.type:windows and event.category:library and ) and not process.executable.caseless : "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -114,8 +114,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 8a48048d3bc..61e6eab2b8a 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -57,17 +59,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ] timestamp_override = "event.ingested" type = "eql" @@ -76,24 +77,24 @@ process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 0d012b1de00..22b16f8f18a 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -45,13 +47,7 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Process Activity via Compiled HTML File" @@ -123,15 +119,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 7398ebd3c6e..16e42c765ba 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -77,18 +79,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -116,6 +107,7 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -128,6 +120,7 @@ reference = "https://attack.mitre.org/techniques/T1036/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 4a6fd86e8a4..019b7b033a5 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" + [rule] author = ["Elastic"] description = """ -This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials -via rogue UNC path injection. +This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection. """ from = "now-9m" index = ["logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"] @@ -19,15 +21,7 @@ references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netn risk_score = 47 rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Exfiltration", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "new_terms" @@ -70,6 +64,7 @@ event.category:network and host.os.type:windows and process.pid:4 and ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -83,11 +78,12 @@ id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + + + [rule.new_terms] field = "new_terms_fields" value = ["destination.ip"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index 5d756dbbc95..ac8c3262b61 100644 
--- a/rules/windows/impact_backup_file_deletion.toml +++ b/rules/windows/impact_backup_file_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2021/10/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -69,15 +71,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -115,16 +109,15 @@ file where host.os.type == "windows" and event.type == "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1485" -name = "Data Destruction" -reference = "https://attack.mitre.org/techniques/T1485/" - [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [rule.threat.tactic] id = "TA0040" diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml index e588e0625d6..afcc562e974 100644 --- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml 
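Review bot: The `@@ -115,16 +109,15 @@` hunk of impact_backup_file_deletion.toml now lists `[[rule.threat.technique]]` T1490 before T1485, so the techniques under the Impact tactic are no longer in ascending ID order; the same swap appears in impact_deleting_backup_catalogs_with_wbadmin.toml (`@@ -92,16 +80,16 @@`), impact_ransomware_file_rename_smb.toml (`@@ -81,21 +76,22 @@`) and impact_ransomware_note_file_over_smb.toml (`@@ -80,21 +75,22 @@`). Other files in this change keep techniques sorted by ID (T1021 before T1570 in execution_psexec_lateral_movement_command.toml), which looks like the convention the reverted commit had applied. Unless the order is significant to tooling, keeping T1485 ahead of T1490 would match the rest of the rule set.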
@@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and o system recovery. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Deleting Backup Catalogs with Wbadmin" @@ -71,15 +67,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -92,16 +80,16 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1485" -name = "Data Destruction" -reference = "https://attack.mitre.org/techniques/T1485/" - [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] id = "TA0040" diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml index f03d9bf2aff..dc9b0e14398 100644 --- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml +++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml @@ -2,7 +2,9 @@ creation_date = "2024/05/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/03" [rule] author = ["Elastic"] @@ -55,16 +57,9 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa risk_score = 73 rule_id = "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] -timestamp_override = "event.ingested" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and 
@@ -79,11 +74,11 @@ id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -95,8 +90,6 @@ id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml index a9398ce6b82..cd48ff5c495 100644 --- a/rules/windows/impact_modification_of_boot_config.toml +++ b/rules/windows/impact_modification_of_boot_config.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies use of bcdedit.exe to delete boot configuration data. This tactic is attacker as a destructive technique. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Modification of Boot Configuration" 
@@ -71,15 +67,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml index 40e79f39b18..6b9573fa29c 100644 --- a/rules/windows/impact_ransomware_file_rename_smb.toml +++ b/rules/windows/impact_ransomware_file_rename_smb.toml @@ -2,13 +2,15 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/02" [rule] author = ["Elastic"] description = """ -Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote -ransomware attack via the SMB protocol. +Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware +attack via the SMB protocol. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -55,14 +57,7 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa risk_score = 73 rule_id = "78e9b5d5-7c07-40a7-a591-3dbbf464c386" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -81,21 +76,22 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1485" -name = "Data Destruction" -reference = "https://attack.mitre.org/techniques/T1485/" - [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -108,9 +104,7 @@ name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml index 275961dcef7..2427e4a923d 100644 --- a/rules/windows/impact_ransomware_note_file_over_smb.toml +++ b/rules/windows/impact_ransomware_note_file_over_smb.toml 
@@ -2,7 +2,9 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/02" [rule] author = ["Elastic"] @@ -55,14 +57,7 @@ note = """## Triage and analysis risk_score = 73 rule_id = "02bab13d-fb14-4d7c-b6fe-4a28874d37c5" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -80,21 +75,22 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1485" -name = "Data Destruction" -reference = "https://attack.mitre.org/techniques/T1485/" - [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -112,4 +108,3 @@ reference = "https://attack.mitre.org/techniques/T1021/002/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index f3b2a9e9f87..4c7e219f9ff 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/12/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ This rule identifies a high number (10) of process terminations (stop, delete, o short time period. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "kuery" license = "Elastic License v2" name = "High Number of Process and/or Service Terminations" @@ -56,17 +52,9 @@ references = ["https://www.elastic.co/security-labs/luna-ransomware-attack-patte risk_score = 47 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] -timestamp_override = "event.ingested" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml index c55fe69b914..8cba1822784 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml 
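Review bot: The threshold query in `impact_stop_process_service_threshold.toml` anchors only on `process.name:(net.exe or sc.exe or taskkill.exe)`, which a renamed copy of any of those binaries bypasses entirely. The query continues past the hunk, so if it does not already do so, consider widening the match to `(process.name:(net.exe or sc.exe or taskkill.exe) or process.pe.original_file_name:(net.exe or sc.exe or taskkill.exe))` for the Elastic Defend and Sysmon sources that populate `process.pe.original_file_name`; Windows Security 4688 events from `logs-system.security*` do not carry it, so the fallback on `process.name` stays. This weakness is pre-existing rather than introduced by the revert; the hunk's own reordering of `type = "threshold"` ahead of `timestamp_override` is harmless. The `[rule]` table this hunk edits begins before the hunk.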
@@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints ransomware or other destructive attacks. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Volume Shadow Copy Deleted or Resized via VssAdmin" @@ -89,15 +85,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -120,4 +108,3 @@ reference = "https://attack.mitre.org/techniques/T1490/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index 8ca781d1d5f..8fff537f8b6 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml 
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/19" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic", "Austin Songer"] @@ -11,13 +13,7 @@ Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve occurs in tandem with ransomware or other destructive attacks. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Volume Shadow Copy Deletion via PowerShell" @@ -93,16 +89,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -127,6 +114,7 @@ reference = "https://attack.mitre.org/techniques/T1490/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index 8cffe4dd6fb..737be0b3d21 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly other destructive attacks. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Volume Shadow Copy Deletion via WMIC" @@ -89,16 +85,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Impact", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -121,14 +108,16 @@ reference = "https://attack.mitre.org/techniques/T1490/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml index 0c6d5e6f543..a3ebf3b312f 100644 --- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml +++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml @@ -2,7 +2,9 @@ creation_date = "2022/07/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -26,13 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml index 6d6d1b232e7..4c55b5c6d95 100644 --- a/rules/windows/initial_access_execution_from_inetcache.toml +++ b/rules/windows/initial_access_execution_from_inetcache.toml 
@@ -2,7 +2,9 @@ creation_date = "2024/02/14" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,31 +13,17 @@ Identifies the execution of a process with arguments pointing to the INetCache F content via WININET during initial access. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious Execution from INET Cache" references = [ - "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html", +"https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html" ] risk_score = 73 rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Command and Control", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -59,11 +47,12 @@ name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -76,4 +65,3 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/windows/initial_access_execution_from_removable_media.toml b/rules/windows/initial_access_execution_from_removable_media.toml index 495c84b76fd..fd95d0db4a5 100644 --- a/rules/windows/initial_access_execution_from_removable_media.toml +++ b/rules/windows/initial_access_execution_from_removable_media.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -19,13 +21,7 @@ name = "Execution from a Removable Media with Network Connection" risk_score = 21 rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -40,7 +36,6 @@ sequence by process.entity_id with maxspan=5m [network where host.os.type == "windows" and event.action == "connection_attempted"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,9 +43,7 @@ id = "T1091" name = "Replication Through Removable Media" reference = "https://attack.mitre.org/techniques/T1091/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml index 054e39cfd39..e8e45cc7b15 100644 --- a/rules/windows/initial_access_execution_remote_via_msiexec.toml 
+++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml @@ -2,13 +2,15 @@ creation_date = "2023/09/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] description = """ -Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may -abuse msiexec.exe to launch local or network accessible MSI files. +Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse +msiexec.exe to launch local or network accessible MSI files. """ from = "now-9m" index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"] @@ -18,14 +20,7 @@ name = "Potential Remote File Execution via MSIEXEC" risk_score = 21 rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -62,7 +57,6 @@ sequence with maxspan=1m ] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -74,12 +68,11 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -97,4 +90,3 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml index fd670734deb..7c44a71a943 100644 --- a/rules/windows/initial_access_execution_via_office_addins.toml +++ b/rules/windows/initial_access_execution_via_office_addins.toml @@ -2,13 +2,16 @@ creation_date = "2023/03/20" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = """ -Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with -an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In. +Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or +with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing +MS Office Add-In. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] 
@@ -16,22 +19,13 @@ language = "eql" license = "Elastic License v2" name = "Suspicious Execution via Microsoft Office Add-Ins" references = [ - "https://github.com/Octoberfest7/XLL_Phishing", - "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/", +"https://github.com/Octoberfest7/XLL_Phishing", +"https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/" ] risk_score = 47 rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -96,6 +90,9 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -106,11 +103,8 @@ reference = "https://attack.mitre.org/techniques/T1137/" id = "T1137.006" name = "Add-ins" reference = "https://attack.mitre.org/techniques/T1137/006/" - - - + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml index 6d2f0b2e59d..52aa662a89a 100644 --- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml +++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml 
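Review bot: The threat-mapping hunk in `initial_access_execution_via_office_addins.toml` restores three consecutive blank lines before the second `[[rule.threat]]` table and the `references` entries drop to column 0 inside the array, which is valid TOML but inconsistent with the one-blank-line separation and two-space element indent used elsewhere in the same file. Since the revert is meant to restore the pre-3681 state, this may be intentional, but a single blank line before `[[rule.threat]]` and `  "https://github.com/Octoberfest7/XLL_Phishing",` would keep the file uniform without changing behavior. The enclosing `[rule]` table starts before the hunk.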
@@ -2,7 +2,9 @@ creation_date = "2023/03/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" +min_stack_version = "8.4.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -15,23 +17,14 @@ index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon language = "kuery" license = "Elastic License v2" name = "First Time Seen Removable Device" -references = [ - "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", - "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings", -] risk_score = 21 rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Exfiltration", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", +references = [ +"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", +"https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings" ] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "new_terms" 
@@ -47,22 +40,23 @@ id = "T1091" name = "Replication Through Removable Media" reference = "https://attack.mitre.org/techniques/T1091/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" -[[rule.threat.technique.subtechnique]] -id = "T1052.001" -name = "Exfiltration over USB" -reference = "https://attack.mitre.org/techniques/T1052/001/" + [[rule.threat.technique.subtechnique]] + id = "T1052.001" + name = "Exfiltration over USB" + reference = "https://attack.mitre.org/techniques/T1052/001/" [rule.threat.tactic] @@ -70,11 +64,10 @@ id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [rule.new_terms] field = "new_terms_fields" value = ["registry.path"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml index 60d4797b805..d721eef4deb 100644 --- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml +++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml @@ -2,7 +2,9 @@ creation_date = "2024/03/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -17,31 +19,17 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious JetBrains TeamCity Child Process" references = [ - "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html", + "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html" ] risk_score = 47 rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -77,6 +65,8 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -87,16 +77,13 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 54732f29f89..c1cf0508978 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -76,17 +78,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -118,6 +110,8 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -128,7 +122,6 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" 
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index c9c97d1bc8e..578905ab678 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/27" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -11,29 +13,14 @@ Identifies use of the built-in Windows script interpreters (cscript.exe or wscri via Windows Management Instrumentation (WMI). This may be indicative of malicious activity. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.library-*", - "logs-windows.sysmon_operational-*", - "endgame-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Windows Script Interpreter Executing Process via WMI" risk_score = 47 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' 
@@ -86,13 +73,10 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -102,6 +86,10 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" [rule.threat.tactic] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index c82c46e2f7d..9e1d6e88d9d 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -2,7 +2,9 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic", "Austin Songer"] 
@@ -49,17 +51,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -93,6 +85,8 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 17f88e2e4ee..559342a0528 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/03/04"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -17,13 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Exchange Server UM Spawning Suspicious Processes"
@@ -42,16 +38,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -83,6 +70,7 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index ada3c44211b..2b7e956e311 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/03/08"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -31,16 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -64,6 +57,7 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -74,14 +68,12 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 90ea17b54ca..3552617eb97 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ These child processes are often launched during exploitation of Office applicati
 macros.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious MS Office Child Process"
@@ -81,17 +77,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -159,6 +145,7 @@ reference = "https://attack.mitre.org/techniques/T1059/003/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -167,6 +154,7 @@ name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 34f4c925c0e..f3e9a21677c 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [rule]
 author = ["Elastic"]
@@ -11,14 +13,7 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe
 phishing activity.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious MS Outlook Child Process"
@@ -80,18 +75,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -126,6 +110,7 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -148,6 +133,7 @@ reference = "https://attack.mitre.org/techniques/T1059/003/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -156,6 +142,7 @@ name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 8fb53b5a56d..1bf889fb925 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -26,17 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -79,6 +71,7 @@ reference = "https://attack.mitre.org/techniques/T1566/002/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -94,7 +87,6 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.005"
 name = "Visual Basic"
@@ -106,6 +98,7 @@ reference = "https://attack.mitre.org/techniques/T1059/005/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -114,6 +107,7 @@ name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml
index e4fe726f8af..507f47c2545 100644
--- a/rules/windows/initial_access_webshell_screenconnect_server.toml
+++ b/rules/windows/initial_access_webshell_screenconnect_server.toml
@@ -2,22 +2,18 @@
 creation_date = "2024/03/26"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This
-activity may indicate exploitation activity or access to an existing web shell backdoor.
+Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may
+indicate exploitation activity or access to an existing web shell backdoor.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
- "logs-system.security*",
- "endgame-*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "ScreenConnect Server Spawning Suspicious Processes"
@@ -25,16 +21,7 @@ references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-s
 risk_score = 73
 rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -58,6 +45,7 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -68,14 +56,12 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml
index 4b35a4ed939..e757c7ffb68 100644
--- a/rules/windows/initial_access_xsl_script_execution_via_com.toml
+++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml
@@ -2,12 +2,14 @@
 creation_date = "2023/09/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes.
+Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes.
 This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
 """
 from = "now-9m"
@@ -18,14 +20,7 @@ name = "Remote XSL Script Execution via COM"
 risk_score = 21
 rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
@@ -43,7 +38,6 @@ sequence with maxspan=1m
 "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -61,6 +55,7 @@ reference = "https://attack.mitre.org/techniques/T1566/002/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -73,4 +68,3 @@ reference = "https://attack.mitre.org/techniques/T1220/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml
index e2460af09bf..2e4d081e5a4 100644
--- a/rules/windows/lateral_movement_alternate_creds_pth.toml
+++ b/rules/windows/lateral_movement_alternate_creds_pth.toml
@@ -2,14 +2,16 @@
 creation_date = "2023/03/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
 description = """
-Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal
-system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's
-cleartext password.
+Adversaries may pass the hash using stolen password hashes to move laterally within an environment,
+bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user
+without having access to the user's cleartext password.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
@@ -50,11 +52,11 @@ id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.id"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
-
-
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 191930a7cfd..1ac54fbac80 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -11,26 +13,14 @@ Identifies use of sc.exe to create, modify, or start services on remote hosts. T
 lateral movement but will be noisy if commonly done by admins.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Service Command Lateral Movement"
 risk_score = 21
 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index 428f9abd7ca..2fbca0f1142 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -12,12 +14,7 @@ launched via the HTA Application COM Object. This behavior may indicate an attac
 laterally while attempting to evade detection.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement via MSHTA"
@@ -25,14 +22,7 @@ references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"]
 risk_score = 73
 rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index 472b5eaa456..96af58d4069 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -12,12 +14,7 @@ via the MMC20 Application COM Object. This behavior may indicate an attacker abu
 laterally.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with MMC"
@@ -25,15 +22,7 @@ references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20
 risk_score = 73
 rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
@@ -64,19 +53,20 @@ reference = "https://attack.mitre.org/techniques/T1021/003/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.014"
 name = "MMC"
 reference = "https://attack.mitre.org/techniques/T1218/014/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index b2a95628a49..b6dca9f73db 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -12,12 +14,7 @@ the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may
 application to stealthily move laterally.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
@@ -25,14 +22,7 @@ references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-
 risk_score = 47
 rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index 43a994b5e50..e05a7b2c00f 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/03/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -22,16 +24,7 @@ references = [
 risk_score = 47
 rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -61,6 +54,7 @@ reference = "https://attack.mitre.org/techniques/T1021/002/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -68,7 +62,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 3cdaefdf926..1ff1b29f63c 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -95,14 +97,7 @@ This rule looks for unexpected processes making network connections over port 44
 risk_score = 47
 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index 0ef61678ad6..d2abebdb940 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/04/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ indicative of an active RDP shadowing session. An adversary may abuse the RDP Sh
 other users active RDP sessions.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.registry-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
-]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Shadowing Activity"
@@ -37,15 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -75,13 +63,12 @@ framework = "MITRE ATT&CK"
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.001"
 name = "Remote Desktop Protocol"
 reference = "https://attack.mitre.org/techniques/T1021/001/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index f9b06fa6f47..88d746d28f8 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -59,14 +61,7 @@ Adversaries can use network shares to host tooling to support the compromise of
 risk_score = 47
 rule_id = "58bc134c-e8d2-4291-a552-b4b3e537c60b"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index 7e06777f9f7..a49d4b7953e 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint ts
 indicate a lateral movement attempt.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via TSClient Mountpoint"
@@ -33,14 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -55,13 +44,13 @@ framework = "MITRE ATT&CK"
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.001"
 name = "Remote Desktop Protocol"
 reference = "https://attack.mitre.org/techniques/T1021/001/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index 78ee3336494..03cf02f73dc 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/04/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
@@ -89,21 +91,11 @@ Adversaries can use network shares to host tooling to support the compromise of
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = [
- "http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html",
-]
+references = ["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"]
 risk_score = 47
 rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 2384ec06eee..1fc13abf882 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -17,26 +19,14 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming Execution via WinRM Remote Shell"
 risk_score = 47
 rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
@@ -60,7 +50,6 @@ name = "Windows Remote Management"
 reference = "https://attack.mitre.org/techniques/T1021/006/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 296271162ef..b1ff8aaefaa 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -11,26 +13,14 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a
 adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "WMI Incoming Lateral Movement"
 risk_score = 47
 rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
@@ -61,12 +51,12 @@ sequence by host.id with maxspan = 2s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 72bacb2d830..e1bdd3832b3 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies the use of net.exe to mount a WebDav or hidden remote share. This may
 preparation for data exfiltration.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mounting Hidden or WebDav Remote Shares"
@@ -32,15 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -90,6 +78,7 @@ reference = "https://attack.mitre.org/techniques/T1078/003/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -100,14 +89,11 @@ reference = "https://attack.mitre.org/techniques/T1087/"
 id = "T1087.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1087/001/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1087.002"
 name = "Domain Account"
 reference = "https://attack.mitre.org/techniques/T1087/002/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index 51b8ffdcf0b..abdb422d0ea 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -17,12 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming Execution via PowerShell Remoting"
@@ -32,15 +29,7 @@ references = [
 risk_score = 47
 rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
@@ -63,12 +52,11 @@ id = "T1021.006"
 name = "Windows Remote Management"
 reference = "https://attack.mitre.org/techniques/T1021/006/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -81,7 +69,6 @@ name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index c7d277c0002..2e5acf0e372 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -62,17 +64,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -107,6 +99,9 @@ reference = "https://attack.mitre.org/techniques/T1021/001/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -114,7 +109,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 6d75397aa48..dd56f8c1e57 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -22,13 +24,7 @@ references = [
 risk_score = 73
 rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 6517803a3ce..2d06b035c95 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies a remote file copy attempt to a hidden network share. This may indica
 activity.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Copy to a Hidden Share"
@@ -32,14 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
index a8156603769..7230fa97410 100644
--- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml
+++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -18,13 +20,7 @@ name = "Remote Windows Service Installed"
 risk_score = 47
 rule_id = "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Persistence",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index da85d66e7cb..aedaa22b544 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/04/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
@@ -37,12 +39,7 @@ Identifies remote execution of Windows services over remote procedure call (RPC)
 movement, but will be noisy if commonly done by administrators.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remotely Started Services via RPC"
@@ -106,15 +103,7 @@ references = [
 risk_score = 47
 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
index 388703c7100..a820887721c 100644
--- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml
+++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
@@ -2,11 +2,15 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/01"
 [rule]
 author = ["Elastic"]
-description = "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.\n"
+description = """
+Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.
+"""
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "eql"
@@ -45,8 +49,8 @@ risk_score = 47
 rule_id = "9c865691-5599-447a-bac9-b3f2df5f9a9d"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
-timestamp_override = "event.ingested"
 type = "eql"
+timestamp_override = "event.ingested"
 query = '''
 iam where event.action == "scheduled-task-created" and
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 875bfd3abe1..3234e97317a 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -2,18 +2,15 @@
 creation_date = "2020/11/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
 description = "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement."
 from = "now-9m"
-index = [
- "logs-endpoint.events.registry-*",
- "logs-endpoint.events.network-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["logs-endpoint.events.registry-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Scheduled Task Creation"
@@ -48,15 +45,7 @@ note = """## Triage and analysis
 risk_score = 47
 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index b68fdf713de..4bcc98b9f3d 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -27,15 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -71,13 +65,12 @@ framework = "MITRE ATT&CK"
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.001"
 name = "Remote Desktop Protocol"
 reference = "https://attack.mitre.org/techniques/T1021/001/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index 31ee079275f..a58605b33f7 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -18,13 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Child Process of dns.exe"
@@ -81,16 +77,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
index dea6f0ce67c..0675a63a9db 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -38,16 +40,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 650371712a9..2b52e22a8a7 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -27,15 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -56,13 +50,13 @@ framework = "MITRE ATT&CK"
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.001"
 name = "Remote Desktop Protocol"
 reference = "https://attack.mitre.org/techniques/T1021/001/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml
index 98eab1918ae..222a1d54ed4 100644
--- a/rules/windows/persistence_ad_adminsdholder.toml
+++ b/rules/windows/persistence_ad_adminsdholder.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/31"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/09"
 [rule]
 author = ["Elastic"]
@@ -25,14 +27,7 @@ references = [
 risk_score = 73
 rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -48,18 +43,17 @@ framework = "MITRE ATT&CK"
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.002"
 name = "Domain Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/002/"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 7dce05cfbcd..7c944c24750 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [transform]
 [[transform.osquery]]
@@ -34,13 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Detects writing executable files that will be automatically launched by Adobe on launch."
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Adobe Hijack Persistence"
@@ -105,17 +101,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -129,11 +115,6 @@ file where host.os.type == "windows" and event.type == "creation" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1554"
-name = "Compromise Client Software Binary"
-reference = "https://attack.mitre.org/techniques/T1554/"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -143,6 +124,11 @@ id = "T1574.010"
 name = "Services File Permissions Weakness"
 reference = "https://attack.mitre.org/techniques/T1574/010/"
 
 
+[[rule.threat.technique]]
+id = "T1554"
+name = "Compromise Client Software Binary"
+reference = "https://attack.mitre.org/techniques/T1554/"
+
 
 [rule.threat.tactic]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index d1bf7ee53e2..297c90897a0 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -18,14 +20,7 @@ name = "Installation of Custom Shim Databases"
 risk_score = 47
 rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 83d94b2e989..0313a991054 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Detects attempts to maintain persistence by creating registry keys using AppCert
 process using the common API functions to create processes.
 """
 from = "now-9m"
-index = [
-    "winlogbeat-*",
-    "logs-endpoint.events.registry-*",
-    "logs-windows.sysmon_operational-*",
-    "endgame-*",
-    "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Registry Persistence via AppCert DLL"
@@ -32,17 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Tactic: Privilege Escalation",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-    "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -74,6 +60,7 @@ reference = "https://attack.mitre.org/techniques/T1546/009/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index 28fb63edc48..104d726eb32 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index 5510e1a7d8b..32a8066c708 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -18,13 +20,7 @@ name = "Browser Extension Install"
 risk_score = 21
 rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
 severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -49,7 +45,6 @@ file where host.os.type == "windows" and event.action : "creation" and
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -57,9 +52,7 @@ id = "T1176"
 name = "Browser Extensions"
 reference = "https://attack.mitre.org/techniques/T1176/"
 
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index 47ca6bb6651..a17685c15bd 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -69,7 +71,7 @@ tags = [
     "Tactic: Persistence",
     "Data Source: Active Directory",
     "Resources: Investigation Guide",
-    "Use Case: Active Directory Monitoring",
+    "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index f8fc9d5dc76..fc11dc014d8 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -58,16 +60,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Resources: Investigation Guide",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 5488b17dee4..d9072494d77 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -21,16 +23,7 @@ references = [
 risk_score = 47
 rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Tactic: Defense Evasion",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -68,6 +61,9 @@ reference = "https://attack.mitre.org/techniques/T1546/012/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -75,7 +71,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
 
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 68063c7b4fa..466f4625284 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/03/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [transform]
 [[transform.osquery]]
@@ -96,17 +98,7 @@ Techniques used within malware and by adversaries often leverage the Windows reg
 risk_score = 73
 rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff"
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Tactic: Defense Evasion",
-    "Resources: Investigation Guide",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
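Review bot: In the `@@ -2,7 +2,9 @@` hunk of persistence_evasion_registry_startup_shell_folder_modified.toml the restored metadata keys come back as `updated_date`, then `min_stack_comments`, then `min_stack_version`, whereas every other rule file in this diff restores them in the order `min_stack_comments`, `min_stack_version`, `updated_date`; the same inverted order appears in the `@@ -2,7 +2,9 @@` hunk of persistence_priv_escalation_via_accessibility_features.toml. If this is meant to be a byte-for-byte revert the inconsistency is inherited from the pre-trim state, but since these files are about to be re-trimmed again it would be cheaper to normalise them now by moving `updated_date = "2024/03/28"` below `min_stack_version = "8.3.0"` in both files. The three consecutive added blank lines before `[[rule.threat]]` in the `@@ -68,6 +61,9 @@` hunk (and the matching `@@ -152,6 +144,9 @@` hunk of the shell-folder file) are likewise restored from history, while the other files in this diff re-add a single blank line at the same spot.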
@@ -152,6 +144,9 @@ reference = "https://attack.mitre.org/techniques/T1547/001/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -159,7 +154,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
 
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index aee75496dcf..2a6f2e67c97 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/03/15"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ task scheduling functionality to facilitate initial or recurring execution of ma
 """
 false_positives = ["Legitimate scheduled jobs may be created during installation of new software."]
 from = "now-9m"
-index = [
-    "winlogbeat-*",
-    "logs-endpoint.events.file-*",
-    "logs-windows.sysmon_operational-*",
-    "endgame-*",
-    "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Scheduled Job Creation"
@@ -33,16 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-    "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 26e1a4dbada..1700e005650 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -23,14 +25,7 @@ references = [
 risk_score = 21
 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a"
 severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index a3f1b4f8eaa..d553e5e1f9f 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ an adversary to establish persistence.
 """
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 from = "now-9m"
-index = [
-    "winlogbeat-*",
-    "logs-endpoint.events.registry-*",
-    "logs-endpoint.events.library-*",
-    "logs-windows.sysmon_operational-*",
-    "endgame-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Scheduled Task Created by a Windows Script"
@@ -28,16 +24,7 @@ Decode the base64 encoded Tasks Actions registry value to investigate the task's
 risk_score = 47
 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a"
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Tactic: Execution",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 
 query = '''
@@ -69,6 +56,7 @@ reference = "https://attack.mitre.org/techniques/T1053/005/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index eccc979af8a..f40d7cb5219 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -24,15 +26,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -54,13 +48,12 @@ framework = "MITRE ATT&CK"
 id = "T1137"
 name = "Office Application Startup"
 reference = "https://attack.mitre.org/techniques/T1137/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1137.006"
 name = "Add-ins"
 reference = "https://attack.mitre.org/techniques/T1137/006/"
-
-
 
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 8d5bf2ff561..89474f8e564 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,15 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
index 3efb314e337..8d7e3af7cc7 100644
--- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
+++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -38,14 +40,7 @@ Audit User Account Management (Success,Failure)
 ```
 """
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Use Case: Active Directory Monitoring",
-    "Data Source: Active Directory",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml
index f081de1f735..79bc509048d 100644
--- a/rules/windows/persistence_msoffice_startup_registry.toml
+++ b/rules/windows/persistence_msoffice_startup_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -22,14 +24,7 @@ references = [
 risk_score = 21
 rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
 severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Tactic: Defense Evasion",
-    "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -38,7 +33,6 @@ registry where host.os.type == "windows" and event.action != "deletion" and
   registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -49,13 +43,12 @@ reference = "https://attack.mitre.org/techniques/T1137/"
 id = "T1137.002"
 name = "Office Test"
 reference = "https://attack.mitre.org/techniques/T1137/002/"
-
-
-
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -63,7 +56,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
 
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml
index b7391f7f221..ef39af45178 100644
--- a/rules/windows/persistence_netsh_helper_dll.toml
+++ b/rules/windows/persistence_netsh_helper_dll.toml
@@ -2,14 +2,16 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its
-functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed,
-which can be done by administrators or a scheduled task.
+Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality.
+Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done
+by administrators or a scheduled task.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.registry-*", "endgame-*"]
@@ -19,14 +21,7 @@ name = "Netsh Helper DLL"
 risk_score = 21
 rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
 severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -51,11 +46,12 @@ name = "Netsh Helper DLL"
 reference = "https://attack.mitre.org/techniques/T1546/007/"
 
 
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -68,4 +64,3 @@ reference = "https://attack.mitre.org/techniques/T1112/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index 37ab09c27b6..e7fbc4f3a4c 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ Adversaries may target user email to collect sensitive information.
 """
 false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
-index = [
-    "logs-endpoint.events.process-*",
-    "winlogbeat-*",
-    "logs-windows.*",
-    "endgame-*",
-    "logs-system.security*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "New ActiveSyncAllowedDeviceID Added via PowerShell"
@@ -37,15 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Tactic: Execution",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -72,6 +60,7 @@ reference = "https://attack.mitre.org/techniques/T1098/002/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index 668dc35eda6..04eaf04023e 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/10/13"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -102,16 +103,7 @@ references = [
 risk_score = 47
 rule_id = "5cf6397e-eb91-4f31-8951-9f0eaa755a31"
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Tactic: Privilege Escalation",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -141,6 +133,7 @@ reference = "https://attack.mitre.org/techniques/T1546/013/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 857ad758109..e6088b0d86e 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [transform]
 [[transform.osquery]]
@@ -108,16 +110,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Resources: Investigation Guide",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 18011a9884c..22539edbe9a 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -19,14 +21,7 @@ references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=27620
 risk_score = 47
 rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Persistence",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
 timeline_title = "Comprehensive Registry Timeline"
 timestamp_override = "event.ingested"
@@ -98,16 +93,6 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-[[rule.threat.technique.subtechnique]]
-id = "T1546.002"
-name = "Screensaver"
-reference = "https://attack.mitre.org/techniques/T1546/002/"
-
-
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
@@ -117,7 +102,14 @@ id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
 
-
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.002"
+name = "Screensaver"
+reference = "https://attack.mitre.org/techniques/T1546/002/"
 
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index a15ea8909c6..2d616617e34 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/18"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/18"
 [rule]
 author = ["Elastic"]
@@ -17,6 +19,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Account Password Reset Remotely"
 note = """
+
 ## Performance
 This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.
 """
@@ -29,13 +32,7 @@ references = [
 risk_score = 47
 rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Impact",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"]
 type = "eql"
 query = '''
@@ -71,14 +68,15 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1531"
 name = "Account Access Removal"
 reference = "https://attack.mitre.org/techniques/T1531/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index b03de150363..7d7ea941dc7 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -101,15 +103,7 @@ Adversaries may achieve persistence by referencing a program with a registry run
 risk_score = 21
 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
 timeline_title = "Comprehensive Registry Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index e4e9538432b..8fc63c13930 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -18,15 +20,7 @@ name = "Execution of Persistent Suspicious Program"
 risk_score = 47
 rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml
index ed3a6f2fd42..18db7189b13 100644
--- a/rules/windows/persistence_scheduled_task_creation_winlog.toml
+++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/01/05"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml
index dd23a6bc267..a2b566ef3b4 100644
--- a/rules/windows/persistence_scheduled_task_updated.toml
+++ b/rules/windows/persistence_scheduled_task_updated.toml
@@ -2,7 +2,10 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
+
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index d5d88fd76cf..396217ba5c8 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -92,7 +94,7 @@ tags = [
 "Tactic: Persistence",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -108,22 +110,22 @@ any where event.action == "Directory Service Changes" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.002"
 name = "Domain Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/002/"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml
index 4c9bda1fc63..d348c770f07 100644
--- a/rules/windows/persistence_service_dll_unsigned.toml
+++ b/rules/windows/persistence_service_dll_unsigned.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
+min_stack_version = "8.4.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
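Review bot: The `@@ -92,7 +94,7 @@` hunk in persistence_sdprop_exclusion_dsheuristics.toml removes the trailing comma after `"Use Case: Active Directory Monitoring"`, while the multi-line `tags` arrays removed elsewhere in this commit all carried one. TOML accepts the trailing comma, and keeping it means a later tag addition is a one-line diff rather than two. Since a revert is meant to restore the earlier bytes exactly, I'd leave this hunk as is and restore `"Use Case: Active Directory Monitoring",` in a follow-up formatting pass. The `tags` array itself opens before the hunk starts.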
@@ -18,15 +20,7 @@ name = "Unsigned DLL Loaded by Svchost"
 risk_score = 47
 rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -142,23 +136,24 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml
index 813526bb165..7bd5af1c5bf 100644
--- a/rules/windows/persistence_service_windows_service_winlog.toml
+++ b/rules/windows/persistence_service_windows_service_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/08"
 [transform]
 [[transform.osquery]]
@@ -28,20 +30,15 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 [[transform.osquery]]
 label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
-issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
-authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
 """
 [[transform.osquery]]
 label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
-issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
-authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -97,13 +94,7 @@ This rule looks for suspicious services being created with suspicious traits com
 risk_score = 47
 rule_id = "da87eee1-129c-4661-a7aa-57d0b9645fad"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index c58066caed3..9fae059ac87 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -19,16 +21,7 @@ name = "Unusual Persistence via Services Registry"
 risk_score = 21
 rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -74,6 +67,9 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -81,7 +77,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index da4b4658921..1cbcef5d6cf 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
@@ -109,16 +111,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index 7e42c967460..e3c7edc80eb 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/04/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
@@ -100,15 +102,7 @@ This rule looks for unsigned processes writing to the Startup folder locations.
 risk_score = 47
 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
@@ -146,19 +140,19 @@ reference = "https://attack.mitre.org/techniques/T1547/001/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index fe6a4bcdd3e..a773d1af6b6 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
@@ -108,16 +110,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 29a569e13cc..8b63c653559 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/08"
 [rule]
 author = ["Elastic"]
@@ -70,17 +72,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Privilege Escalation","Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -156,6 +148,7 @@ reference = "https://attack.mitre.org/techniques/T1546/015/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -173,6 +166,9 @@ reference = "https://attack.mitre.org/techniques/T1546/015/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -180,7 +176,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index c03e8ea7186..ee16c9b7969 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
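Review bot: In the `@@ -70,17 +72,7 @@` hunk of persistence_suspicious_com_hijack_registry.toml the restored single-line `tags` array has no space after the comma between `"Tactic: Privilege Escalation"` and `"Resources: Investigation Guide"`, unlike every other `tags` array in this commit. It is valid TOML and parses to the same list, so the rule's tagging is unaffected, but it is exactly what a formatter pass would flag. Since a revert is expected to restore the earlier bytes verbatim, the fix belongs in a follow-up: `"Tactic: Privilege Escalation", "Resources: Investigation Guide"`.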
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -123,16 +124,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -150,30 +142,31 @@ framework = "MITRE ATT&CK"
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.005"
 name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.005"
 name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index d74b17c8c9b..7a9d64617bb 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -24,14 +26,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -94,6 +89,7 @@ reference = "https://attack.mitre.org/techniques/T1053/005/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -106,7 +102,6 @@ name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index 2f2ffddac1a..5af4cd96a3d 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -18,16 +20,7 @@ name = "Suspicious ImagePath Service Creation"
 risk_score = 73
 rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -58,6 +51,9 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -65,7 +61,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
index 617d438f1ed..f575f2ec6a9 100644
--- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml
+++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/02/02"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Related integrations field type changes in 8.8.0"
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -16,19 +18,13 @@ language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WMI Event Subscription Created"
 references = [
- "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf",
- "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96",
+ "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf",
+ "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96",
 ]
 risk_score = 47
 rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -37,19 +33,18 @@ any where event.dataset == "windows.sysmon_operational" and event.code == "21" a
 winlog.event_data.Operation : "Created" and
 winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
-[[rule.threat.technique.subtechnique]]
-id = "T1546.003"
-name = "Windows Management Instrumentation Event Subscription"
-reference = "https://attack.mitre.org/techniques/T1546/003/"
-
+ [[rule.threat.technique.subtechnique]]
+ id = "T1546.003"
+ name = "Windows Management Instrumentation Event Subscription"
+ reference = "https://attack.mitre.org/techniques/T1546/003/"
 [rule.threat.tactic]
 id = "TA0003"
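Review bot: In the `@@ -37,19 +33,18 @@` hunk of persistence_sysmon_wmi_event_subscription.toml the restored `[[rule.threat.technique.subtechnique]]` header and its three key lines are indented under the parent technique, while every other subtechnique table in this commit sits at column 0; the two `references` entries in the `@@ -16,19 +18,13 @@` hunk are likewise re-indented so that the removed and added lines differ only in leading whitespace. TOML ignores leading whitespace before table headers and keys, so the rule's ATT&CK mapping (T1546 / T1546.003) is unchanged, but the mixed indentation makes this file read differently from its siblings and produces whitespace-only churn in the history. If the revert has to reproduce the earlier bytes exactly, a follow-up could dedent the four subtechnique lines to `[[rule.threat.technique.subtechnique]]` at column 0 with the rest of the rule set. The `[rule.threat.tactic]` table continues past the end of the hunk.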
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 0d6cd6a0136..cfc9e231131 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [transform]
 [[transform.osquery]]
@@ -25,7 +27,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -33,14 +34,7 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati
 testers may run a shell as a service to gain SYSTEM permissions.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Shells via Services"
@@ -87,17 +81,7 @@ This rule looks for system shells being spawned by `services.exe`, which is comp
 risk_score = 47
 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -128,6 +112,7 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -138,7 +123,6 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml
index f594f5be074..233359c3c3d 100644
--- a/rules/windows/persistence_temp_scheduled_task.toml
+++ b/rules/windows/persistence_temp_scheduled_task.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/13"
 [rule]
 author = ["Elastic"]
@@ -20,13 +22,7 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti
 risk_score = 47
 rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution"]
 type = "eql"
 query = '''
@@ -35,7 +31,6 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m
 [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -53,19 +48,20 @@ reference = "https://attack.mitre.org/techniques/T1053/005/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.005"
 name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index 6349b995f6c..96b066dded8 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -97,16 +98,7 @@ references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"]
 risk_score = 47
 rule_id = "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -142,6 +134,7 @@ reference = "https://attack.mitre.org/techniques/T1547/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index 5d34c49c078..a9bf18fa9a8 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic", "Skoetting"]
@@ -59,15 +61,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index 1f23de1adb6..bd955a90fef 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies attempts to create new users. This is sometimes done by attackers to
 on a system or domain.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "User Account Creation"
@@ -65,15 +61,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index fdebc251f6b..de2cfc044a4 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/01"
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ changes over time. This Windows functionality has been abused by attackers to st
 code execution in legitimate Windows processes.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Application Shimming via Sdbinst"
@@ -33,14 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index 4dd8ee1d98e..b0b62e8192b 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/12/04"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ that runs after a job finishes transferring data or after a job enters a specifi
 system.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via BITS Job Notify Cmdline"
@@ -39,16 +35,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 93cbe924c0a..db0134e02c7 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -30,17 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -79,8 +71,10 @@ reference = "https://attack.mitre.org/techniques/T1547/001/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
@@ -91,6 +85,8 @@ reference = "https://attack.mitre.org/techniques/T1106/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -98,7 +94,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 9f8ee232a03..9a700a80be5 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -26,16 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -68,6 +61,9 @@ reference = "https://attack.mitre.org/techniques/T1547/005/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -75,7 +71,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index a981690a029..58ffb83f793 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,17 +13,13 @@ Detects the successful hijack of Microsoft Compatibility Appraiser scheduled tas
 integrity level of system.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via TelemetryController Scheduled Task Hijack"
-references = ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"]
+references = [
+ "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence",
+]
 risk_score = 73
 rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2"
 setup = """## Setup
@@ -33,15 +31,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -74,13 +64,14 @@ id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
@@ -90,13 +81,13 @@ id = "T1053.005"
 name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 51551db3bc2..58ef5c3fe52 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
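Review bot: The `[metadata]` keys restored in the persistence_via_update_orchestrator_service_hijack.toml hunk come back in a different order from every other metadata hunk in this patch: `updated_date` is placed before `min_stack_comments`/`min_stack_version` here, while the other files restore them as `min_stack_comments`, `min_stack_version`, `updated_date`. The privilege_escalation_driver_newterm_imphash.toml hunk at the end of this chunk drifts the same way, moving `integration` below `min_stack_version` (that hunk runs past the visible range). Since this is a revert the order is presumably inherited, but keeping the block sorted, `+min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, `+min_stack_version = "8.3.0"`, `+updated_date = "2024/03/28"`, avoids a follow-up churn commit if a formatter later normalizes key order.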
@@ -105,17 +107,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Use Case: Vulnerability",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -157,6 +149,7 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 02d9eb6461e..0e9060c0e2d 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ bindings that execute code when a defined event occurs. Adversaries may use the
 event and execute arbitrary code when that event occurs, providing persistence on a system.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via WMI Event Subscription"
@@ -34,15 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -71,14 +59,15 @@ reference = "https://attack.mitre.org/techniques/T1546/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
index 8d26a4ebe80..625e1c3c611 100644
--- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
+++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/03/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -100,14 +101,7 @@ references = [
 risk_score = 73
 rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
index 41d3b26110b..9e7f7d5da89 100644
--- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may
 using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via MSSQL xp_cmdshell Stored Procedure"
@@ -66,15 +62,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -93,37 +81,38 @@ process where host.os.type == "windows" and event.type == "start" and process.pa
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1505"
 name = "Server Software Component"
 reference = "https://attack.mitre.org/techniques/T1505/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1505.001"
 name = "SQL Stored Procedures"
 reference = "https://attack.mitre.org/techniques/T1505/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index 3fa3d164424..2c40fa27331 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/08/24"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [rule]
 author = ["Elastic"]
@@ -14,14 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Web Shell Detection: Script Process Child of Common Web Processes"
@@ -84,18 +79,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Initial Access",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -145,13 +129,9 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1047"
-name = "Windows Management Instrumentation"
-reference = "https://attack.mitre.org/techniques/T1047/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
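Review bot: The `[[rule.threat.technique]]` entry for T1047 removed at the end of this hunk is not dropped from persistence_webshell_detection.toml; the following hunk re-adds it after the T1059.005 subtechnique, so the net effect is only a reordering within the Execution tactic. The removed position was the ID-sorted one (T1047 before T1059), and privilege_escalation_disable_uac_registry.toml receives the same treatment with T1112 moved after T1562. It is worth confirming that the rule's ATT&CK coverage is identical before and after the move, and considering keeping techniques ID-sorted even in a revert so that a later normalization pass does not reorder them again.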
@@ -160,18 +140,22 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.005"
 name = "Visual Basic"
 reference = "https://attack.mitre.org/techniques/T1059/005/"
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml
index fa3636187dc..2ca1d429677 100644
--- a/rules/windows/persistence_werfault_reflectdebugger.toml
+++ b/rules/windows/persistence_werfault_reflectdebugger.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 [rule]
 author = ["Elastic"]
@@ -19,14 +21,7 @@ references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.h
 risk_score = 21
 rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -46,11 +41,12 @@ id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -63,4 +59,3 @@ reference = "https://attack.mitre.org/techniques/T1112/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml
index ecd4afd2994..9f6d7a2e664 100644
--- a/rules/windows/privilege_escalation_create_process_as_different_user.toml
+++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
index ffd8fd02012..d3675bbc2b1 100644
--- a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
+++ b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: process.Ext.effective_parent.executable, process.Ext.effective_parent.name, process.Ext.relative_file_creation_time, process.Ext.relative_file_name_modify_time"
+min_stack_version = "8.4.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -15,17 +17,13 @@ index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Created with a Duplicated Token"
-references = ["https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"]
+references = [
+ "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw",
+]
 risk_score = 47
 rule_id = "1b0b4818-5655-409b-9c73-341cac4bb73f"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -66,6 +64,7 @@ framework = "MITRE ATT&CK"
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1134.001"
 name = "Token Impersonation/Theft"
@@ -82,4 +81,3 @@ reference = "https://attack.mitre.org/techniques/T1134/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml
index 8c3dc14a8e7..154f98b3d26 100644
--- a/rules/windows/privilege_escalation_credroaming_ldap.toml
+++ b/rules/windows/privilege_escalation_credroaming_ldap.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -41,14 +43,7 @@ Audit Directory Service Changes (Success,Failure)
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Data Source: Active Directory",
- "Tactic: Privilege Escalation",
- "Use Case: Active Directory Monitoring",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 2dd83bb73f4..007400959f9 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -80,16 +82,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -127,11 +120,6 @@ name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" @@ -141,7 +129,6 @@ id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -151,6 +138,11 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] @@ -158,3 +150,4 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml index 4b8812b03c7..8bcae7a6ea6 100644 --- a/rules/windows/privilege_escalation_driver_newterm_imphash.toml +++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml 
@@ -1,32 +1,30 @@ [metadata] creation_date = "2022/12/19" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" +min_stack_version = "8.6.0" +integration = ["endpoint"] +updated_date = "2024/03/28" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ - [rule] author = ["Elastic"] description = """ -Identifies the load of a driver with an original file name and signature values that were observed for the first time -during the last 30 days. 
This rule type can help baseline drivers installation within your environment. +Identifies the load of a driver with an original file name and signature values that were observed +for the first time during the last 30 days. This rule type can help baseline drivers installation +within your environment. """ from = "now-9m" index = ["logs-endpoint.events.library-*"] @@ -99,15 +97,7 @@ references = ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-drive risk_score = 47 rule_id = "df0fd41e-5590-4965-ad5e-cd079ec22fa9" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" @@ -115,7 +105,6 @@ query = ''' event.category:"driver" and host.os.type:windows and event.action:"load" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -128,6 +117,8 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -140,7 +131,6 @@ name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -152,5 +142,3 @@ value = ["dll.pe.original_file_name", "dll.code_signature.subject_name"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-30d" - - diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml index 5026c5b0606..a94586c1294 100644 
--- a/rules/windows/privilege_escalation_expired_driver_loaded.toml +++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml @@ -2,7 +2,9 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -16,19 +18,12 @@ language = "eql" license = "Elastic License v2" name = "Expired or Revoked Driver Loaded" references = [ - "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN", + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" ] risk_score = 47 rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -37,7 +32,6 @@ driver where host.os.type == "windows" and process.pid == 4 and dll.code_signature.status : ("errorExpired", "errorRevoked") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -50,19 +44,20 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index d73ec6d3beb..a25aab23346 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml +++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml 
@@ -2,32 +2,27 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/23" [rule] author = ["Elastic"] -description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n" +description = """ +Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution. +""" from = "now-9m" index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential privilege escalation via CVE-2022-38028" references = [ - "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/", + "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/" ] risk_score = 73 rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -37,7 +32,6 @@ file where host.os.type == "windows" and "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -50,6 +44,7 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -57,7 +52,6 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml index 5208f641c4d..11fcae30c93 100644 --- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml +++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -27,16 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
@@ -65,6 +58,7 @@ reference = "https://attack.mitre.org/techniques/T1484/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index 51ebb21e505..e7e5d9fdd1c 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -2,7 +2,9 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -90,7 +92,7 @@ tags = [ "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", + "Use Case: Active Directory Monitoring" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml index cd65fe208bb..ba092d3ffb6 100644 --- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml +++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml @@ -2,7 +2,9 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -72,7 +74,7 @@ tags = [ "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", + "Use Case: Active Directory Monitoring" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml index 53ad7a334fe..f40348e6cc4 100644 --- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml @@ -2,7 +2,9 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -93,7 +95,7 @@ tags = [ "Tactic: Lateral Movement", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", + "Use Case: Active Directory Monitoring" ] timestamp_override = "event.ingested" type = "query" @@ -134,8 +136,10 @@ reference = "https://attack.mitre.org/techniques/T1484/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" @@ -146,4 +150,3 @@ reference = "https://attack.mitre.org/techniques/T1570/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index d1f06892c29..aed4bd9d302 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/11/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -108,15 +110,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml index 83e22935c51..07bf29f3339 100644 --- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml +++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml @@ -2,7 +2,9 @@ creation_date = "2022/04/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -25,15 +27,7 @@ references = [ risk_score = 73 rule_id = "e4e31051-ee01-4307-a6ee-b21b186958f4" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] type = "eql" query = ''' diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml index 2815d03202f..9464e43efcc 100644 --- a/rules/windows/privilege_escalation_lsa_auth_package.toml +++ b/rules/windows/privilege_escalation_lsa_auth_package.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -19,14 +21,7 @@ name = "Potential LSA Authentication Package Abuse" risk_score = 47 rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml index 4127468dfe2..9ee903cf98b 100644 --- a/rules/windows/privilege_escalation_make_token_local.toml 
+++ b/rules/windows/privilege_escalation_make_token_local.toml @@ -2,13 +2,15 @@ creation_date = "2023/12/04" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/15" [rule] author = ["Elastic"] description = """ -Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new -token to escalate privileges and bypass access controls. +Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may +create a new token to escalate privileges and bypass access controls. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] @@ -72,4 +74,3 @@ reference = "https://attack.mitre.org/techniques/T1134/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index 1edba51e546..ff81077a507 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] 
@@ -37,13 +39,7 @@ Identifies a privilege escalation attempt via named pipe impersonation. An adver utilizing a framework such Metasploit's meterpreter getsystem command. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via Named Pipe Impersonation" @@ -120,7 +116,7 @@ tags = [ "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml index 5787866e3a9..d8b013c2e42 100644 --- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml +++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml 
@@ -2,23 +2,25 @@ creation_date = "2023/11/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" +min_stack_version = "8.4.0" +updated_date = "2024/01/15" [rule] author = ["Elastic"] description = """ -Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access -token forging capability that are often abused to bypass access control restrictions. +Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token +forging capability that are often abused to bypass access control restrictions. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "First Time Seen NewCredentials Logon Process" -references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"] risk_score = 47 rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d" severity = "medium" +references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"] tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "new_terms" @@ -40,17 +42,15 @@ name = "Token Impersonation/Theft" reference = "https://attack.mitre.org/techniques/T1134/001/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index ed74562df8d..8759499b76f 100644 
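Review bot: In the `[rule]` table of privilege_escalation_newcreds_logon_rare_process.toml the new side places `references = [...]` after `severity`, while every other rule file in this patch (and the removed line here) keeps `references` immediately before `risk_score`. TOML key order has no effect on how the rule loads, so this is a consistency point only, but it makes the file diverge from the layout the rest of the rule set uses. Since this commit is a revert it presumably restores the older ordering; if a follow-up touches this file, moving `references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"]` back above `risk_score = 47` would realign it. The `min_stack_comments`/`min_stack_version = "8.4.0"` pair added in the same hunk is consistent with the single-field `new_terms` rule type the file declares.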
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -2,7 +2,9 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -85,7 +87,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" @@ -150,19 +152,19 @@ reference = "https://attack.mitre.org/techniques/T1574/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml index 4c4ac047e3d..02021929a99 100644 --- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml +++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -20,14 +22,7 @@ references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-gro risk_score = 47 rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -54,7 +49,6 @@ reference = "https://attack.mitre.org/techniques/T1547/" id = "T1547.010" name = "Port Monitors" reference = "https://attack.mitre.org/techniques/T1547/010/" - [[rule.threat.technique.subtechnique]] id = "T1547.012" name = "Print Processors" @@ -76,7 +70,6 @@ reference = "https://attack.mitre.org/techniques/T1547/" id = "T1547.010" name = "Port Monitors" reference = "https://attack.mitre.org/techniques/T1547/010/" - [[rule.threat.technique.subtechnique]] id = "T1547.012" name = "Print Processors" diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml index 104f6ed9483..8542b868669 100644 --- a/rules/windows/privilege_escalation_posh_token_impersonation.toml +++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml @@ -2,7 +2,9 @@ creation_date = "2022/08/17" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ 
@@ -128,13 +129,7 @@ references = [ risk_score = 47 rule_id = "11dd9713-0ec6-4110-9707-32daae1ee68c" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: PowerShell Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index 03ba85956c0..c0752b55e99 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -24,16 +26,7 @@ references = [ risk_score = 73 rule_id = "bd7eefee-f671-494e-98df-f01daf9e5f17" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index 2b31df40e37..80d175281dd 100644 
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -31,16 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml index 8fee45cb790..da760c6a03f 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -33,16 +35,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index f6e2619c9b4..04705ffe7b1 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] 
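Review bot: The `[metadata]` hunk of privilege_escalation_printspooler_suspicious_spl_file.toml writes `updated_date` before `min_stack_comments` and `min_stack_version`, whereas every other rule file in this patch orders these keys `min_stack_comments`, `min_stack_version`, `updated_date`. Key order does not matter to TOML or to the rule loader, so this is purely a style/consistency nit, but a stable metadata key order keeps future diffs of these headers readable. As this is a revert, the ordering is likely the pre-existing one; a later cleanup could reorder to `min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, `min_stack_version = "8.3.0"`, `updated_date = "2024/03/28"`.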
@@ -106,16 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 07e9726f371..369de22ae7a 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -19,15 +21,7 @@ references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variable
 risk_score = 73
 rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index ed2a9f31ab9..818894d1785 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/12/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -34,16 +36,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
- "Use Case: Vulnerability",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -56,6 +49,7 @@ iam where event.action == "renamed-user-account" and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
index fb37b69bae6..a7540a238b5 100644
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, set-up"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [transform]
 [[transform.osquery]]
@@ -25,7 +27,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -79,17 +80,7 @@ The `sc.exe` command line utility is used to manage and control Windows services
 risk_score = 21
 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -117,19 +108,13 @@ id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
 
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1047"
-name = "Windows Management Instrumentation"
-reference = "https://attack.mitre.org/techniques/T1047/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -138,29 +123,35 @@ reference = "https://attack.mitre.org/techniques/T1059/"
@@ -138,29 +123,35 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" @@ -172,7 +163,6 @@ name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml index 20cd7649292..df47b515e14 100644 --- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml +++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml @@ -2,7 +2,9 @@ creation_date = "2022/05/11" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/21" [rule] author = ["Elastic"] 
@@ -24,15 +26,7 @@ references = [
 risk_score = 73
 rule_id = "6bed021a-0afb-461c-acbe-ffdb9574d3f3"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
- "Use Case: Vulnerability",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
index 52b35de4dd2..842ee232096 100644
--- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
+++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/10/20"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/01/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index bc934e48b4c..2b333cea9b8 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -27,17 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -66,6 +58,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -83,6 +76,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 252307c82e7..cf28f5d3cde 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -27,17 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -68,6 +60,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -85,6 +78,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -102,4 +96,3 @@ reference = "https://attack.mitre.org/techniques/T1559/001/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index dc53b678812..094f11fdeb7 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -26,17 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -65,6 +57,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -82,6 +75,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 9989095fd51..6e72533b81b 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled
 stealthily execute code with elevated permissions.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
@@ -32,16 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -71,6 +58,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -88,6 +76,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index 2f8b172089e..f7d97510c29 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/27"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -30,16 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -69,6 +62,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -79,8 +73,6 @@ reference = "https://attack.mitre.org/techniques/T1548/"
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
-
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -97,3 +89,4 @@ id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 
+
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index d0c4a672662..c6d243d3465 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/17"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [transform]
 [[transform.osquery]]
@@ -37,13 +39,7 @@ Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass
 elevated permissions.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Bypass UAC via Event Viewer"
@@ -112,16 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -153,6 +140,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 7d67405a5f5..e664bf293e9 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/26"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [transform]
 [[transform.osquery]]
@@ -37,13 +39,7 @@ Identifies an attempt to bypass User Account Control (UAC) by masquerading as a
 Attackers may bypass UAC to stealthily execute code with elevated permissions.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass Attempt via Windows Directory Masquerading"
@@ -112,16 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -148,18 +135,9 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-[[rule.threat.technique.subtechnique]]
-id = "T1036.005"
-name = "Match Legitimate Name or Location"
-reference = "https://attack.mitre.org/techniques/T1036/005/"
-
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
@@ -169,6 +147,15 @@ id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
 
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
 
 
 [rule.threat.tactic]
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 54e126d89dc..5d47b701d61 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [transform]
 [[transform.osquery]]
@@ -106,17 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -146,18 +138,9 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-[[rule.threat.technique.subtechnique]]
-id = "T1218.014"
-name = "MMC"
-reference = "https://attack.mitre.org/techniques/T1218/014/"
-
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
@@ -166,6 +149,15 @@ reference = "https://attack.mitre.org/techniques/T1548/"
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.014"
+name = "MMC"
+reference = "https://attack.mitre.org/techniques/T1218/014/"
 
 
 
diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml
index c84307aa9f4..1b27f6a8932 100644
--- a/rules/windows/privilege_escalation_unquoted_service_path.toml
+++ b/rules/windows/privilege_escalation_unquoted_service_path.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -19,13 +21,7 @@ name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
 risk_score = 21
 rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -40,6 +36,7 @@ process where host.os.type == "windows" and event.type == "start" and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -50,9 +47,7 @@ name = "Path Interception by Unquoted Path"
 reference = "https://attack.mitre.org/techniques/T1574/009/"
 
 
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 4c3ec0857cc..2a2df54861a 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [transform]
 [[transform.osquery]]
@@ -37,13 +39,7 @@ Identifies Windows programs run from unexpected parent processes. This could ind
 activity on a system.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Parent-Child Relationship"
@@ -112,15 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index f9fa449d1ae..1cc52ef44dd 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -33,14 +35,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index 8aae57f66a0..62cfc4928d8 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -27,16 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -99,7 +92,6 @@ name = "Process Hollowing"
 reference = "https://attack.mitre.org/techniques/T1055/012/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
index 57c9603c900..c5c94e637c9 100644
--- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml
+++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -24,13 +26,7 @@ references = [
 risk_score = 73
 rule_id = "26b01043-4f04-4d2f-882a-5a1d2e95751b"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index 52704a92758..3cdd594f349 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/13"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -34,13 +36,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml
index 4e4c0049a82..62f573c9774 100644
--- a/rules/windows/privilege_escalation_via_token_theft.toml
+++ b/rules/windows/privilege_escalation_via_token_theft.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup, process.Ext.effective_parent.executable"
+min_stack_version = "8.4.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -22,13 +24,7 @@ references = [
 risk_score = 73
 rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 034fdc25533..cd608a639b5 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/07"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml
index 445af055e36..a8f4f0650a1 100644
--- a/rules_building_block/collection_archive_data_zip_imageload.toml
+++ b/rules_building_block/collection_archive_data_zip_imageload.toml
@@ -2,34 +2,29 @@ creation_date = "2023/07/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration. """ from = "now-119m" -index = ["logs-endpoint.events.library-*"] interval = "60m" +index = ["logs-endpoint.events.library-*"] language = "eql" license = "Elastic License v2" name = "Compression DLL Loaded by Unusual Process" risk_score = 21 rule_id = "d197478e-39f0-4347-a22f-ba654718b148" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' library where host.os.type == "windows" and event.action == "load" and @@ -53,7 +48,6 @@ library where host.os.type == "windows" and event.action == "load" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -61,9 +55,7 @@ id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml index 8cbf9f55494..7799e686368 100644 --- a/rules_building_block/collection_common_compressed_archived_file.toml 
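Review bot: In the first hunk the restored `[rule]` table puts `interval` ahead of `index`, moves `building_block_type` below `type`, and collapses `tags` onto one line, which is a different layout from the sorted, one-entry-per-line form the commit removes and presumably from what the repo's rule formatter writes out; if that formatter runs again on the next edit, these lines will churn straight back. TOML is indifferent to key order, so nothing functional changes, but the revert could keep the normalized layout and restore only the `min_stack_comments`, `min_stack_version` and `updated_date` lines. The same layout change is repeated in the hunks for `collection_files_staged_in_recycle_bin_root.toml`, `collection_outlook_email_archive.toml`, `command_and_control_bitsadmin_activity.toml`, the two `credential_access_mdmp_*` files, `credential_access_win_private_key_access.toml`, `defense_evasion_cmd_copy_binary_contents.toml` and `defense_evasion_cmstp_execution.toml`.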
+++ b/rules_building_block/collection_common_compressed_archived_file.toml @@ -3,7 +3,9 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = "endpoint" maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -32,7 +34,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "windows" and event.type in ("creation", "change") and process.executable != null and not user.id : ("S-1-5-18", "S-1-5-17") and file.Ext.header_bytes : ( 
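Review bot: `integration = "endpoint"` in the `[metadata]` context of the first hunk is a bare string where every other rule touched by this commit uses a list (`integration = ["endpoint"]`), and the commit leaves it as is. If the metadata schema accepts both forms this is only a consistency nit, but any code that iterates the value would walk the characters of the string instead of one integration name, so `integration = ["endpoint"]` is the safer shape. The `[rule]` table the second hunk's `query` belongs to starts outside that hunk.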
@@ -114,58 +115,59 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1074" -name = "Data Staged" -reference = "https://attack.mitre.org/techniques/T1074/" -[[rule.threat.technique.subtechnique]] -id = "T1074.001" -name = "Local Data Staging" -reference = "https://attack.mitre.org/techniques/T1074/001/" - - -[[rule.threat.technique]] -id = "T1560" -name = "Archive Collected Data" -reference = "https://attack.mitre.org/techniques/T1560/" -[[rule.threat.technique.subtechnique]] -id = "T1560.001" -name = "Archive via Utility" -reference = "https://attack.mitre.org/techniques/T1560/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1132" -name = "Data Encoding" -reference = "https://attack.mitre.org/techniques/T1132/" -[[rule.threat.technique.subtechnique]] -id = "T1132.001" -name = "Standard Encoding" -reference = "https://attack.mitre.org/techniques/T1132/001/" + [[rule.threat.technique]] + id = "T1560" + name = "Archive Collected Data" + reference = "https://attack.mitre.org/techniques/T1560/" + + [[rule.threat.technique.subtechnique]] + id = "T1560.001" + name = "Archive via Utility" + reference = "https://attack.mitre.org/techniques/T1560/001/" + [[rule.threat.technique]] + id = "T1074" + name = "Data Staged" + reference = "https://attack.mitre.org/techniques/T1074/" + + [[rule.threat.technique.subtechnique]] + id = "T1074.001" + name = "Local Data Staging" + reference = "https://attack.mitre.org/techniques/T1074/001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + + [[rule.threat.technique]] + id = "T1132" + name = "Data Encoding" + reference = "https://attack.mitre.org/techniques/T1132/" 
+ + [[rule.threat.technique.subtechnique]] + id = "T1132.001" + name = "Standard Encoding" + reference = "https://attack.mitre.org/techniques/T1132/001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1027" -name = "Obfuscated Files or Information" -reference = "https://attack.mitre.org/techniques/T1027/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique]] + id = "T1027" + name = "Obfuscated Files or Information" + reference = "https://attack.mitre.org/techniques/T1027/" diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml index 9b62ea0f761..bfebdb55c07 100644 --- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml +++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml 
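Review bot: The restored threat section indents every `[[rule.threat.technique]]` and subtechnique table by two spaces and places `[rule.threat.tactic]` ahead of the techniques, unlike most of the other threat sections in this commit, which keep the tables at column 0 with the tactic last. TOML ignores the indentation and the order of sub-tables inside one `[[rule.threat]]` element, so the parsed rule is unaffected, but the technique order also changes (T1560 now precedes T1074) and arrays of tables are ordered, so anything that compares or hashes the `technique` list will see a change that is not a content change. Suggest dropping the indentation and keeping the tactic table last so the section matches its siblings; the `command_and_control_non_standard_http_port.toml` hunk similarly moves T1571 ahead of T1071. This hunk begins on the previous line.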
@@ -2,33 +2,28 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses. """ from = "now-119m" -index = ["logs-endpoint.events.file-*"] interval = "60m" +index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "File Staged in Root Folder of Recycle Bin" risk_score = 21 rule_id = "57bccf1d-daf5-4e1a-9049-ff79b5254704" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -38,22 +33,20 @@ file where host.os.type == "windows" and event.type == "creation" and not file.name : "desktop.ini" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" -[[rule.threat.technique.subtechnique]] -id = "T1074.001" -name = "Local Data Staging" -reference = "https://attack.mitre.org/techniques/T1074/001/" + [[rule.threat.technique.subtechnique]] + id = "T1074.001" + name = "Local Data Staging" + reference = "https://attack.mitre.org/techniques/T1074/001/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - 
diff --git a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml index 7705f9a89bb..d48ae36952c 100644 --- a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml +++ b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml @@ -2,19 +2,20 @@ creation_date = "2023/07/27" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] -building_block_type = "default" description = """ This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Potential Suspicious Clipboard Activity Detected" 
@@ -22,33 +23,32 @@ risk_score = 21 rule_id = "884e87cc-c67b-4c90-a4ed-e1e24a940c82" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Collection", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] -timestamp_override = "event.ingested" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] type = "new_terms" - +timestamp_override = "event.ingested" +building_block_type = "default" query = ''' event.category:process and host.os.type:"linux" and event.type:"start" and event.action:("exec" or "exec_event" or "executed" or "process_started") and process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1115" name = "Clipboard Data" reference = "https://attack.mitre.org/techniques/T1115/" - [rule.threat.tactic] id = "TA0009" name = "Collection" @@ -57,8 +57,7 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.group_leader.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml index 3362ff8a2f4..6b5b04cb050 100644 --- a/rules_building_block/collection_outlook_email_archive.toml +++ b/rules_building_block/collection_outlook_email_archive.toml 
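Review bot: The restored `tags` array ends with `"Data Source: Auditd Manager"` without a trailing comma and closes with a `]` indented by two spaces, which introduces a third formatting style next to the column-0 `]` the commit removes and the single-line arrays it restores elsewhere; the same shape is restored in `command_and_control_linux_ssh_x11_forwarding.toml` and `command_and_control_non_standard_http_port.toml`. Both are valid TOML, but one shape across the rule set is easier to lint and diff; suggest `    "Data Source: Auditd Manager",` followed by `]` at column 0. The `[rule]` table this `tags` belongs to starts outside the hunk.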
@@ -2,34 +2,29 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, -access, or modification of these files. +Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or +modification of these files. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Accessing Outlook Data Files" risk_score = 21 rule_id = "2e311539-cd88-4a85-a301-04f38795007c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and 
@@ -40,22 +35,19 @@ process where host.os.type == "windows" and event.type == "start" and process.ar ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" reference = "https://attack.mitre.org/techniques/T1114/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml index 5090c481cdb..cfc5929a85d 100644 --- a/rules_building_block/command_and_control_bitsadmin_activity.toml +++ b/rules_building_block/command_and_control_bitsadmin_activity.toml 
@@ -2,34 +2,29 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Bitsadmin Activity" risk_score = 21 rule_id = "8eec4df1-4b4b-4502-b6c3-c788714604c9" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and @@ -45,7 +40,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -58,6 +52,7 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -70,6 +65,7 @@ reference = "https://attack.mitre.org/techniques/T1197/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -82,4 +78,3 @@ reference = "https://attack.mitre.org/techniques/T1197/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml
index c2e4b44ff6c..15bce7b6651 100644
--- a/rules_building_block/command_and_control_certutil_network_connection.toml
+++ b/rules_building_block/command_and_control_certutil_network_connection.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 bypass_bbr_timing = true
 [transform]
diff --git a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
index 3a1341bca20..1caa23c1134 100644
--- a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
+++ b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -29,19 +31,18 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] building_block_type = "default" description = """ This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers -can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert +can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Linux SSH X11 Forwarding" 
@@ -109,34 +110,31 @@ risk_score = 21 rule_id = "29f0cf93-d17c-4b12-b4f3-a433800539fa" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules_building_block/command_and_control_non_standard_http_port.toml b/rules_building_block/command_and_control_non_standard_http_port.toml index 44d1e9f9f71..db386d382ef 100644 --- a/rules_building_block/command_and_control_non_standard_http_port.toml +++ b/rules_building_block/command_and_control_non_standard_http_port.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/10" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [transform] [[transform.osquery]] 
@@ -29,18 +31,18 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For -example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to -the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data. +Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. +For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. +Adversaries may make changes to the standard port a protocol uses to bypass filtering or +muddle analysis/parsing of network data. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Non-Standard Port HTTP/HTTPS connection" 
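Review bot: The re-wrapped description keeps the typo `port paring` and the stray space in `port 80 , 443` on the new side; suggest `Identifies potentially malicious processes communicating via a port pairing typically not associated with HTTP/HTTPS.` and `For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80, 443.`. The rest of the `[rule]` table continues past the end of this hunk.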
@@ -106,46 +108,46 @@ risk_score = 21 rule_id = "62b68eb2-1e47-4da7-85b6-8f478db5b272" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( "connection_attempted", "ipv4_connection_attempt_event", "connection_accepted", "ipv4_connection_accept_event" ) and destination.ip != "127.0.0.1" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" - -[[rule.threat.technique]] -id = "T1571" -name = "Non-Standard Port" -reference = "https://attack.mitre.org/techniques/T1571/" - [[rule.threat.technique]] id = "T1573" name = "Encrypted Channel" reference = "https://attack.mitre.org/techniques/T1573/" + [[rule.threat.technique.subtechnique]] id = "T1573.001" name = "Symmetric Cryptography" @@ -156,10 +158,7 @@ id = "T1573.002" name = "Asymmetric Cryptography" reference = "https://attack.mitre.org/techniques/T1573/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - 
diff --git a/rules_building_block/credential_access_mdmp_file_creation.toml b/rules_building_block/credential_access_mdmp_file_creation.toml index 938d4cba5ab..c9da48cd015 100644 --- a/rules_building_block/credential_access_mdmp_file_creation.toml +++ b/rules_building_block/credential_access_mdmp_file_creation.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/09/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory. @@ -20,15 +21,9 @@ name = "Potential Credential Access via Memory Dump File Creation" risk_score = 21 rule_id = "e707a7be-cc52-41ac-8ab3-d34b38c20005" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -95,4 +90,3 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml index 666c28d4f06..2a9735df4c9 100644 --- a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml +++ b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml 
@@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/09/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses. @@ -20,16 +21,9 @@ name = "Memory Dump File with Unusual Extension" risk_score = 21 rule_id = "c0b9dc99-c696-4779-b086-0d37dc2b3778" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -67,6 +61,8 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -79,9 +75,7 @@ name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index 9ae2286caca..42b71291c36 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml 
+++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -2,31 +2,28 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" -description = "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.\n" +description = """ +Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment. +""" from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Attempted Private Key Access" risk_score = 21 rule_id = "c55badd3-3e61-4292-836f-56209dc8a601" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and @@ -50,7 +47,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -68,4 +64,3 @@ reference = "https://attack.mitre.org/techniques/T1552/004/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index 8e6fdd61629..399b4d52f16 100644 
--- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml @@ -2,32 +2,28 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" -description = "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\n" +description = """ +Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload. +""" from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Binary Content Copy via Cmd.exe" risk_score = 21 rule_id = "53dedd83-1be7-430f-8026-363256395c8b" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and 
@@ -36,32 +32,33 @@ process where host.os.type == "windows" and event.type == "start" and
(process.args : "copy" and process.args : "/b"))
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"
+
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"
-
-
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
diff --git a/rules_building_block/defense_evasion_cmstp_execution.toml b/rules_building_block/defense_evasion_cmstp_execution.toml
index 75a9ca7c70b..a3bc97b3604 100644
--- a/rules_building_block/defense_evasion_cmstp_execution.toml
+++ b/rules_building_block/defense_evasion_cmstp_execution.toml
@@ -2,35 +2,32 @@
creation_date = "2023/08/24"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands.
"""
from = "now-119m"
-index = ["logs-endpoint.events.process-*"]
interval = "60m"
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Defense Evasion via CMSTP.exe"
-references = ["https://attack.mitre.org/techniques/T1218/003/"]
+references = [
+ "https://attack.mitre.org/techniques/T1218/003/",
+]
risk_score = 21
rule_id = "bd3d058d-5405-4cee-b890-337f09366ba2"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Rule Type: BBR",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
timestamp_override = "event.ingested"
+building_block_type = "default"
type = "eql"
query = '''
@@ -56,4 +53,3 @@ reference = "https://attack.mitre.org/techniques/T1218/003/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
index e59ad5a89c1..77c7aae2fce 100644
--- a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
+++ b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
@@ -1,13 +1,14 @@
[metadata]
-bypass_bbr_timing = true
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
+bypass_bbr_timing = true
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types.
@@ -20,15 +21,9 @@ name = "Archive File with Unusual Extension"
risk_score = 21
rule_id = "cffbaf47-9391-4e09-a83c-1f27d7474826"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Rule Type: BBR",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
timestamp_override = "event.ingested"
+building_block_type = "default"
type = "eql"
query = '''
@@ -54,7 +49,6 @@ file where host.os.type == "windows" and event.action != "deletion" and
not (process.executable : "?:\\Windows\\System32\\inetsrv\\w3wp.exe" and file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*")
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -67,9 +61,7 @@ name = "Masquerade File Type"
reference = "https://attack.mitre.org/techniques/T1036/008/"
-
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml
index 0e9ddb9fa5b..303f5a25a8e 100644
--- a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml
+++ b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml
@@ -1,13 +1,14 @@
[metadata]
-bypass_bbr_timing = true
creation_date = "2023/08/04"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
+bypass_bbr_timing = true
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code.
@@ -20,16 +21,9 @@ name = "Suspicious Communication App Child Process"
risk_score = 21
rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Persistence",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
+building_block_type = "default"
type = "eql"
query = '''
@@ -261,6 +255,7 @@ framework = "MITRE ATT&CK"
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
+
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
@@ -271,17 +266,16 @@ id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"
-
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
-
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -289,7 +283,6 @@ id = "T1554"
name = "Compromise Client Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"
-
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
diff --git a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml
index 8bad6f8fed7..0e918df3667 100644
--- a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml
+++ b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml
@@ -2,18 +2,20 @@
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
-Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt
-to evade detection.
+Identify activity related where adversaries can add the 'hidden' flag to files to hide
+them from the user in an attempt to evade detection.
"""
from = "now-119m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
interval = "60m"
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Hidden Files and Directories via Hidden Flag"
@@ -21,39 +23,36 @@ risk_score = 21
rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97"
severity = "low"
tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Auditd Manager",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ]
timestamp_override = "event.ingested"
type = "eql"
-
query = '''
file where event.type == "creation" and process.name == "chflags"
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
+
[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"
-
-
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml
index 68d23e22874..35f81a544a6 100644
--- a/rules_building_block/defense_evasion_dll_hijack.toml
+++ b/rules_building_block/defense_evasion_dll_hijack.toml
@@ -2,34 +2,29 @@
creation_date = "2023/07/12"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
+min_stack_version = "8.4.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process.
"""
from = "now-119m"
-index = ["logs-endpoint.events.library-*"]
interval = "60m"
+index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Unsigned DLL Loaded by a Trusted Process"
risk_score = 21
rule_id = "c20cd758-07b1-46a1-b03f-fa66158258b8"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
+building_block_type = "default"
type = "eql"
query = '''
@@ -87,6 +82,7 @@ framework = "MITRE ATT&CK"
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
+
[[rule.threat.technique.subtechnique]]
id = "T1574.001"
name = "DLL Search Order Hijacking"
@@ -99,8 +95,8 @@ reference = "https://attack.mitre.org/techniques/T1574/002/"
+
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
index 79332fc5371..11d2c403320 100644
--- a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
+++ b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
@@ -2,32 +2,27 @@
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
Identifies the execution of DotNet ClickOnce installer via Dfsvc.exe trampoline. Adversaries may take advantage of ClickOnce to proxy execution of malicious payloads via trusted Microsoft processes.
"""
from = "now-119m"
-index = ["logs-endpoint.events.*"]
interval = "60m"
+index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Execution via Microsoft DotNet ClickOnce Host"
risk_score = 21
rule_id = "5297b7f1-bccd-4611-93fa-ea342a01ff84"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+building_block_type = "default"
type = "eql"
query = '''
@@ -40,6 +35,7 @@ sequence by user.id with maxspan=5s
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1127"
name = "Trusted Developer Utilities Proxy Execution"
@@ -49,15 +45,13 @@ reference = "https://attack.mitre.org/techniques/T1127/"
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
-[[rule.threat.technique.subtechnique]]
-id = "T1218.011"
-name = "Rundll32"
-reference = "https://attack.mitre.org/techniques/T1218/011/"
-
+ [[rule.threat.technique.subtechnique]]
+ id = "T1218.011"
+ name = "Rundll32"
+ reference = "https://attack.mitre.org/techniques/T1218/011/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml
index 0e65e8b4c34..1a64a5acfab 100644
--- a/rules_building_block/defense_evasion_download_susp_extension.toml
+++ b/rules_building_block/defense_evasion_download_susp_extension.toml
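Review bot: The restored `[[rule.threat.technique.subtechnique]]` block for T1218.011 comes back with leading indentation (`+ [[rule.threat.technique.subtechnique]]`, `+ id = "T1218.011"`, …) while the T1218 technique and the tactic table around it, and the other rules in this chunk, keep table headers and keys at column 0. TOML ignores leading whitespace, so the parsed rule is unchanged, but this is exactly the drift a repository-wide TOML normaliser would rewrite on the next touch, churning the file again right after the revert. The same indented style is reintroduced in the threat block of defense_evasion_download_susp_extension.toml (which also swaps the `name`/`id` key order) and in the tags array of defense_evasion_creation_of_hidden_files_directories.toml. Since this is a straight revert of #3681 the pre-trimming bytes are presumably intended; if not, those three blocks are worth re-indenting to column 0 in a follow-up.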
@@ -2,38 +2,32 @@
creation_date = "2023/09/27"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
-Identifies unusual files downloaded from outside the local network that have the potential to be abused for code
-execution.
+Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution.
"""
+references = [
+ "https://x.com/Laughing_Mantis/status/1518766501385318406",
+ "https://wikileaks.org/ciav7p1/cms/page_13763375.html"
+]
from = "now-119m"
-index = ["logs-endpoint.events.file-*"]
interval = "60m"
+index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "File with Suspicious Extension Downloaded"
-references = [
- "https://x.com/Laughing_Mantis/status/1518766501385318406",
- "https://wikileaks.org/ciav7p1/cms/page_13763375.html",
-]
risk_score = 21
rule_id = "8d366588-cbd6-43ba-95b4-0971c3f906e5"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Rule Type: BBR",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "eql"
+building_block_type = "default"
query = '''
file where host.os.type == "windows" and event.type == "creation" and
@@ -61,16 +55,17 @@ file where host.os.type == "windows" and event.type == "creation" and
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
+ [[rule.threat.technique]]
+ name = "System Binary Proxy Execution"
+ id = "T1218"
+ reference = "https://attack.mitre.org/techniques/T1218/"
+
+ [rule.threat.tactic]
+ name = "Defense Evasion"
+ id = "TA0005"
+ reference = "https://attack.mitre.org/tactics/TA0005/"
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
diff --git a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml
index 2eecbdb9c35..2233ab0f34b 100644
--- a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml
+++ b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml
@@ -2,39 +2,33 @@
creation_date = "2023/09/26"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
Identifies the execution of a command via Microsoft Visual Studio Pre or Post build events. Adversaries may backdoor a trusted visual studio project to execute a malicious command during the project build process.
"""
+references = [
+ "https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html",
+ "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/",
+ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx"
+]
from = "now-119m"
-index = ["logs-endpoint.events.process-*"]
interval = "60m"
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution via MS VisualStudio Pre/Post Build Events"
-references = [
- "https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022",
- "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html",
- "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/",
- "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx",
-]
risk_score = 21
rule_id = "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"]
+building_block_type = "default"
type = "eql"
query = '''
@@ -100,4 +94,3 @@ framework = "MITRE ATT&CK"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules_building_block/defense_evasion_file_permission_modification.toml b/rules_building_block/defense_evasion_file_permission_modification.toml
index f58bdff58c1..11a0e1a7646 100644
--- a/rules_building_block/defense_evasion_file_permission_modification.toml
+++ b/rules_building_block/defense_evasion_file_permission_modification.toml
@@ -2,33 +2,28 @@
creation_date = "2023/07/12"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
Identifies the change of permissions/ownership of files/folders through built-in Windows utilities. Threat actors may require permission modification of files/folders to change, modify or delete them.
"""
from = "now-119m"
-index = ["logs-endpoint.events.process-*"]
interval = "60m"
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "File and Directory Permissions Modification"
risk_score = 21
rule_id = "bc9e4f5a-e263-4213-a2ac-1edf9b417ada"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
+building_block_type = "default"
type = "eql"
query = '''
@@ -51,15 +46,14 @@ framework = "MITRE ATT&CK"
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
+
[[rule.threat.technique.subtechnique]]
id = "T1222.001"
name = "Windows File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/001/"
-
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml
index 845c9e5546e..548a7d4d0f2 100644
--- a/rules_building_block/defense_evasion_generic_deletion.toml
+++ b/rules_building_block/defense_evasion_generic_deletion.toml
@@ -2,33 +2,28 @@
creation_date = "2023/07/13"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware.
"""
from = "now-119m"
-index = ["logs-endpoint.events.process-*"]
interval = "60m"
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "File or Directory Deletion Command"
risk_score = 21
rule_id = "5919988c-29e1-4908-83aa-1f087a838f63"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
+building_block_type = "default"
type = "eql"
query = '''
@@ -52,6 +47,7 @@ process where host.os.type == "windows" and event.type == "start" and
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
@@ -61,10 +57,7 @@ id = "T1070.004"
name = "File Deletion"
reference = "https://attack.mitre.org/techniques/T1070/004/"
-
-
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml
index 1b0edce3efc..360c17149f0 100644
--- a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml
+++ b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml
@@ -2,37 +2,27 @@
creation_date = "2023/08/24"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
-building_block_type = "default"
-description = "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\n"
+description = """
+Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.
+"""
from = "now-119m"
-index = [
- "logs-endpoint.events.process-*",
- "logs-system.security*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
-]
interval = "60m"
+index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Indirect Command Execution via Forfiles/Pcalua"
risk_score = 21
rule_id = "98843d35-645e-4e66-9d6a-5049acd96ce1"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Rule Type: BBR",
- "Data Source: Elastic Endgame",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
+building_block_type = "default"
type = "eql"
query = '''
@@ -53,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1202/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml
index 6d1c96172e8..92008c11f4b 100644
--- a/rules_building_block/defense_evasion_injection_from_msoffice.toml
+++ b/rules_building_block/defense_evasion_injection_from_msoffice.toml
@@ -2,36 +2,29 @@
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual process arguments and path. This behavior is often observed during exploitation of Office applications or from documents with malicious macros.
"""
from = "now-119m"
-index = ["logs-endpoint.events.process-*"]
interval = "60m"
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Process Injection from Malicious Document"
risk_score = 21
rule_id = "1c5a04ae-d034-41bf-b0d8-96439b5cc774"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Privilege Escalation",
- "Tactic: Initial Access",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
+building_block_type = "default"
type = "eql"
query = '''
@@ -49,7 +42,6 @@ process where host.os.type == "windows" and event.action == "start" and
"?:\\Windows\\System32\\notepad.exe")
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -57,11 +49,12 @@ id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
-
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -69,11 +62,12 @@ id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
-
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
+
+
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -85,10 +79,7 @@ id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"
-
-
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules_building_block/defense_evasion_installutil_command_activity.toml b/rules_building_block/defense_evasion_installutil_command_activity.toml
index 18335f50a09..cca9b3bca2a 100644
--- a/rules_building_block/defense_evasion_installutil_command_activity.toml
+++ b/rules_building_block/defense_evasion_installutil_command_activity.toml
@@ -2,41 +2,29 @@
creation_date = "2023/08/24"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility.
"""
from = "now-119m"
-index = [
- "logs-endpoint.events.process-*",
- "logs-system.security*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
-]
interval = "60m"
+index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "InstallUtil Activity"
risk_score = 21
rule_id = "90babaa8-5216-4568-992d-d4a01a105d98"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Rule Type: BBR",
- "Data Source: Elastic Endgame",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
+building_block_type = "default"
type = "eql"
query = '''
@@ -62,4 +50,3 @@ reference = "https://attack.mitre.org/techniques/T1218/004/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml
index 2017bffb2fb..1ab179118ab 100644
--- a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml
+++ b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml
@@ -2,33 +2,28 @@
creation_date = "2023/09/27"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a signed binary.
"""
from = "now-119m"
-index = ["logs-endpoint.events.library-*"]
interval = "60m"
+index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Image Loaded with Invalid Signature"
risk_score = 21
rule_id = "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
+building_block_type = "default"
type = "eql"
query = '''
@@ -41,22 +36,20 @@ library where host.os.type == "windows" and event.action == "load" and
)
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
+
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"
-
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_masquerading_browsers.toml b/rules_building_block/defense_evasion_masquerading_browsers.toml
index 05eab7af329..3f033afb308 100644
--- a/rules_building_block/defense_evasion_masquerading_browsers.toml
+++ b/rules_building_block/defense_evasion_masquerading_browsers.toml
@@ -1,13 +1,14 @@
[metadata]
-bypass_bbr_timing = true
creation_date = "2023/08/02"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
+bypass_bbr_timing = true
[rule]
author = ["Elastic"]
-building_block_type = "default"
description = """
Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into
@@ -21,16 +22,9 @@ name = "Potential Masquerading as Browser Process"
risk_score = 21
rule_id = "5b9eb30f-87d6-45f4-9289-2bf2024f0376"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Persistence",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
+building_block_type = "default"
type = "eql"
query = '''
@@ -165,6 +159,7 @@ framework = "MITRE ATT&CK"
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
+
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
@@ -176,11 +171,11 @@ name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"
-
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -188,7 +183,6 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml index 7df37c1057b..0e92d42bad7 100644 --- a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml +++ b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml @@ -2,33 +2,28 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the creation or modification of an executable file with an unexpected file extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. """ from = "now-119m" -index = ["logs-endpoint.events.file-*"] interval = "60m" +index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Executable File with Unusual Extension" risk_score = 21 rule_id = "ecd4857b-5bac-455e-a7c9-a88b66e56a9e" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -64,9 +59,7 @@ name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml index a27d7831770..719e094cd04 100644 --- a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate @@ -21,16 +22,9 @@ name = "Potential Masquerading as VLC DLL" risk_score = 21 rule_id = "4494c14f-5ff8-4ed2-8e99-bf816a1642fc" severity = "low" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -49,6 +43,7 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -60,11 +55,12 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -72,7 +68,6 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml index 41bd9f17d9d..3cd09f3fdf8 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." +min_stack_version = "8.4.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign 
@@ -21,16 +22,9 @@ name = "Potential Masquerading as System32 DLL"
 risk_score = 21
 rule_id = "fb01d790-9f74-4e76-97dd-b4b0f7bf6435"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "Data Source: Elastic Defend",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Persistence",
- "Rule Type: BBR",
-]
+tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
+building_block_type = "default"
 type = "eql"
 query = '''
@@ -112,6 +106,7 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
@@ -122,11 +117,11 @@ id = "T1036.005"
 name = "Match Legitimate Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1574.001"
 name = "DLL Search Order Hijacking"
@@ -138,11 +133,12 @@ name = "DLL Side-Loading"
 reference = "https://attack.mitre.org/techniques/T1574/002/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -150,7 +146,6 @@ id = "T1554"
 name = "Compromise Client Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
index bed9eb79637..803b5fea69f 100644
--- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
+++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables. @@ -20,16 +21,9 @@ name = "Potential Masquerading as System32 Executable" risk_score = 21 rule_id = "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47" severity = "low" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -86,6 +80,7 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -96,12 +91,12 @@ id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -109,7 +104,6 @@ id = "T1554"
 name = "Compromise Client Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
index a29c08022bc..87018026368 100644
--- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
+++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
@@ -2,41 +2,31 @@
 creation_date = "2023/09/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
-Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an
-unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.
+Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual
+parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.
 """
-from = "now-119m"
-index = [
- "logs-endpoint.events.process-*",
- "logs-system.security*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
+references = [
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd"
 ]
+from = "now-119m"
 interval = "60m"
+index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Troubleshooting Pack Cabinet Execution"
-references = ["https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd"]
 risk_score = 21
 rule_id = "808291d3-e918-4a3a-86cd-73052a0c9bdc"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
+building_block_type = "default"
 type = "eql"
 query = '''
@@ -58,14 +48,13 @@ process where host.os.type == "windows" and event.action == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+ [[rule.threat.technique]]
+ name = "System Binary Proxy Execution"
+ id = "T1218"
+ reference = "https://attack.mitre.org/techniques/T1218/"
+ [rule.threat.tactic]
+ name = "Defense Evasion"
+ id = "TA0005"
+ reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml b/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml
index 1a910a7c360..8ee273efc40 100644
--- a/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml
+++ b/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml
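Review bot: The restored `[rule.threat.tactic]` table on the new side is indented underneath the `[[rule.threat.technique]]` block, which visually suggests the tactic is a sub-table of the technique; TOML ignores leading whitespace on table headers, so it is still parsed as `rule.threat.tactic` on the current `[[rule.threat]]` element, but a reader skimming the file may assume otherwise. The key order inside these two tables (`name` before `id`) also differs from every other threat block in this chunk, which keeps `id` first. The same indented layout comes back for the `[[rule.threat.technique.subtechnique]]` tables in defense_evasion_service_path_registry.toml and defense_evasion_services_exe_path.toml. Flattening the headers to column 0 and keeping the `id`, `name`, `reference` order would match the surrounding files.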
@@ -2,33 +2,30 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/26" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the execution of an installer from an archive or with suspicious properties. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files in an attempt to bypass application whitelisting. """ +references = [ + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/" +] from = "now-119m" -index = ["logs-endpoint.events.*"] interval = "60m" +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Windows Installer with Suspicious Properties" -references = ["https://lolbas-project.github.io/lolbas/Binaries/Msiexec/"] risk_score = 21 rule_id = "55f07d1b-25bc-4a0f-aa0c-05323c1319d0" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +building_block_type = "default" type = "eql" query = ''' @@ -66,4 +63,3 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml index c5e63bbb893..e0133519df6 100644 --- a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml +++ b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml 
@@ -2,18 +2,20 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = """
-Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity
-to evade default file handling mechanisms.
+Identify instances where adversaries include trailing space characters to mimic regular files, disguising their
+activity to evade default file handling mechanisms.
 """
 from = "now-119m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 interval = "60m"
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Processes with Trailing Spaces"
@@ -21,40 +23,37 @@ risk_score = 21 rule_id = "0c093569-dff9-42b6-87b1-0242d9f7d9b4" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name : "* " ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.006" name = "Space after Filename" reference = "https://attack.mitre.org/techniques/T1036/006/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_service_disabled_registry.toml b/rules_building_block/defense_evasion_service_disabled_registry.toml index c1f1d49dab7..f822fdc3a3a 100644 --- a/rules_building_block/defense_evasion_service_disabled_registry.toml +++ b/rules_building_block/defense_evasion_service_disabled_registry.toml 
@@ -2,18 +2,19 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies attempts to modify services start settings using processes other than services.exe. Attackers may attempt to modify security and monitoring services to avoid detection or delay response. """ from = "now-119m" -index = ["logs-endpoint.events.registry-*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.registry-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Service Disabled via Registry Modification" @@ -27,9 +28,10 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR", + "Rule Type: BBR" ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -58,6 +60,7 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -70,4 +73,3 @@ reference = "https://attack.mitre.org/techniques/T1489/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml index 7dbda2f6f28..3dbc25b09d7 100644 --- a/rules_building_block/defense_evasion_service_path_registry.toml +++ b/rules_building_block/defense_evasion_service_path_registry.toml 
@@ -2,18 +2,19 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation. """ from = "now-119m" -index = ["logs-endpoint.events.registry-*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.registry-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Service Path Modification" @@ -27,9 +28,10 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR", + "Rule Type: BBR" ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -60,25 +62,29 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique.subtechnique]] + id = "T1543.003" + name = "Windows Service" + reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
@@ -94,4 +100,3 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index 2cb09abc8f5..c26ac369c4f 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml +++ b/rules_building_block/defense_evasion_services_exe_path.toml @@ -2,18 +2,19 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation. """ from = "now-119m" -index = ["logs-endpoint.events.process-*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.process-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Service Path Modification via sc.exe" @@ -27,9 +28,10 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR", + "Rule Type: BBR" ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -50,25 +52,29 @@ reference = "https://attack.mitre.org/techniques/T1112/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-[[rule.threat.technique.subtechnique]]
-id = "T1543.003"
-name = "Windows Service"
-reference = "https://attack.mitre.org/techniques/T1543/003/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1543.003"
+ name = "Windows Service"
+ reference = "https://attack.mitre.org/techniques/T1543/003/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
@@ -84,4 +90,3 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
index c5f71c75d33..6625b9806cd 100644
--- a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
+++ b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
@@ -2,38 +2,32 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from usual paths or parent process. Adversaries may abuse msiexec.exe to launch malicious local MSI files. """ +references = [ + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", + "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/" +] from = "now-119m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Execution via MSIEXEC" -references = [ - "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", - "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/", -] risk_score = 21 rule_id = "708c9d92-22a3-4fe0-b6b9-1f861c55502d" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -85,4 +79,3 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules_building_block/defense_evasion_unsigned_bits_client.toml b/rules_building_block/defense_evasion_unsigned_bits_client.toml
index 84012c3b2d4..36adfe503fe 100644
--- a/rules_building_block/defense_evasion_unsigned_bits_client.toml
+++ b/rules_building_block/defense_evasion_unsigned_bits_client.toml
@@ -2,37 +2,32 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies an unsigned Windows Background Intelligent Transfer Service (BITS) client process. Attackers may abuse BITS functionality to download or upload data using the BITS service. """ +references = [ + "https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", + "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" +] from = "now-119m" -index = ["logs-endpoint.events.library-*"] interval = "60m" +index = ["logs-endpoint.events.library-*"] language = "eql" license = "Elastic License v2" name = "Unsigned BITS Service Client Process" -references = [ - "https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", - "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2", -] risk_score = 21 rule_id = "9a3884d0-282d-45ea-86ce-b9c81100f026" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -44,24 +39,23 @@ not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1197"
+name = "BITS Jobs"
+reference = "https://attack.mitre.org/techniques/T1197/"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
-[[rule.threat.technique]]
-id = "T1197"
-name = "BITS Jobs"
-reference = "https://attack.mitre.org/techniques/T1197/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_unusual_process_extension.toml b/rules_building_block/defense_evasion_unusual_process_extension.toml
index 62072e9e4ed..695bf5aea5f 100644
--- a/rules_building_block/defense_evasion_unusual_process_extension.toml
+++ b/rules_building_block/defense_evasion_unusual_process_extension.toml
@@ -2,31 +2,28 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
-description = "Identifies processes running with unusual extensions that are not typically valid for Windows executables.\n"
+description = """
+Identifies processes running with unusual extensions that are not typically valid for Windows executables.
+"""
 from = "now-119m"
-index = ["logs-endpoint.events.process-*"]
 interval = "60m"
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Process Extension"
 risk_score = 21
 rule_id = "800e01be-a7a4-46d0-8de9-69f3c9582b44"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Rule Type: BBR",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "eql"
+building_block_type = "default"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
@@ -60,22 +57,19 @@ process where host.os.type == "windows" and event.type == "start" and
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.008"
 name = "Masquerade File Type"
 reference = "https://attack.mitre.org/techniques/T1036/008/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
index b65efa3547c..2337423bd21 100644
--- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
+++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
@@ -2,38 +2,28 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
-description = "Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.\n"
+description = """
+Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.
+"""
 from = "now-119m"
-index = [
- "logs-endpoint.events.process-*",
- "logs-system.security*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
-]
 interval = "60m"
+index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Process Execution on WBEM Path"
 risk_score = 21
 rule_id = "1f460f12-a3cf-4105-9ebb-f788cc63f365"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Rule Type: BBR",
- "Data Source: Elastic Endgame",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
+building_block_type = "default"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
@@ -51,7 +41,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -59,9 +48,7 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index 09e5dd121c7..ddd47f1ea76 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -2,11 +2,12 @@ creation_date = "2023/08/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated 
@@ -15,16 +16,11 @@ compromised accounts additional rights, ultimately compromising the target objec lateral movement, and persistence. """ from = "now-119m" -index = ["winlogbeat-*", "logs-system.security*", "logs-windows.*"] interval = "60m" +index = ["winlogbeat-*", "logs-system.security*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "WRITEDAC Access on Active Directory Object" -references = [ - "https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf", -] -risk_score = 21 -rule_id = "f5861570-e39a-4b8a-9259-abd39f84cb97" setup = """## Setup The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). 
@@ -41,38 +37,35 @@ DS Access > Audit Directory Service Access (Success,Failure) ``` """ -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Active Directory", - "Use Case: Active Directory Monitoring", - "Rule Type: BBR", +references = [ + "https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf" ] +risk_score = 21 +rule_id = "f5861570-e39a-4b8a-9259-abd39f84cb97" +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" +building_block_type = "default" query = ''' host.os.type: "windows" and event.action : ("Directory Service Access" or "object-operation-performed") and event.code : "4662" and winlog.event_data.AccessMask:"0x40000" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" -name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" +name = "File and Directory Permissions Modification" + [[rule.threat.technique.subtechnique]] id = "T1222.001" name = "Windows File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml index ff88b1d331f..305f6b593bf 100644 --- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml 
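Review bot: In the T1222 technique block the restored ordering puts `+name = "File and Directory Permissions Modification"` after `reference`, whereas every other `[[rule.threat.technique]]` block in this change lists `id`, `name`, `reference` in that order; keeping `name` before `reference` here would avoid the one-off layout. This is cosmetic for TOML, but the key order is otherwise consistent across the rule files in the diff.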
@@ -1,15 +1,17 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
+bypass_bbr_timing = true
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = """
-Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows
+Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows
 Command Shell.
 """
 from = "now-9m"
@@ -55,16 +57,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Rule Type: BBR",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -74,9 +75,9 @@ process where host.os.type == "windows" and event.type == "start" and
 not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
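Review bot: The `-Identifies the execution …` / `+Identifies the execution …` pair in the description differs only in whitespace (invisible here, presumably a trailing space the reverted commit had trimmed), so this hunk reintroduces it without changing the rule text; the same whitespace-only pairs appear in the description hunks of the modprobe and sysctl rules later in this change. A revert normally reproduces the old bytes, but since these lines carry no rule semantics it would be reasonable to keep the trimmed versions and avoid churn on the next formatting pass.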
@@ -87,26 +88,25 @@ id = "T1083"
 name = "File and Directory Discovery"
 reference = "https://attack.mitre.org/techniques/T1083/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml
index eb8dadcd502..2b0ab58fa5a 100644
--- a/rules_building_block/discovery_generic_account_groups.toml
+++ b/rules_building_block/discovery_generic_account_groups.toml
@@ -1,9 +1,11 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2023/07/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
+bypass_bbr_timing = true
 [rule]
 author = ["Elastic"]
@@ -20,14 +22,13 @@ name = "Windows Account or Group Discovery"
 risk_score = 21
 rule_id = "089db1af-740d-4d84-9a5b-babd6de143b0"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -61,13 +62,14 @@ process where host.os.type == "windows" and event.type == "start" and
 and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.001"
 name = "Local Groups"
@@ -78,11 +80,16 @@ id = "T1069.002"
 name = "Domain Groups"
 reference = "https://attack.mitre.org/techniques/T1069/002/"
+[[rule.threat.technique]]
+id = "T1201"
+name = "Password Policy Discovery"
+reference = "https://attack.mitre.org/techniques/T1201/"
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.001"
 name = "Local Account"
@@ -93,15 +100,7 @@ id = "T1087.002"
 name = "Domain Account"
 reference = "https://attack.mitre.org/techniques/T1087/002/"
-
-[[rule.threat.technique]]
-id = "T1201"
-name = "Password Policy Discovery"
-reference = "https://attack.mitre.org/techniques/T1201/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml
index bafbf1c8680..d56783275ec 100644
--- a/rules_building_block/discovery_generic_process_discovery.toml
+++ b/rules_building_block/discovery_generic_process_discovery.toml
@@ -1,9 +1,11 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2023/07/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
+bypass_bbr_timing = true
 [rule]
 author = ["Elastic"]
@@ -13,28 +15,21 @@ This rule identifies the execution of commands that can be used to enumerate run enumerate processes to identify installed applications and security solutions. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "logs-system.security*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", -] +index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Process Discovery Using Built-in Tools" risk_score = 21 rule_id = "4982ac3e-d0ee-4818-b95d-d9522d689259" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" @@ -49,17 +44,15 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index cfe2edba2ae..d645ef76a6e 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml 
@@ -1,9 +1,11 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2023/07/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2024/04/05"
+bypass_bbr_timing = true
 [rule]
 author = ["Elastic"]
@@ -21,14 +23,13 @@ name = "Query Registry using Built-in Tools"
 risk_score = 21
 rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -53,15 +54,14 @@ host.os.type:windows and event.category:process and event.type:start and
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1012"
 name = "Query Registry"
 reference = "https://attack.mitre.org/techniques/T1012/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
@@ -70,8 +70,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "user.id"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
-
-
diff --git a/rules_building_block/discovery_hosts_file_access.toml b/rules_building_block/discovery_hosts_file_access.toml
index 8a3177bf266..74bee070950 100644
--- a/rules_building_block/discovery_hosts_file_access.toml
+++ b/rules_building_block/discovery_hosts_file_access.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/11"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/22"
 [rule]
 author = ["Elastic"]
@@ -12,8 +14,8 @@ Identifies the use of built-in tools to read the contents of \\etc\\hosts on a l
 to discover remote machines in an environment that may be used for Lateral Movement from the current system.
 """
 from = "now-119m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 interval = "60m"
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Hosts File Access"
@@ -21,35 +23,32 @@ risk_score = 21
 rule_id = "f75f65cf-ed04-48df-a7ff-b02a8bfe636e"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Auditd Manager",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("vi", "nano", "cat", "more", "less") and process.args == "/etc/hosts"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
 reference = "https://attack.mitre.org/techniques/T1018/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index 2ae9e761e72..e518e8a81f3 100644 --- a/rules_building_block/discovery_internet_capabilities.toml +++ b/rules_building_block/discovery_internet_capabilities.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/01/11" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -21,14 +23,13 @@ name = "Discovery of Internet Capabilities via Built-in Tools" risk_score = 21 rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -38,20 +39,19 @@ process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "::1") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" 
@@ -60,8 +60,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.command_line"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml index 00a0f082ba3..d351ec77fd9 100644 --- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml +++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml @@ -2,16 +2,17 @@ creation_date = "2020/04/12" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate -information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod -and kmod to list the available kernel modules. +information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as +lsmod and kmod to list the available kernel modules. """ false_positives = [ """ @@ -20,8 +21,8 @@ false_positives = [ """, ] from = "now-119m" -index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Enumeration of Kernel Modules via Proc" 
@@ -46,29 +47,28 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", -] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "new_terms" - +building_block_type = "default" query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules" and not process.name:(grep or python* or chef-client) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -77,8 +77,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml index 05b04fa4b07..e5867834327 100644 --- a/rules_building_block/discovery_linux_modprobe_enumeration.toml +++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml 
@@ -2,20 +2,21 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or +Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized -kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the +kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system. """ from = "now-119m" -index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Suspicious Modprobe File Event" @@ -45,15 +46,15 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", -] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "new_terms" - +building_block_type = "default" query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and not process.name:( 
@@ -62,15 +63,14 @@ file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
@@ -79,8 +79,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml
index f01834a9931..e02b8d69775 100644
--- a/rules_building_block/discovery_linux_sysctl_enumeration.toml
+++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml
@@ -2,19 +2,20 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential -unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl +Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential +unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security. """ from = "now-119m" -index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Suspicious Sysctl File Event" @@ -45,15 +46,15 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", -] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "new_terms" - +building_block_type = "default" query = ''' host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not process.name:( 
@@ -61,15 +62,14 @@ file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not p
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
@@ -78,8 +78,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules_building_block/discovery_linux_system_information_discovery.toml b/rules_building_block/discovery_linux_system_information_discovery.toml
index 431c60f4301..af04ae90db5 100644
--- a/rules_building_block/discovery_linux_system_information_discovery.toml
+++ b/rules_building_block/discovery_linux_system_information_discovery.toml
@@ -2,15 +2,17 @@
 creation_date = "2023/07/10"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = "Enrich process events with uname and other command lines that imply Linux system information discovery."
 from = "now-119m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 interval = "60m"
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux System Information Discovery"
@@ -18,18 +20,17 @@ risk_score = 21 rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( process.name: "uname" or ( @@ -38,17 +39,15 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_linux_system_owner_user_discovery.toml b/rules_building_block/discovery_linux_system_owner_user_discovery.toml index 2e2c8d3def8..461660560f7 100644 --- a/rules_building_block/discovery_linux_system_owner_user_discovery.toml +++ b/rules_building_block/discovery_linux_system_owner_user_discovery.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/10" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
@@ -12,8 +14,8 @@ Identifies the use of built-in tools which adversaries may use to enumerate the system. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "System Owner/User Discovery Linux" @@ -21,26 +23,25 @@ risk_score = 21 rule_id = "bf8c007c-7dee-4842-8e9a-ee534c09d205" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name : ("whoami", "w", "who", "users", "id") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" @@ -51,9 +52,7 @@ id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index dff948bf5ad..1a9085fe98c 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml 
@@ -2,33 +2,28 @@ creation_date = "2023/07/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement. """ from = "now-119m" -index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"] interval = "60m" +index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Potential Network Share Discovery" risk_score = 21 rule_id = "b2318c71-5959-469a-a3ce-3a0768e63b9c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Collection", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Rule Type: BBR"] type = "eql" +building_block_type = "default" query = ''' sequence by user.name, source.port, source.ip with maxspan=15s @@ -40,7 +35,6 @@ sequence by user.name, source.port, source.ip with maxspan=15s source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -48,19 +42,19 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" - [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml index 10e11ec992a..c07a155965b 100644 --- a/rules_building_block/discovery_net_view.toml +++ b/rules_building_block/discovery_net_view.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -53,17 +55,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -85,9 +86,9 @@ process where host.os.type == "windows" and event.type == "start" and */ ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -98,19 +99,20 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" - [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml index 534e6b19c1c..eb07c9ed3c6 100644 --- a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml +++ b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml @@ -2,15 +2,19 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] building_block_type = "default" -description = "Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.\n" +description = """ +Adversaries may use built-in applications to get a listing of local system or domain accounts and groups. +""" from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Account or Group Discovery via Built-In Tools" 
@@ -18,19 +22,18 @@ risk_score = 21 rule_id = "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( (process.name in ("groups", "id")) or @@ -41,13 +44,14 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -58,11 +62,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -73,10 +77,7 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml index 6a1122dd0d6..fc2e465b263 100644 --- a/rules_building_block/discovery_of_domain_groups.toml +++ b/rules_building_block/discovery_of_domain_groups.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -12,8 +14,8 @@ Identifies the execution of Linux built-in commands related to account or group and group information to orient themselves before deciding how to act. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Discovery of Domain Groups" @@ -21,18 +23,17 @@ risk_score = 21 rule_id = "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -40,17 +41,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml index 717f91f01be..ff9a476a59b 100644 --- a/rules_building_block/discovery_posh_password_policy.toml +++ b/rules_building_block/discovery_posh_password_policy.toml @@ -2,18 +2,19 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools. """ from = "now-119m" -index = ["winlogbeat-*", "logs-windows.powershell*"] interval = "60m" +index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Password Policy Discovery Capabilities" @@ -38,17 +39,10 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Execution", - "Data Source: PowerShell Logs", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" +building_block_type = "default" query = ''' event.category: "process" and host.os.type:windows and 
@@ -98,11 +92,12 @@ id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml index ca94235feb2..e43887f6438 100644 --- a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2020/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -62,15 +64,14 @@ references = [ risk_score = 21 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -130,27 +131,25 @@ network where host.os.type == "windows" and network.protocol == "dns" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - [[rule.threat.technique]] id = "T1614" name = "System Location Discovery" reference = "https://attack.mitre.org/techniques/T1614/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml index 8b6be1ce1e2..d6dc62b89ea 100644 --- a/rules_building_block/discovery_potential_memory_seeking_activity.toml +++ b/rules_building_block/discovery_potential_memory_seeking_activity.toml @@ -3,7 +3,9 @@ bypass_bbr_timing = true creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -22,17 +24,16 @@ risk_score = 21 rule_id = "035a6f21-4092-471d-9cda-9e379f459b1e" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( (process.name == "tail" and process.args == "-c") or @@ -42,17 +43,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml index d3826371012..8b30470080a 100644 --- a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml +++ b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/07/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] building_block_type = "default" description = "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint." from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Process Discovery via Built-In Applications" @@ -18,18 +20,17 @@ risk_score = 21 rule_id = "3f4d7734-2151-4481-b394-09d7c6c91f75" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( "ps", "pstree", "htop", "pgrep" @@ -37,9 +38,9 @@ process where event.type == "start" and event.action in ("exec", "exec_event") a not process.parent.name in ("amazon-ssm-agent", "snap") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" 
@@ -49,15 +50,13 @@ reference = "https://attack.mitre.org/techniques/T1057/" id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index b7e1e6414dd..4fbf67eccde 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -53,16 +55,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -90,9 +91,9 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" @@ -103,9 +104,7 @@ id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml index 42a76b8cd84..7811c935fe8 100644 --- a/rules_building_block/discovery_security_software_wmic.toml +++ b/rules_building_block/discovery_security_software_wmic.toml @@ -1,25 +1,20 @@ [metadata] -bypass_bbr_timing = true creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Security Software Discovery using WMIC" 
@@ -62,17 +57,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -81,32 +76,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules_building_block/discovery_signal_unusual_user_host.toml b/rules_building_block/discovery_signal_unusual_user_host.toml index 6697231b3ee..5c46f340044 100644 --- a/rules_building_block/discovery_signal_unusual_user_host.toml +++ b/rules_building_block/discovery_signal_unusual_user_host.toml 
@@ -1,8 +1,10 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/10" maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/10" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -19,16 +21,14 @@ name = "Unusual Discovery Activity by User" risk_score = 21 rule_id = "cf575427-0839-4c69-a9e6-99fde02606f3" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: Higher-Order Rule", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: Higher-Order Rule" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or @@ -39,7 +39,6 @@ host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" @@ -51,8 +50,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/discovery_suspicious_memory_grep_activity.toml b/rules_building_block/discovery_suspicious_memory_grep_activity.toml index e5e09b92269..238e3a74056 100644 --- a/rules_building_block/discovery_suspicious_memory_grep_activity.toml +++ b/rules_building_block/discovery_suspicious_memory_grep_activity.toml 
@@ -3,7 +3,9 @@ bypass_bbr_timing = true creation_date = "2024/02/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ building_block_type = "default" description = """ Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may -read a process's memory map to identify memory addresses for code injection or process hijacking. +read a process's memory map to identify memory addresses for code injection or process hijacking. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -23,33 +25,30 @@ risk_score = 21 rule_id = "d74d6506-427a-4790-b170-0c2a6ddac799" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack]", "[vdso]", "[heap]") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
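Review bot: The added description line `read a process's memory map to identify memory addresses for code injection or process hijacking. ` differs from the removed line only by what appears to be trailing whitespace, and TOML `"""` strings preserve trailing spaces, so the rule's description value changes and the file carries whitespace a formatter would strip. The same pattern shows on the three description lines in the discovery_suspicious_proc_enumeration hunk and on `phase after compromising a system. ` in the discovery_system_time_discovery hunk. Stripping the trailing whitespace from those `+` lines keeps the description text clean without affecting the revert.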
diff --git a/rules_building_block/discovery_suspicious_proc_enumeration.toml b/rules_building_block/discovery_suspicious_proc_enumeration.toml index 5416dfa0a22..58422eaadf7 100644 --- a/rules_building_block/discovery_suspicious_proc_enumeration.toml +++ b/rules_building_block/discovery_suspicious_proc_enumeration.toml @@ -2,19 +2,20 @@ creation_date = "2023/06/09" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal -activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about -running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. +This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal +activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about +running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. """ from = "now-119m" -index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Suspicious Proc Pseudo File System Enumeration" 
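Review bot: The re-added description says the rule monitors `a rapid enumeration of 25 different proc cmd, stat, and exe files`, but the `[[rule.threshold.cardinality]]` block on `file.path` later in this file keeps `value = 100`, so the prose and the threshold disagree unless the 25 refers to something other than that cardinality. Either the description should say 100 or the cardinality should be 25; I would confirm which figure was tuned and adjust the other, e.g. `This rule monitors for a rapid enumeration of 100 different proc cmd, stat, and exe files, which suggests an abnormal`. The cardinality lines are unchanged context in the next hunk, so the mismatch predates this revert.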
@@ -46,12 +47,12 @@ tags = [ "Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", -] + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "threshold" - +building_block_type = "default" query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : ( @@ -59,9 +60,9 @@ file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.nam ) and not process.parent.pid : 1 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" @@ -72,7 +73,6 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -81,8 +81,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.threshold] field = ["host.id", "process.pid", "process.name"] value = 1 + [[rule.threshold.cardinality]] field = "file.path" value = 100 - - diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml index 146fae92b45..8445acfedac 100644 --- a/rules_building_block/discovery_system_network_connections.toml +++ b/rules_building_block/discovery_system_network_connections.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] building_block_type = "default" description = "Adversaries may attempt to get a listing of network connections to or from a compromised system." from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "System Network Connections Discovery" @@ -18,35 +20,32 @@ risk_score = 21 rule_id = "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("netstat", "lsof", "who", "w") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = "https://attack.mitre.org/techniques/T1049/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml
index 284105bfc7c..e558d25c5d3 100644
--- a/rules_building_block/discovery_system_service_discovery.toml
+++ b/rules_building_block/discovery_system_service_discovery.toml
@@ -1,41 +1,35 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" description = """ -Detects the usage of commonly used system service discovery techniques, which attackers may use during the -reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or -escalate privileges. +Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase +after compromising a system in order to gain a better understanding of the environment and/or escalate privileges. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "System Service Discovery through built-in Windows Utilities" risk_score = 21 rule_id = "e0881d20-54ac-457f-8733-fe0bc5d44c55" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -50,17 +44,15 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" reference = "https://attack.mitre.org/techniques/T1007/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml index 537fc9d8ae6..7f57882ce99 100644 --- a/rules_building_block/discovery_system_time_discovery.toml +++ b/rules_building_block/discovery_system_time_discovery.toml 
@@ -1,40 +1,35 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" description = """ Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance -phase after compromising a system. +phase after compromising a system. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "System Time Discovery" risk_score = 21 rule_id = "06568a02-af29-4f20-929c-f3af281e41aa" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" @@ -50,17 +45,15 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1124" name = "System Time Discovery" reference = "https://attack.mitre.org/techniques/T1124/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index dc1f9d25751..318357b4d7d 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml @@ -1,17 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may -attempt to get a listing of network connections to or from a compromised system to identify targets within an -environment. +attempt to get a listing of network connections to or from a compromised system to identify targets within an environment. """ from = "now-9m" index = ["logs-endpoint.events.process-*"] @@ -21,14 +22,13 @@ name = "Windows System Network Connections Discovery" risk_score = 21 rule_id = "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -49,9 +49,9 @@ process where event.type == "start" and ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" 
@@ -62,9 +62,7 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index 3116404c902..0cd59156c58 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -20,15 +22,13 @@ name = "Windows System Information Discovery" risk_score = 21 rule_id = "51176ed2-2d90-49f2-9f3d-17196428b169" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" @@ -52,17 +52,15 @@ process.parent.executable : ( ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml index cc3256581ed..411b406a4b8 100644 --- a/rules_building_block/execution_github_new_event_action_for_pat.toml +++ b/rules_building_block/execution_github_new_event_action_for_pat.toml @@ -3,12 +3,16 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.\n" +description = """ +Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -17,14 +21,13 @@ name = "First Occurrence GitHub Event for a Personal Access Token (PAT)" risk_score = 21 rule_id = "ce08b55a-f67d-4804-92b5-617b0fe5a5b5" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -34,7 +37,6 @@ event.action:* and github.hashed_token:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -48,11 +50,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "event.action"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml index f8c429ed7cb..98e6201bbf5 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml @@ -3,12 +3,16 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.\n" +description = """ +Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -17,14 +21,13 @@ name = "First Occurrence of Private Repo Event from Specific GitHub Personal Acc risk_score = 21 rule_id = "1e9b271c-8caa-4e20-aed8-e91e34de9283" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" 
@@ -35,7 +38,6 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal github.repository_public:false ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -49,11 +51,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.repo"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml index eeb3716928a..9f900204215 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml @@ -3,12 +3,16 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects a new private repo interaction for a GitHub user not seen in the last 14 days.\n" +description = """ +Detects a new private repo interaction for a GitHub user not seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -17,14 +21,13 @@ name = "First Occurrence of GitHub User Interaction with Private Repo" risk_score = 21 rule_id = "01c49712-25bc-49d2-a27d-d7ce52f5dc49" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -34,7 +37,6 @@ github.repo:* and user.name:* and github.repository_public:false ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,11 +50,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.repo"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml index e8232137bfa..c10de1f2ea0 100644 --- a/rules_building_block/execution_github_repo_created.toml +++ b/rules_building_block/execution_github_repo_created.toml @@ -3,12 +3,16 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] building_block_type = "default" -description = "A new GitHub repository was created.\n" +description = """ +A new GitHub repository was created. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" 
@@ -17,14 +21,13 @@ name = "GitHub Repo Created" risk_score = 21 rule_id = "6cea88e4-6ce2-4238-9981-a54c140d6336" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" @@ -32,7 +35,6 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "repo.create" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1648/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml index 52daf9d6e29..a9b685231e8 100644 --- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml +++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.\n" +description = """ +Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -17,14 +21,13 @@ name = "First Occurrence of GitHub Repo Interaction From a New IP" risk_score = 21 rule_id = "0294f105-d7af-4a02-ae90-35f56763ffa2" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -34,7 +37,6 @@ github.actor_ip:* and github.repo:* and github.repository_public:false ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,11 +50,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["github.repo", "github.actor_ip"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/execution_linux_segfault.toml b/rules_building_block/execution_linux_segfault.toml index e1d006ca679..052ee041024 100644 --- a/rules_building_block/execution_linux_segfault.toml +++ b/rules_building_block/execution_linux_segfault.toml @@ -3,11 +3,12 @@ bypass_bbr_timing = true creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/26" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Monitors kernel logs for segfault messages. A segfault, or segmentation fault, is an error that occurs when a program tries to access a memory location that it's not allowed to access, typically leading to program termination. A segfault 
@@ -46,15 +47,20 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" +building_block_type = "default" type = "query" - query = ''' host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:segfault ''' - [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index cef517d3a22..f4834c928b2 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml @@ -3,11 +3,12 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses. 
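Review bot: `building_block_type = "default"` is reinstated between `timestamp_override` and `type` rather than directly under `author`, which is where the other rule hunks in this commit (e.g. the discovery_*.toml rules earlier in this chunk) keep it and where alphabetical key order would place it. TOML does not care, but if the rule loader or formatter normalizes `[rule]` key order on save, the next edit to this file will churn exactly these lines again; I would keep the restored value but put it back under `author`: `author = ["Elastic"]` / `building_block_type = "default"`. The same out-of-order placement returns in execution_settingcontent_ms_file_creation.toml, execution_unix_socket_communication.toml, execution_wmi_wbemtest.toml (which also moves `interval` ahead of `index`) and initial_access_cross_site_scripting.toml. The enclosing `[rule]` table starts outside this hunk.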
@@ -17,19 +18,15 @@ index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Creation of SettingContent-ms Files" -references = ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"] +references = [ + "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", +] risk_score = 21 rule_id = "1e6363a6-3af5-41d4-b7ea-d475389c0ceb" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -41,39 +38,40 @@ file where host.os.type == "windows" and event.type == "creation" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" + [[rule.threat.technique.subtechnique]] + id = "T1204.002" + name = "Malicious File" + reference = "https://attack.mitre.org/techniques/T1204/002/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" + [[rule.threat.technique.subtechnique]] + id = "T1566.001" + name = "Spearphishing Attachment" + reference = "https://attack.mitre.org/techniques/T1566/001/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules_building_block/execution_unix_socket_communication.toml b/rules_building_block/execution_unix_socket_communication.toml index bd444e795c8..26e055dbed2 100644 --- a/rules_building_block/execution_unix_socket_communication.toml +++ b/rules_building_block/execution_unix_socket_communication.toml 
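Review bot: The restored `[[rule.threat.technique.subtechnique]]` tables (T1204.002 and T1566.001) and their `id`/`name`/`reference` keys come back with leading indentation, while the identically structured tables in execution_unsigned_service_executable.toml later in this commit stay at column 0. Both parse the same, but the mixed layout suggests these files were hand-formatted before the reverted change normalized them; if a formatter runs on the next touch it will rewrite this block again, so I would drop the indentation now to match the other rule files. The first `[[rule.threat]]` entry of this file begins outside the hunk.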
@@ -1,18 +1,19 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ -This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local -Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate -privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to -evade detection. +This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local +Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate +privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to +evade detection. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
@@ -23,18 +24,18 @@ risk_score = 21 rule_id = "41284ba3-ed1a-4598-bfba-a97f75d9aba2" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -45,17 +46,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml index e6c2b4816cc..ee7b2e8f624 100644 --- a/rules_building_block/execution_unsigned_service_executable.toml +++ b/rules_building_block/execution_unsigned_service_executable.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] 
@@ -20,15 +22,14 @@ name = "Execution of an Unsigned Service" risk_score = 21 rule_id = "56fdfcf1-ca7c-4fd9-951d-e215ee26e404" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -39,37 +40,36 @@ process.parent.executable:"C:\\Windows\\System32\\services.exe" and not process.code_signature.status : (errorCode_endpoint* or "errorChaining") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" @@ -78,8 +78,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" - - +value = "now-14d" \ No newline at end of file 
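Review bot: The last hunk here (`@@ -78,8 +78,7 @@`) leaves execution_unsigned_service_executable.toml without a terminating newline — its new side ends at `+value = "now-14d"` followed by `\ No newline at end of file`, whereas the other rule files restored in this commit end with a newline. A missing final newline makes the next diff of this file noisier and will be flagged by end-of-file pre-commit hooks if the repository uses them; add the newline after `value = "now-14d"`. Only the tail of the `[rule.new_terms]` section is visible in this hunk; the rest of the file lies outside it.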
diff --git a/rules_building_block/execution_wmi_wbemtest.toml b/rules_building_block/execution_wmi_wbemtest.toml index 0e8da7c0534..6f65b1aca47 100644 --- a/rules_building_block/execution_wmi_wbemtest.toml +++ b/rules_building_block/execution_wmi_wbemtest.toml @@ -2,40 +2,28 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints. """ from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] interval = "60m" +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "WMI WBEMTEST Utility Execution" risk_score = 21 rule_id = "d3551433-782f-4e22-bbea-c816af2d41c6" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -45,14 +33,13 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/impact_github_member_removed_from_organization.toml b/rules_building_block/impact_github_member_removed_from_organization.toml index 9b6f36d684b..ddffcc741d0 100644 --- a/rules_building_block/impact_github_member_removed_from_organization.toml +++ b/rules_building_block/impact_github_member_removed_from_organization.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "A member was removed or their invitation to join was removed from a GitHub Organization.\n" +description = """ +A member was removed or their invitation to join was removed from a GitHub Organization. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -17,14 +21,13 @@ name = "Member Removed From GitHub Organization" risk_score = 21 rule_id = "095b6a58-8f88-4b59-827c-ab584ad4e759" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -32,7 +35,6 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.remove_member" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml index 40804acb163..aa9fc0e0c90 100644 --- a/rules_building_block/impact_github_pat_access_revoked.toml +++ b/rules_building_block/impact_github_pat_access_revoked.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "Access to private GitHub organization resources was revoked for a PAT.\n" +description = """ +Access to private GitHub organization resources was revoked for a PAT. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -17,14 +21,13 @@ name = "GitHub PAT Access Revoked" risk_score = 21 rule_id = "8a0fd93a-7df8-410d-8808-4cc5e340f2b9" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -32,7 +35,6 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/impact_github_user_blocked_from_organization.toml b/rules_building_block/impact_github_user_blocked_from_organization.toml index 01bce32d75a..96daeacf88f 100644 --- a/rules_building_block/impact_github_user_blocked_from_organization.toml +++ b/rules_building_block/impact_github_user_blocked_from_organization.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "A GitHub user was blocked from access to an organization.\n" +description = """ +A GitHub user was blocked from access to an organization. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -17,14 +21,13 @@ name = "GitHub User Blocked From Organization" risk_score = 21 rule_id = "4030c951-448a-4017-a2da-ed60f6d14f4f" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -32,7 +35,6 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.block_user" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/initial_access_cross_site_scripting.toml b/rules_building_block/initial_access_cross_site_scripting.toml index c2a27be30ef..318d1616019 100644 --- a/rules_building_block/initial_access_cross_site_scripting.toml +++ b/rules_building_block/initial_access_cross_site_scripting.toml @@ -2,19 +2,20 @@ creation_date = "2023/07/12" integration = ["apm"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/12" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS -attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side -script. This detection rule identifies the potential malicious executions of such browser-side scripts. +Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. +In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a +browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts. """ from = "now-119m" -index = ["apm-*-transaction*", "traces-apm*"] interval = "60m" +index = ["apm-*-transaction*", "traces-apm*"] language = "eql" license = "Elastic License v2" name = "Potential Cross Site Scripting (XSS)" 
@@ -24,6 +25,7 @@ rule_id = "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c" severity = "low" tags = ["Data Source: APM", "Use Case: Threat Detection", "Tactic: Initial Access"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml index 85b7086c02e..b1fa1b90d21 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.\n" +description = """ +Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -17,14 +21,13 @@ name = "First Occurrence of IP Address For GitHub Personal Access Token (PAT)" risk_score = 21 rule_id = "fc909baa-fb34-4c46-9691-be276ef4234c" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" 
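Review bot: `building_block_type = "default"` is re-inserted at a different position in each file this patch touches: here in initial_access_cross_site_scripting.toml it lands between `timestamp_override` and `type` (likewise lateral_movement_rdp_conn_unusual_process.toml, lateral_movement_wmic_remote.toml and persistence_startup_folder_lnk.toml), while lateral_movement_at.toml, lateral_movement_unusual_process_sql_accounts.toml and persistence_transport_agent_exchange.toml place it after `type`, and the GitHub rules keep it directly after `author`. TOML does not care about key order inside `[rule]`, so the rules behave the same either way, but the removed lines had it in one consistent place (after `author`) and that is the order to return to once this revert lands, ideally by re-running the repository's rule formatter if it has one rather than by hand. I would not block a revert on it.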
@@ -34,7 +37,6 @@ github.actor_ip:* and github.hashed_token:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,8 +48,6 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -56,8 +56,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.actor_ip"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/initial_access_github_new_ip_address_for_user.toml b/rules_building_block/initial_access_github_new_ip_address_for_user.toml index 25ef2800c7d..38bb8adf040 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_user.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_user.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects a new IP address used for a GitHub user not previously seen in the last 14 days.\n" +description = """ +Detects a new IP address used for a GitHub user not previously seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -17,14 +21,13 @@ name = "First Occurrence of IP Address For GitHub User" risk_score = 21 rule_id = "3af4cb9b-973f-4c54-be2b-7623c0e21b2b" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -33,7 +36,6 @@ event.dataset:"github.audit" and event.category:"configuration" and github.actor_ip:* and user.name:* ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,8 +47,6 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -55,8 +55,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.actor_ip"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml index b473839076e..64308ff178a 100644 --- a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml +++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml 
@@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.\n" +description = """ +Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -17,14 +21,13 @@ name = "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)" risk_score = 21 rule_id = "0e4367a0-a483-439d-ad2e-d90500b925fd" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -34,7 +37,6 @@ github.user_agent:* and github.hashed_token:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,8 +48,6 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -56,8 +56,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.user_agent"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - 
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_user.toml b/rules_building_block/initial_access_github_new_user_agent_for_user.toml index 8463648e69e..7980a538de6 100644 --- a/rules_building_block/initial_access_github_new_user_agent_for_user.toml +++ b/rules_building_block/initial_access_github_new_user_agent_for_user.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects a new user agent used for a GitHub user not previously seen in the last 14 days.\n" +description = """ +Detects a new user agent used for a GitHub user not previously seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -17,14 +21,13 @@ name = "First Occurrence of User-Agent For a GitHub User" risk_score = 21 rule_id = "41761cd3-380f-4d4d-89f3-46d6853ee35d" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -33,7 +36,6 @@ event.dataset:"github.audit" and event.category:"configuration" and github.user_agent:* and user.name:* ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,8 +47,6 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" 
@@ -55,8 +55,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.user_agent"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml index 17e6965f898..0ccabf7ce6f 100644 --- a/rules_building_block/lateral_movement_at.toml +++ b/rules_building_block/lateral_movement_at.toml 
@@ -2,41 +2,29 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement. """ from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] interval = "60m" +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "At.exe Command Lateral Movement" risk_score = 21 rule_id = "b483365c-98a8-40c0-92d8-0458ca25058a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" 
@@ -45,22 +33,25 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" @@ -71,10 +62,7 @@ id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml index 4a6aa3206d1..6110207d585 100644 --- a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml +++ b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml 
@@ -2,33 +2,29 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral -movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP -connection to evade detection. +movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish +an RDP connection to evade detection. """ from = "now-119m" -index = ["logs-endpoint.events.network-*"] interval = "60m" +index = ["logs-endpoint.events.network-*"] language = "eql" license = "Elastic License v2" name = "Potential Outgoing RDP Connection by Unusual Process" risk_score = 21 rule_id = "8e39f54e-910b-4adb-a87e-494fbba5fb65" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -67,4 +63,3 @@ reference = "https://attack.mitre.org/techniques/T1021/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml index dbc9fce692a..1739922bb4f 100644 --- a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml +++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml 
@@ -1,16 +1,17 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ -Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of -SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement. +Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL +instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement. """ from = "now-9m" index = ["logs-endpoint.events.process-*"] 
@@ -19,22 +20,15 @@ license = "Elastic License v2" name = "Unusual Process For MSSQL Service Accounts" references = [ "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/", - "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16", + "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16" ] risk_score = 21 rule_id = "e74d645b-fec6-431e-bf93-ca64a538e0de" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where event.type == "start" and host.os.type == "windows" and @@ -88,21 +82,21 @@ reference = "https://attack.mitre.org/techniques/T1210/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.001" name = "SQL Stored Procedures" reference = "https://attack.mitre.org/techniques/T1505/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 27337528974..9238c44be4d 100644 
--- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -2,33 +2,28 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "WMIC Remote Command" risk_score = 21 rule_id = "f59668de-caa0-4b84-94c1-3a1549e1e798" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -42,31 +37,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml index f4aaaef461d..ed153da8642 100644 --- a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml +++ b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml @@ -3,7 +3,9 @@ bypass_bbr_timing = true creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/30" [rule] author = ["Elastic"] @@ -30,7 +32,7 @@ tags = [ "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence", - "Rule Type: BBR", + "Rule Type: BBR" ] timestamp_override = "event.ingested" type = "query" 
@@ -43,16 +45,6 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" @@ -61,7 +53,14 @@ reference = "https://attack.mitre.org/techniques/T1098/" id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] diff --git a/rules_building_block/persistence_creation_of_kernel_module.toml b/rules_building_block/persistence_creation_of_kernel_module.toml index 4ba49615de2..1a5f88f2100 100644 --- a/rules_building_block/persistence_creation_of_kernel_module.toml +++ b/rules_building_block/persistence_creation_of_kernel_module.toml 
@@ -2,15 +2,19 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] building_block_type = "default" -description = "Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.\n" +description = """ +Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory. +""" from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Creation of Kernel Module" @@ -18,17 +22,16 @@ risk_score = 21 rule_id = "947827c6-9ed6-4dec-903e-c856c86e72f3" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and file.extension == "ko" and not process.name : ( 
@@ -36,22 +39,20 @@ file.extension == "ko" and not process.name : ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml index a7cfbd7e476..cfef12dc021 100644 --- a/rules_building_block/persistence_github_new_pat_for_user.toml +++ b/rules_building_block/persistence_github_new_pat_for_user.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "A new PAT was used for a GitHub user not previously seen in the last 14 days.\n" +description = """ +A new PAT was used for a GitHub user not previously seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -17,14 +21,13 @@ name = "First Occurrence of Personal Access Token (PAT) Use For a GitHub User" risk_score = 21 rule_id = "f94e898e-94f1-4545-8923-03e4b2866211" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -34,7 +37,6 @@ github.hashed_token:* and user.name:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,8 +48,6 @@ id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -56,8 +56,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.hashed_token"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml index 6de318f9160..685fa8fbe53 100644 --- a/rules_building_block/persistence_github_new_user_added_to_organization.toml +++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml 
@@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "A new user was added to a GitHub organization.\n" +description = """ +A new user was added to a GitHub organization. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -17,14 +21,13 @@ name = "New User Added To GitHub Organization" risk_score = 21 rule_id = "61336fe6-c043-4743-ab6e-41292f439603" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" @@ -32,7 +35,6 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.add_member" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -44,10 +46,7 @@ id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/persistence_startup_folder_lnk.toml b/rules_building_block/persistence_startup_folder_lnk.toml index 0cfb8ff93eb..c8967f887ff 100644 --- a/rules_building_block/persistence_startup_folder_lnk.toml +++ b/rules_building_block/persistence_startup_folder_lnk.toml 
@@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies shortcut files written to or modified in the startup folder. Adversaries may use this technique to maintain persistence. @@ -20,15 +21,9 @@ name = "Shortcut File Written or Modified on Startup Folder" risk_score = 21 rule_id = "ee53d67a-5f0c-423c-a53c-8084ae562b5c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -68,4 +63,3 @@ reference = "https://attack.mitre.org/techniques/T1547/009/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml index 41a64eb14b5..993b637e4ae 100644 --- a/rules_building_block/persistence_transport_agent_exchange.toml +++ b/rules_building_block/persistence_transport_agent_exchange.toml 
@@ -2,19 +2,20 @@ creation_date = "2023/07/14" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence. """ from = "now-119m" -index = ["winlogbeat-*", "logs-windows.powershell*"] interval = "60m" +index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "Microsoft Exchange Transport Agent Install Script" @@ -36,16 +37,10 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: PowerShell Logs", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" +building_block_type = "default" query = ''' event.category: "process" and host.os.type:windows and 
@@ -63,35 +58,34 @@ event.category: "process" and host.os.type:windows and ) ''' - [[rule.filters]] - [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -case_insensitive = true -value = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" -[[rule.filters]] +"case_insensitive" = true +"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" +[[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -case_insensitive = true -value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" -[[rule.filters]] +"case_insensitive" = true +"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" +[[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -case_insensitive = true -value = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" -[[rule.filters]] +"case_insensitive" = true +"value" = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" +[[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -case_insensitive = true -value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" +"case_insensitive" = true +"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -126,4 +120,3 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/privilege_escalation_trap_execution.toml b/rules_building_block/privilege_escalation_trap_execution.toml index 52787ad90e8..f077ca029f9 100644 --- a/rules_building_block/privilege_escalation_trap_execution.toml 
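Review bot: In the four `[rule.filters.query.wildcard."file.path"]` tables the keys become `"case_insensitive"` and `"value"` while `negate = true` in the neighbouring `[rule.filters.meta]` table stays bare, so the restored file mixes quoted and bare keys that parse to the same TOML; a bare `case_insensitive = true` / `value = "..."` pair gives the identical result and matches the rest of the table. The wildcard patterns themselves are reproduced byte-for-byte, so the exclusions for the RemotePowerShell and tmp_????????.??? script paths still apply exactly as before. Keeping the quoting is harmless if the intent is a byte-faithful revert.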
+++ b/rules_building_block/privilege_escalation_trap_execution.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -12,8 +14,8 @@ Identify activity related where adversaries can include a trap command which the
 commands that will be executed upon receiving interrupt signals.
 """
 from = "now-119m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 interval = "60m"
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Trap Signals Execution"
@@ -21,40 +23,37 @@ risk_score = 21 rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "trap" and process.args : "SIG*" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.005" name = "Trap" reference = "https://attack.mitre.org/techniques/T1546/005/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index f73dcd8f420..2170d5a7551 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -28,7 +28,7 @@ ThresholdAlertSuppression, TOMLRuleContents) from detection_rules.rule_loader import FILE_PATTERN from detection_rules.rule_validators import EQLValidator, KQLValidator -from detection_rules.schemas import definitions, get_min_supported_stack_version, get_stack_schemas +from detection_rules.schemas import definitions, get_stack_schemas from detection_rules.utils import INTEGRATION_RULE_DIR, PatchedTemplate, get_path, load_etc_dump from detection_rules.version_lock import default_version_lock from rta import get_available_tests 
@@ -1111,7 +1111,6 @@ class TestBuildTimeFields(BaseRuleTest): def test_build_fields_min_stack(self): """Test that newly introduced build-time fields for a min_stack for applicable rules.""" current_stack_ver = PACKAGE_STACK_VERSION - min_supported_stack_version = get_min_supported_stack_version() invalids = [] for rule in self.production_rules: @@ -1121,12 +1120,7 @@ def test_build_fields_min_stack(self): errors = [] for build_field, field_versions in build_fields.items(): start_ver, end_ver = field_versions - # when a _new_ build time field is introduced, _all_ rules _must_ have a min_stack_version for the stack - # version in which the field was introduced. This is because the initial change will result in a hash - # change which is different because of the build time fields. - # This also ensures that the introduced version is greater than the min supported, in order to age off - # old and unneeded checks. (i.e. 8.3.0 < 8.9.0 min supported, so it is irrelevant now) - if start_ver is not None and current_stack_ver >= start_ver >= min_supported_stack_version: + if start_ver is not None and current_stack_ver >= start_ver: if min_stack is None or not Version.parse(min_stack) >= start_ver: errors.append(f'{build_field} >= {start_ver}')