diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml
index bda7d3dbe3b..1dfd97ad776 100644
--- a/.github/workflows/lock-versions.yml
+++ b/.github/workflows/lock-versions.yml
@@ -6,7 +6,7 @@ on:
 description: 'List of branches to lock versions (ordered, comma separated)'
 required: true
 # 7.17 was intentionally skipped because it was added late and was bug fix only
- default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14'
+ default: '8.9,8.10,8.11,8.12,8.13,8.14'
 jobs:
 pr:
diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py
index 71bd2f218eb..7befb9d1a37 100644
--- a/detection_rules/devtools.py
+++ b/detection_rules/devtools.py
@@ -812,8 +812,9 @@ def raw_permalink(raw_link):
 @dev_group.command('trim-version-lock')
 @click.argument('stack_version')
+@click.option('--skip-rule-updates', is_flag=True, help='Skip updating the rules')
 @click.option('--dry-run', is_flag=True, help='Print the changes rather than saving the file')
-def trim_version_lock(stack_version: str, dry_run: bool):
+def trim_version_lock(stack_version: str, skip_rule_updates: bool, dry_run: bool):
 """Trim all previous entries within the version lock file which are lower than the min_version."""
 stack_versions = get_stack_versions()
 assert stack_version in stack_versions, \
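Review bot: The docstring on `trim_version_lock` still describes only trimming the version lock file, but with the new `--skip-rule-updates` flag the default non-dry-run path now also rewrites rule TOML files (dropping `min_stack_version`/`min_stack_comments` and setting `updated_date`), as the following hunk shows. Both the docstring and the option help should state that, since a maintainer running the command without the flag will get a large working-tree change they did not ask for; e.g. `help='Skip rewriting rule files to drop their min_stack_version and min_stack_comments'`, and a second docstring sentence saying that unless --skip-rule-updates is given, rules whose locked min_stack_version is at or below the given stack version are rewritten with that field removed and updated_date set to today. The body of `trim_version_lock` continues past this hunk.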
@@ -821,36 +822,78 @@ def trim_version_lock(stack_version: str, dry_run: bool):
 min_version = Version.parse(stack_version)
 version_lock_dict = default_version_lock.version_lock.to_dict()
- removed = {}
+ removed = defaultdict(list)
+ rule_msv_drops = []
+
+ today = time.strftime('%Y/%m/%d')
+ rc: RuleCollection | None = None
+ if dry_run:
+ rc = RuleCollection()
+ else:
+ if not skip_rule_updates:
+ click.echo('Loading rules ...')
+ rc = RuleCollection.default()
 for rule_id, lock in version_lock_dict.items():
+ file_min_stack: Version | None = None
+ if 'min_stack_version' in lock:
+ file_min_stack = Version.parse((lock['min_stack_version']), optional_minor_and_patch=True)
+ if file_min_stack <= min_version:
+ removed[rule_id].append(
+ f'locked min_stack_version <= {min_version} - {"will remove" if dry_run else "removing"}!'
+ )
+ rule_msv_drops.append(rule_id)
+ file_min_stack = None
+
+ if not dry_run:
+ lock.pop('min_stack_version')
+ if not skip_rule_updates:
+ # remove the min_stack_version and min_stack_comments from rules as well (and update date)
+ rule = rc.id_map.get(rule_id)
+ if rule:
+ new_meta = dataclasses.replace(
+ rule.contents.metadata,
+ updated_date=today,
+ min_stack_version=None,
+ min_stack_comments=None
+ )
+ contents = dataclasses.replace(rule.contents, metadata=new_meta)
+ new_rule = TOMLRule(contents=contents, path=rule.path)
+ new_rule.save_toml()
+ removed[rule_id].append('rule min_stack_version dropped')
+ else:
+ removed[rule_id].append('rule not found to update!')
+
 if 'previous' in lock:
 prev_vers = [Version.parse(v, optional_minor_and_patch=True) for v in list(lock['previous'])]
- outdated_vers = [f"{v.major}.{v.minor}" for v in prev_vers if v < min_version]
+ outdated_vers = [v for v in prev_vers if v < min_version]
 if not outdated_vers:
 continue
 # we want to remove all "old" versions, but save the latest that is >= the min version supplied as the new
 # stack_version.
+ latest_version = max(outdated_vers)
- if dry_run:
- outdated_minus_current = [str(v) for v in outdated_vers if v < stack_version]
- if outdated_minus_current:
- removed[rule_id] = outdated_minus_current
 for outdated in outdated_vers:
- popped = lock['previous'].pop(str(outdated))
- if outdated >= stack_version:
- lock['previous'][str(Version(stack_version[:2]))] = popped
+ short_outdated = f"{outdated.major}.{outdated.minor}"
+ popped = lock['previous'].pop(str(short_outdated))
+ # the core of the update - we only need to keep previous entries that are newer than the min supported
+ # version (from stack-schema-map and stack-version parameter) and older than the locked
+ # min_stack_version for a given rule, if one exists
+ if file_min_stack and outdated == latest_version and outdated < file_min_stack:
+ lock['previous'][f'{min_version.major}.{min_version.minor}'] = popped
+ removed[rule_id].append(f'{short_outdated} updated to: {min_version.major}.{min_version.minor}')
+ else:
+ removed[rule_id].append(f'{outdated} dropped')
 # remove the whole previous entry if it is now blank
 if not lock['previous']:
 lock.pop('previous')
- if dry_run:
- click.echo(f'The following versions would be collapsed to {stack_version}:' if removed else 'No changes')
- click.echo('\n'.join(f'{k}: {", ".join(v)}' for k, v in removed.items()))
- else:
+ click.echo(f'Changes {"that will be " if dry_run else ""} applied:' if removed else 'No changes')
+ click.echo('\n'.join(f'{k}: {", ".join(v)}' for k, v in removed.items()))
+ if not dry_run:
 new_lock = VersionLockFile.from_dict(dict(data=version_lock_dict))
 new_lock.save_to_file()
diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml
index 9daf9547d8a..f2ea604e4ca 100644
--- a/detection_rules/etc/stack-schema-map.yaml
+++ b/detection_rules/etc/stack-schema-map.yaml
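Review bot: `rule_msv_drops` is appended to whenever a locked min_stack_version is dropped but is never read anywhere before `new_lock.save_to_file()`, where the hunk ends, so it is either dead or was meant to feed the summary; remove it or use it. The summary line also prints with a doubled space in the non-dry-run case because the conditional already carries the trailing blank: `click.echo(f'Changes {"that will be " if dry_run else ""}applied:' if removed else 'No changes')`. One thing to confirm rather than assume: the rule TOML is rewritten via `new_rule.save_toml()` while the lock entry's `sha256` is left untouched, so if that hash covers rule metadata the saved rule and the lock would silently drift; a comment on the `save_toml()` line stating which fields the lock hash covers would settle it for the next reader. Minor consistency point: the `else` branch records `f'{outdated} dropped'` with the full parsed version while the kept branch uses `short_outdated`; using `short_outdated` in both keeps the report aligned with the lock keys it names.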
@@ -42,39 +42,38 @@
 # beats: "8.2.1"
 # ecs: "8.2.1"
 # endgame: "1.9.0"
+# "8.3.0":
+# beats: "8.3.3"
+# ecs: "8.3.1"
+# endgame: "1.9.0"
+
+# "8.4.0":
+# beats: "8.4.3"
+# ecs: "8.4.0"
+# endgame: "8.4.0"
+
+# "8.5.0":
+# beats: "8.5.3"
+# ecs: "8.5.2"
+# endgame: "8.4.0"
+
+# "8.6.0":
+# beats: "8.6.1"
+# ecs: "8.6.1"
+# endgame: "8.4.0"
+
+# "8.7.0":
+# beats: "8.7.0"
+# ecs: "8.7.0"
+# endgame: "8.4.0"
+
+# "8.8.0":
+# beats: "8.8.2"
+# ecs: "8.8.0"
+# endgame: "8.4.0"
 ## Supported
-"8.3.0":
- beats: "8.3.3"
- ecs: "8.3.1"
- endgame: "1.9.0"
-
-"8.4.0":
- beats: "8.4.3"
- ecs: "8.4.0"
- endgame: "8.4.0"
-
-"8.5.0":
- beats: "8.5.3"
- ecs: "8.5.2"
- endgame: "8.4.0"
-
-"8.6.0":
- beats: "8.6.1"
- ecs: "8.6.1"
- endgame: "8.4.0"
-
-"8.7.0":
- beats: "8.7.0"
- ecs: "8.7.0"
- endgame: "8.4.0"
-
-"8.8.0":
- beats: "8.8.2"
- ecs: "8.8.0"
- endgame: "8.4.0"
-
 "8.9.0":
 beats: "8.9.0"
 ecs: "8.9.0"
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index d28d74a8359..b59efb5d6fd 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -16,346 +16,258 @@ "version": 207 }, "00140285-b827-4aee-aa09-8113f58a08f3": { - "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "ac7d08baf88d495e5767d5845ee47e22b500b643e11ca7e806309d30e958a1fc", "type": "eql", "version": 112 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { - "min_stack_version": "8.3", "rule_name": "System Shells via Services", "sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71", "type": "eql", "version": 110 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "Google Workspace Suspended User Account Renewed", "sha256": "cfbc6ffe95e39937d68146e42f932947e2c3c96cc9a42ab296e12bc8c613f5f1", "type": "query", "version": 2 }, "0136b315-b566-482f-866c-1d8e2477ba16": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 User Restricted from Sending Email", - "sha256": "3801a06e2eb380734652847208adb12ceb5e1bb394da148a047b8a25afe3bc17", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 User Restricted from Sending Email", "sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f", "type": "query", "version": 206 }, "015cca13-8832-49ac-a01b-a396114809f6": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Redshift Cluster Creation", - "sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Redshift Cluster Creation", "sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca", "type": "query", "version": 206 }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { - "min_stack_version": "8.3", "rule_name": "Potential Network Scan Detected", "sha256": "931bd95c0fff284b33e383dce3f3fccaf7b0c36b8b6b946b1c39ff5ded2aa8e1", "type": "threshold", "version": 5 }, 
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": { - "min_stack_version": "8.6", "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf", "type": "new_terms", "version": 1 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { - "min_stack_version": "8.3", "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10", "type": "eql", "version": 105 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c", "type": "new_terms", "version": 1 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { - "min_stack_version": "8.4", "rule_name": "Process Created with an Elevated Token", "sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db", "type": "eql", "version": 6 }, "02a4576a-7480-4284-9327-548a806b5e48": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "8f8844fda927ba3149c7d983e7f7619e33e5745f8b1f389c0e10f3b6ba852e0a", - "type": "eql", - "version": 106 - } - }, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac", "type": "eql", "version": 208 }, "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { - "min_stack_version": "8.3", "rule_name": "Potential Ransomware Note File Dropped via SMB", "sha256": "dafd8f85b8e37f96aaabd0405826cb232ac4c2f22571f2878d3a875a0e141da8", "type": "eql", "version": 1 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { - "min_stack_version": "8.3", "rule_name": "Dumping Account Hashes via Built-In Commands", "sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb", "type": "query", 
"version": 106 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "f0f075e54cb17ce304f0d93b12277a29c7b1454d8bec5c05615e31fc6ebee725", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573", "type": "query", "version": 206 }, "035889c4-2686-4583-a7df-67f89c292f2c": { - "min_stack_version": "8.3", "rule_name": "High Number of Process and/or Service Terminations", "sha256": "5bb8f568879a496363f640b8866b46e0a39fe4e15005cab6f5af9eb499e3584d", "type": "threshold", "version": 109 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { - "min_stack_version": "8.3", "rule_name": "Potential Memory Seeking Activity", "sha256": "4fa0b41dabe97414e45d4ae961a4c4fd9c445bca04d51659e7251547e80fe258", "type": "eql", "version": 2 }, "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { - "min_stack_version": "8.3", "rule_name": "Suspicious Dynamic Linker Discovery via od", "sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8", "type": "eql", "version": 2 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { - "min_stack_version": "8.8", "rule_name": "SSH Process Launched From Inside A Container", "sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d", "type": "eql", "version": 2 }, "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { - "min_stack_version": "8.3", "rule_name": "Potential Network Scan Executed From Host", "sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4", "type": "threshold", "version": 3 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { - "min_stack_version": "8.3", "rule_name": "Modification of OpenSSH Binaries", "sha256": "ceef6d0c728c9575da9bd78da19050dc7e02eaee57eca642272639b91d863494", "type": "query", "version": 109 }, 
"041d4d41-9589-43e2-ba13-5680af75ebc2": { - "min_stack_version": "8.3", "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", "sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047", "type": "query", "version": 105 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { - "min_stack_version": "8.3", "rule_name": "Azure AD Global Administrator Role Assigned", "sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9", "type": "query", "version": 102 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { - "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "sha256": "08eeec4ed1f73497e06767edc13231268e1d647f7b29f0401175d1618d04affa", "type": "eql", "version": 110 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { - "min_stack_version": "8.6", "rule_name": "Potential Persistence Through Systemd-udevd", "sha256": "f62fb7313ec0d7a280a370adae0caf8ba65410a71d6574ade7ab588a95963763", "type": "new_terms", "version": 3 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { - "min_stack_version": "8.3", "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "a85b92effa53537c7a86f7871455c176bc2c48a6928248fa29dcf8a548677730", "type": "eql", "version": 110 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { - "min_stack_version": "8.3", "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e", "type": "eql", "version": 110 }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { - "min_stack_version": "8.3", "rule_name": "Tainted Kernel Module Load", "sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4", "type": "query", "version": 4 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { - "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Perl", "sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754", "type": "query", "version": 108 }, 
"0635c542-1b96-4335-9b47-126582d2c19a": { - "min_stack_version": "8.3", "rule_name": "Remote System Discovery Commands", "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", "type": "eql", "version": 112 }, "06568a02-af29-4f20-929c-f3af281e41aa": { - "min_stack_version": "8.3", "rule_name": "System Time Discovery", "sha256": "c26f50ed371b312a315bf0bbbc399f65d446218ecd7f63e471538c0e145ea7c9", "type": "eql", "version": 7 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { - "min_stack_version": "8.9", "rule_name": "Unusual Remote File Size", "sha256": "db958e84da3e58cefee53ec77d608ff51199a4e721318451ce091585bb908cc1", "type": "machine_learning", "version": 3 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { - "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", "sha256": "4e653f97afcad71acd94ddf79e5534455c79986773fc543839900cc60e129d88", "type": "eql", "version": 7 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { - "min_stack_version": "8.3", "rule_name": "Potential Evasion via Filter Manager", "sha256": "547a848b0b1c9458a6a838abb3430914bb8557a0b1bd030f11d882f5605e024c", "type": "eql", "version": 110 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { - "min_stack_version": "8.3", "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "4682c4aac80de38bf56894acd47cac808366a9f47329763291361bb23756d3a8", "type": "eql", "version": 110 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { - "min_stack_version": "8.3", "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "092ecb6ac6f1197744e2e114398553fa810674561481b66f9665c3ed95ff0017", "type": "eql", "version": 2 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { - "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", "sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5", "type": "threshold", "version": 7 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { - "min_stack_version": "8.3", "rule_name": "Local Account 
TokenFilter Policy Disabled", "sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46", "type": "eql", "version": 8 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Drive Ownership Transferred via Google Workspace", - "sha256": "4ec0b63c545009d7d16d34cd9b95f34edbcf4135f498aa77a805f544b07e6310", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Drive Ownership Transferred via Google Workspace", "sha256": "9df4d9a342110c032419b2564bf6376a9357291ca8b3ead073faf9e5214419e6", "type": "query", "version": 106 }, "080bc66a-5d56-4d1f-8071-817671716db9": { - "min_stack_version": "8.3", "rule_name": "Suspicious Browser Child Process", - "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be", + "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be", "type": "eql", "version": 107 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { - "min_stack_version": "8.3", "rule_name": "Launch Agent Creation or Modification and Immediate Loading", "sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879", "type": "eql", "version": 106 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { - "min_stack_version": "8.3", "rule_name": "Suspicious Hidden Child Process of Launchd", "sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece", "type": "query", "version": 106 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { - "min_stack_version": "8.4", "rule_name": "First Time Seen Removable Device", "sha256": "085b5157400c5090fec630066b9c606cb33fa8334b9c49babca8242399a11b91", "type": "new_terms", "version": 4 }, "089db1af-740d-4d84-9a5b-babd6de143b0": { - "min_stack_version": "8.3", "rule_name": "Windows Account or Group Discovery", "sha256": "45048599d6d9175e13e297d71afbd3a7d4d80e6d6421abd188c563a5c862bfbb", "type": "eql", 
@@ -368,21 +280,18 @@ "version": 100 }, "092b068f-84ac-485d-8a55-7dd9e006715f": { - "min_stack_version": "8.3", "rule_name": "Creation of Hidden Launch Agent or Daemon", "sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993", "type": "eql", "version": 107 }, "09443c92-46b3-45a4-8f25-383b028b258d": { - "min_stack_version": "8.3", "rule_name": "Process Termination followed by Deletion", "sha256": "8628999b147b10ff30f618a79c4aee2123744abc0e2bb05cc8c98d11017145ad", "type": "eql", "version": 109 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { - "min_stack_version": "8.3", "rule_name": "Member Removed From GitHub Organization", "sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a", "type": "eql", @@ -395,21 +304,18 @@ "version": 100 }, "09bc6c90-7501-494d-b015-5d988dc3f233": { - "min_stack_version": "8.3", "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "sha256": "bdc3b02c0073ad81ac689ad056327c1e74d84408ac65b51b4738e1fc7c3b5d13", "type": "eql", "version": 4 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { - "min_stack_version": "8.3", "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", "sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53", "type": "query", "version": 102 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { - "min_stack_version": "8.3", "rule_name": "Malware - Detected - Elastic Endgame", "sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2", "type": "query", @@ -425,7 +331,7 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", 
@@ -439,58 +345,42 @@ "version": 106 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { - "min_stack_version": "8.3", "rule_name": "Anomalous Windows Process Creation", "sha256": "a97e8495484e9053dfe57d0b3b3e2cc47984f3e326f8bce2c00bcab788337579", "type": "machine_learning", "version": 105 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { - "min_stack_version": "8.3", "rule_name": "User account exposed to Kerberoasting", "sha256": "830231e34039027f460477ed025efa9ef0a7efb45b9d97d43080f7d9deceeec3", "type": "query", "version": 109 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { - "min_stack_version": "8.3", "rule_name": "Potential Shell via Wildcard Injection Detected", "sha256": "d23957bdc3e4530971529039105978c60ef34d1dda87b408528c03a1d39da1ca", "type": "eql", "version": 5 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { - "min_stack_version": "8.3", "rule_name": "Processes with Trailing Spaces", "sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286", "type": "eql", "version": 2 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { - "min_stack_version": "8.5", "rule_name": "Threat Intel IP Address Indicator Match", "sha256": "cd59f82b14abfb2a445bdd96682846602eb2f8abc1ef27f64dda99f452f99290", "type": "threat_match", "version": 6 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { - "min_stack_version": "8.3", "rule_name": "Peripheral Device Discovery", "sha256": "f01eac25f9c7d222bc6e12ea4b86f7b4a06d4b76608183e9be91aaf9671427b7", "type": "eql", "version": 109 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { - "min_stack_version": "8.5", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "Threat Intel Indicator Match", - "sha256": "7d0bb73186b47e9fa99ec5b21fe2b862b5cbd6432100901fc476e30bced047a3", - "type": "threat_match", - "version": 105 - } - }, "rule_name": "Deprecated - Threat Intel Indicator Match", "sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a", "type": "threat_match", 
@@ -504,97 +394,60 @@ "version": 1 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", - "sha256": "2dfc5642c7eff9f946739bbe4289e5bd8fe6f4374a492ed1fc5215e7b6e721ff", - "type": "query", - "version": 106 - } - }, "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", "sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746", "type": "query", "version": 206 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { - "min_stack_version": "8.3", "rule_name": "Multiple Alerts Involving a User", "sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252", "type": "threshold", "version": 3 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { - "min_stack_version": "8.3", "rule_name": "Nping Process Activity", "sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec", "type": "eql", "version": 108 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { - "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by Microsoft Office", "sha256": "e6fecbbaa834a04e699f62857b0e60f7e8c9bb3cb40d033165265ace22ac1cbb", "type": "eql", "version": 110 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8", "type": "new_terms", "version": 1 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "SharePoint Malware File Upload", - "sha256": "e32858e7a0449a506cfe595eabf2e1e82954cf683de287c05d0bf7295253c579", - "type": "query", - "version": 106 - } - }, "rule_name": "SharePoint Malware File Upload", "sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393", "type": "query", "version": 206 }, 
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { - "min_stack_version": "8.3", "rule_name": "GCP Service Account Key Creation", "sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b", "type": "query", "version": 104 }, "0e79980b-4250-4a50-a509-69294c14e84b": { - "min_stack_version": "8.3", "rule_name": "MsBuild Making Network Connections", "sha256": "c8013d923873ed418f022b29c77bb4c548a392af89e2a3cd747186d534386880", "type": "eql", "version": 109 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 102, - "rule_name": "RC Script Creation", - "sha256": "56ff748867dc738357a731cfd37b4ae44c954383780d616e3d9034aed76dd9e1", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Persistence Through Run Control Detected", "sha256": "6feb69680930d9a84dce295a56510b4938d7455565609a55b6f340a60f9eee5b", "type": "new_terms", "version": 110 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { - "min_stack_version": "8.3", "rule_name": "Netcat Listener Established via rlwrap", "sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147", "type": "eql", 
@@ -607,30 +460,18 @@ "version": 100 }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "62abee660a99e58c72f6c4c79047fea8effc510ba10448a766fc3d03d4a36720", - "type": "threshold", - "version": 106 - } - }, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735", "type": "threshold", "version": 208 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { - "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Root Crontab File Modification", "sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895", "type": "query", "version": 106 }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { - "min_stack_version": "8.9", "rule_name": "AWS IAM Login Profile Added to User", "sha256": "aa8a7eac601e73065c58f11ee43537d79be77a14b5a766d34772f5b1cc74c2e9", "type": "query", 
@@ -643,53 +484,30 @@ "version": 100 }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { - "min_stack_version": "8.7", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "WebProxy Settings Modification", - "sha256": "6a6fc5b28bc33810532d1d7a900fbf07ff13f612317d5e8518f9b19104567c0a", - "type": "query", - "version": 106 - } - }, "rule_name": "WebProxy Settings Modification", "sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af", "type": "query", "version": 206 }, "11013227-0301-4a8c-b150-4db924484475": { - "min_stack_version": "8.3", "rule_name": "Abnormally Large DNS Response", "sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721", "type": "query", "version": 105 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { - "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "sha256": "47fb83a4f1705416ad0ba2cf6d42e319617bf0e145a68f21652116832e770309", "type": "eql", "version": 110 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "94905ad569d414ab1a3c0037dcdb641498c790debb11ceeea8d3354c9b7acd76", "type": "eql", "version": 111 }, "119c8877-8613-416d-a98a-96b6664ee73a": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Snapshot Export", - "sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Snapshot Export", "sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c", "type": "query", 
@@ -702,30 +520,18 @@ "version": 100 }, "11dd9713-0ec6-4110-9707-32daae1ee68c": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script with Token Impersonation Capabilities", "sha256": "049b0cbfdd71a4ec9ecdce8350842eb7d32d60c45681f6342878de029adf212a", "type": "query", "version": 11 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { - "min_stack_version": "8.3", "rule_name": "Third-party Backup Files Deleted via Unexpected Process", "sha256": "c0a79cd64ff9bae3ad1545d8a18809dd34644d93ed177bd5f4586a2bb2cb4dba", "type": "eql", "version": 112 }, "12051077-0124-4394-9522-8f4f4db1d674": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", "sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7", "type": "query", @@ -738,7 +544,6 @@ "version": 100 }, "1224da6c-0326-4b4f-8454-68cdc5ae542b": { - "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a User", "sha256": "37bda4461229741fa959b9d762f3bf17c0d03378734fbc1a04cbe4563675bea6", "type": "machine_learning", 
@@ -751,83 +556,48 @@ "version": 100 }, "128468bf-cab1-4637-99ea-fdf3780a4609": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 104, - "rule_name": "Suspicious Lsass Process Access", - "sha256": "c30f6e62697cdaf210db4d6f79d2686bc91e4427ee7bbaea3468482a88373d5c", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious Lsass Process Access", "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554", "type": "eql", "version": 107 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Suspicious Self-Subject Review", - "sha256": "658882e3d31e0988978c24743e8f15fb3423fde5b395cbfc75a641548a291359", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Suspicious Self-Subject Review", "sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec", "type": "query", "version": 203 }, "12cbf709-69e8-4055-94f9-24314385c27e": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Pod Created With HostNetwork", - "sha256": "00e261301692eeb8bc7453cbea5c4605ca9c6d2ae38199b35ad83ffd4a9d0c4b", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Pod Created With HostNetwork", "sha256": "e48fb5d94222f67fbea19233c7fea01163d00908c3844df80f9e36d5e87ad7b7", "type": "query", "version": 203 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { - "min_stack_version": "8.3", "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a", "type": "eql", "version": 3 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { - "min_stack_version": "8.3", "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "07748a896518875c7361a26af5beac29e29097fd6ec0285208e2e88d7df4a538", "type": "eql", "version": 111 }, 
"1327384f-00f3-44d5-9a8c-2373ba071e92": { - "min_stack_version": "8.3", "rule_name": "Persistence via Scheduled Job Creation", "sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471", "type": "eql", "version": 108 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { - "min_stack_version": "8.3", "rule_name": "Rare User Logon", "sha256": "84ad771aac0fd0883efd7525692d964e0f85a436752431c84b7dc4e012b05679", "type": "machine_learning", "version": 104 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { - "min_stack_version": "8.3", "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", "sha256": "c119669a028d3ccf727586836356bcd2113986db9358089ed57907330b748a73", "type": "threshold", 
@@ -840,137 +610,102 @@ "version": 100 }, "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { - "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "sha256": "e4aac0fcc25bbc7121134faf7852704142d562d2c72bf9973c69b0dfd8d6046c", "type": "eql", "version": 4 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { - "min_stack_version": "8.3", "rule_name": "Azure External Guest User Invitation", "sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1", "type": "query", "version": 102 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { - "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) from the Internet", "sha256": "9b392ee77e47d008944419960e03112af84f3ccc7b043af0c2d16d636e610214", "type": "query", "version": 103 }, "14dab405-5dd9-450c-8106-72951af2391f": { - "min_stack_version": "8.3", "rule_name": "Office Test Registry Persistence", "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2", "type": "eql", "version": 3 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes User Exec into Pod", - "sha256": "3d39cfe20aef41ad7da949c25c18b33868177276c2c4ee9af234be4282e68392", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes User Exec into Pod", "sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9", "type": "query", "version": 203 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { - "min_stack_version": "8.3", "rule_name": "Potential Persistence via Time Provider Modification", "sha256": "d3adc721588e0ae5b24bc4f24e2615b84100397158efd20f6fa50212746fb697", "type": "eql", "version": 109 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { - "min_stack_version": "8.3", "rule_name": "Execution from a Removable Media with Network Connection", "sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4", "type": "eql", 
"version": 3 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { - "min_stack_version": "8.3", "rule_name": "Scheduled Task Execution at Scale via GPO", "sha256": "6bc3367c8bea5ce3680aa60ee8341e332dc12fe82786393e1b98fa8130a817c4", "type": "query", "version": 110 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { - "min_stack_version": "8.3", "rule_name": "Remote File Download via Desktopimgdownldr Utility", "sha256": "f31b60069f41b2547dfb226805c62256ec852c2b5ec5014524230d20ca42a646", "type": "eql", "version": 112 }, "15dacaa0-5b90-466b-acab-63435a59701a": { - "min_stack_version": "8.3", "rule_name": "Virtual Private Network Connection Attempt", "sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0", "type": "eql", "version": 107 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { - "min_stack_version": "8.8", "rule_name": "Potential Container Escape via Modified release_agent File", "sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3", "type": "eql", "version": 1 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { - "min_stack_version": "8.3", "rule_name": "Azure Automation Runbook Created or Modified", "sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633", "type": "query", "version": 102 }, "166727ab-6768-4e26-b80c-948b228ffc06": { - "min_stack_version": "8.3", "rule_name": "File Creation Time Changed", "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c", "type": "eql", "version": 5 }, "16904215-2c95-4ac8-bf5c-12354e047192": { - "min_stack_version": "8.3", "rule_name": "Potential Kerberos Attack via Bifrost", "sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d", "type": "query", "version": 106 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS IAM Group Creation", - "sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c", - "type": "query", - "version": 
105 - } - }, "rule_name": "AWS IAM Group Creation", "sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1", "type": "query", "version": 206 }, "16a52c14-7883-47af-8745-9357803f0d4c": { - "min_stack_version": "8.3", "rule_name": "Component Object Model Hijacking", "sha256": "0895ba08cf37c96cf8d9fa25aa47f21883cbb621246244853ae74168e9818f08", "type": "eql", "version": 113 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { - "min_stack_version": "8.3", "rule_name": "Startup/Logon Script added to Group Policy Object", "sha256": "59d27ffb2150faa1ebe4b4b332f29ed9b1a561166aa568c6b699a55de0aec81f", "type": "query", 
@@ -984,63 +719,54 @@ "version": 1 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Username", "sha256": "3f017bebc4cd49b96144c2c37d613353b9c74438bb528240c830a99a32537120", "type": "machine_learning", "version": 104 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Service", "sha256": "89e1fd74a24609ea12f4b8735c03de06e82fa5940400ce7cc3860d473e9f9b9a", "type": "machine_learning", "version": 103 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { - "min_stack_version": "8.3", "rule_name": "Suspicious Powershell Script", "sha256": "c3d4419ad9b4d398652f573451d61439143854032c964a86b28b44f63627d3d3", "type": "machine_learning", "version": 104 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "3e378c975b7684d44d468c1b90b70fd66198d70f52b1af31c2d9877e6e01cda5", "type": "machine_learning", "version": 103 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Remote User", "sha256": "83958e6d3f7ccbbbba3e4f0796b176f124604f15277f14ce33c142029d6c8ff9", "type": "machine_learning", "version": 103 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { - "min_stack_version": "8.6", "rule_name": "New Systemd Service Created by Previously Unknown Process", "sha256": "a5967e9202be0f4e0df4d0f82dfd5f067e8bc9eea60585cbc5664b744761966d", "type": "new_terms", "version": 9 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { - "min_stack_version": "8.3", "rule_name": "Renamed Utility Executed with Short Program Name", "sha256": "23f4030c21a08bb1eb019a328b8fe62aeea2683957f343f0399abdff84347b22", "type": "eql", "version": 109 }, "17e68559-b274-4948-ad0b-f8415bb31126": { - "min_stack_version": "8.3", "rule_name": "Unusual Network Destination Domain Name", "sha256": "d0d9eef72ecbbb7af63f2aa522abc13a4cba650dd6da7a17c6b37218c39c1fb8", "type": "machine_learning", 
"version": 103 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { - "min_stack_version": "8.3", "rule_name": "GCP Logging Sink Modification", "sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2", "type": "query", 
@@ -1053,169 +779,114 @@ "version": 100 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { - "min_stack_version": "8.9", "rule_name": "Spike in Number of Connections Made to a Destination IP", "sha256": "3e6623fdaad77b45863a2c6f198c7624d4b02fa0f1934011776802944a3348fb", "type": "machine_learning", "version": 3 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", "sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f", "type": "eql", "version": 4 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Rare AWS Error Code", - "sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Rare AWS Error Code", "sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec", "type": "machine_learning", "version": 208 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { - "min_stack_version": "8.9", "rule_name": "Spike in Number of Processes in an RDP Session", "sha256": "fc1329361d122f9fce2eca535c54dd0b8a1fee4f8d33775b225227e2d4084002", "type": "machine_learning", "version": 3 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { - "min_stack_version": "8.8", "rule_name": "Suspicious Network Tool Launched Inside A Container", "sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc", "type": "eql", "version": 2 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { - "min_stack_version": "8.3", "rule_name": "Azure Application Credential Modification", "sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a", "type": "query", "version": 102 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { - "min_stack_version": "8.3", "rule_name": "Execution of COM object via Xwizard", "sha256": "069735bb9cd4e472acbdcba371bd44bb50df1f225267d294773ac746e8ecc9e5", "type": 
"eql", "version": 109 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudTrail Log Suspended", "sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b", "type": "query", "version": 209 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { - "min_stack_version": "8.3", "rule_name": "User Account Creation", "sha256": "96534addae6874564d720b53fb0d2b7f621702dd58f3fdebb1d3c69a80f55abb", "type": "eql", "version": 109 }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { - "min_stack_version": "8.4", "rule_name": "Process Created with a Duplicated Token", "sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802", "type": "eql", "version": 3 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { - "min_stack_version": "8.3", "rule_name": "Connection to Internal Network via Telnet", "sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e", "type": "eql", "version": 107 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS ElastiCache Security Group Modified or Deleted", "sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d", "type": "query", "version": 206 }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { - "min_stack_version": "8.3", "rule_name": "Potential Internal Linux SSH Brute Force Detected", "sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516", "type": "eql", "version": 11 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { - 
"min_stack_version": "8.3", "rule_name": "Potential Process Injection from Malicious Document", "sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1", "type": "eql", "version": 2 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 211, - "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "bf4b6f557cbd3c0c009d3f0aa39401b563a920b2ed64f0d20ef86c9a95fc5e45", - "type": "query", - "version": 112 - } - }, "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", "type": "query", "version": 212 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { - "min_stack_version": "8.3", "rule_name": "Suspicious File Creation in /etc for Persistence", "sha256": "dde38b44453671943b7ae6cb4d6fef20e85307ac3723a158fe57ee96d8b1f29d", "type": "eql", "version": 113 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { - "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Rolebindings Created", "sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce", "type": "query", "version": 102 }, "1ca62f14-4787-4913-b7af-df11745a49da": { - "min_stack_version": "8.3", "rule_name": "New GitHub App Installed", "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", "type": "eql", "version": 1 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { - "min_stack_version": "8.3", "rule_name": "Incoming Execution via WinRM Remote Shell", "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a", "type": "eql", 
@@ -1229,49 +900,42 @@ "version": 2 }, "1d276579-3380-4095-ad38-e596a01bc64f": { - "min_stack_version": "8.3", "rule_name": "Remote File Download via Script Interpreter", "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed", "type": "eql", "version": 110 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { - "min_stack_version": "8.3", "rule_name": "External IP Lookup from Non-Browser Process", "sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433", "type": "eql", "version": 108 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", "sha256": "56bbf0cae42f67fdd41f149363a1891554948e2dbd182c1e0c9fed1a39f36100", "type": "query", "version": 6 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "sha256": "b09a3222c4eab9324474c30ec5eddb3cd13c0f86e3b9776fc690aa77d8fe9e9d", "type": "eql", "version": 109 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { - "min_stack_version": "8.4", "rule_name": "Suspicious Inter-Process Communication via Outlook", "sha256": "eb4c56089e3f5a64944ea09016b315e24d78a78381989d1d29939502318b82f1", "type": "eql", "version": 6 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { - "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by PDF Reader", "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d", "type": "eql", "version": 108 }, "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Hack Tool Launched", "sha256": "d83c19a46e9401aef5cd62ba06786de63e0ea6448479965630475a6b00667731", "type": "eql", 
@@ -1280,7 +944,7 @@ "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Discovery Capabilities", "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", 
@@ -1294,107 +958,84 @@ "version": 107 }, "1e0b832e-957e-43ae-b319-db82d228c908": { - "min_stack_version": "8.3", "rule_name": "Azure Storage Account Key Regenerated", "sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e", "type": "query", "version": 102 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { - "min_stack_version": "8.3", "rule_name": "Creation of a DNS-Named Record", "sha256": "9b97868151d1bdb1c5754a996d30cf988232f389c492b7f9132402adae176f75", "type": "eql", "version": 1 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { - "min_stack_version": "8.3", "rule_name": "Creation of SettingContent-ms Files", "sha256": "411958937e7a1d399c000c3ee9bc6e256d0b92a5aea3474e468b84f5991e8bed", "type": "eql", "version": 3 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0", "type": "new_terms", "version": 1 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { - "min_stack_version": "8.3", "rule_name": "Unusual Sudo Activity", "sha256": "aad0990989bfa63d159c45b28e23cec25bcdd6cb4054ad31584f085b1e38568c", "type": "machine_learning", "version": 103 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { - "min_stack_version": "8.3", "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762", "type": "query", "version": 8 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { - "min_stack_version": "8.3", "rule_name": "Unusual Process Execution on WBEM Path", "sha256": "3e850845c9653b3956dd9ccfe15415b8f6399a899dd58c87a592f2ae81b921de", "type": "eql", "version": 2 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux User Calling the Metadata Service", "sha256": "8eb47dead708d739318e797d2fac9c942978cd80eca1354c0063c15ff502adb9", "type": 
"machine_learning", "version": 103 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { - "min_stack_version": "8.3", "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "276423364d5b8bf0affee9f5efd056cba314fa27ef1d574a4ebe6f5b4e0e542e", "type": "eql", "version": 111 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { - "min_stack_version": "8.3", "rule_name": "Exploit - Detected - Elastic Endgame", "sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2", "type": "query", "version": 103 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { - "min_stack_version": "8.3", "rule_name": "Suspicious .NET Code Compilation", "sha256": "5fd6637d01d25848657a37779415e23778a84ee81a913351ee2bbb54701fe88a", "type": "eql", "version": 110 }, "202829f6-0271-4e88-b882-11a655c590d4": { - "min_stack_version": "8.3", "rule_name": "Executable Masquerading as Kernel Process", "sha256": "fa7e58294659262a26ba947cc59044854477a5a49edc98f0d6f896d91e1d9f6d", "type": "eql", "version": 2 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { - "min_stack_version": "8.3", "rule_name": "Creation or Modification of Root Certificate", "sha256": "a137b8929c8afb05318cec2dac421d5e03d1bba700cb7978151e0429bb7a6e53", "type": "eql", "version": 110 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Route 53 Domain Transferred to Another Account", "sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297", "type": "query", 
@@ -1403,7 +1044,7 @@ "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Access of Stored Browser Credentials", "sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563", @@ -1417,14 +1058,12 @@ "version": 207 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { - "min_stack_version": "8.3", "rule_name": "Werfault ReflectDebugger Persistence", "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982", "type": "eql", "version": 2 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { - "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Handle Access", "sha256": "407aa36a170976cc90021ba2e2b10b9d211b7142cb685d4fcdede10a65073287", "type": "eql", 
@@ -1437,137 +1076,102 @@ "version": 100 }, "210d4430-b371-470e-b879-80b7182aa75e": { - "min_stack_version": "8.3", "rule_name": "Mofcomp Activity", "sha256": "a7bd50e06e9eecee6eb4de339db9e9e7ffc5b08ce32a9bc2a119b2aa4f2fdf45", "type": "eql", "version": 2 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Child", "sha256": "cda609fdc97eb250f4f9c03ad3abf9c6760ae78ab03cc3f8fad23789f6ca8ade", "type": "eql", "version": 2 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "sha256": "8b83d7d20910ac09b5cd9f7b2e96a38f9b03f38f314ecf1f779637906818161b", "type": "new_terms", "version": 3 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { - "min_stack_version": "8.3", "rule_name": "Full User-Mode Dumps Enabled System-Wide", "sha256": "9252233dd00ddb80533d2b70ccda0987fc97cab21f4fe935dcb0806e07dc9354", "type": "eql", "version": 7 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "SSH Authorized Keys File Modification", - "sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c", - "type": "query", - "version": 104 - } - }, "rule_name": "SSH Authorized Keys File Modification", "sha256": "093ec92b83608b188904a800b2dc5dc20b93d5e0b11e10e6da27f754f44a18e0", "type": "new_terms", "version": 205 }, "22599847-5d13-48cb-8872-5796fee8692b": { - "min_stack_version": "8.3", "rule_name": "SUNBURST Command and Control Activity", "sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7", "type": "eql", "version": 108 }, "227dc608-e558-43d9-b521-150772250bae": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17", - "type": 
"query", - "version": 106 - } - }, "rule_name": "AWS S3 Bucket Configuration Deletion", "sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629", "type": "query", "version": 207 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { - "min_stack_version": "8.3", "rule_name": "Potential Shell via Web Server", "sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1", "type": "query", "version": 105 }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { - "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Permissions Modification", "sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604", "type": "query", "version": 104 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { - "min_stack_version": "8.3", "rule_name": "Kernel Module Load via insmod", "sha256": "3327b2f3c9c739028f181cd20b7cf3e768c7eae5f4363b478ef982fee21b8eb2", "type": "eql", "version": 109 }, "2377946d-0f01-4957-8812-6878985f515d": { - "min_stack_version": "8.9", "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", "sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4", "type": "eql", "version": 2 }, "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { - "min_stack_version": "8.6", "rule_name": "Unknown Execution of Binary with RWX Memory Region", "sha256": "b160874aab9501cba7d0344a3fcb2181a25f3d7a5067a23804bc3f8abb705dd1", "type": "new_terms", "version": 1 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { - "min_stack_version": "8.3", "rule_name": "New GitHub Owner Added", "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", "type": "eql", "version": 3 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { - "min_stack_version": "8.3", "rule_name": "Lateral Movement via Startup Folder", "sha256": "dcf5239bdf937bd790a721fc5c7fceea3af8c5377ce0b466359a5ebb23a57ed6", "type": "eql", "version": 108 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { - "min_stack_version": "8.3", "rule_name": "Potential PowerShell HackTool Script by 
Author", "sha256": "cbf8a4fc5c8f2ee86365483602e84f800fbd791c3e29fe467f20a6333d47dfc3", "type": "query", "version": 1 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Background Process", "sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5", "type": "eql", "version": 4 }, "25d917c4-aa3c-4111-974c-286c0312ff95": { - "min_stack_version": "8.6", "rule_name": "Network Activity Detected via Kworker", "sha256": "6169ab76be1ab1b6d165bc6e91e309957523da07f42cfa74c0b2eabc0fff457b", "type": "new_terms", 
@@ -1581,51 +1185,36 @@ "version": 1 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { - "min_stack_version": "8.3", "rule_name": "Potential Suspicious DebugFS Root Device Access", "sha256": "412a8490a6178fe02adf3eb8d88b4b119d8af57a0e8583ca4a61a6504c554ab5", "type": "eql", "version": 5 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { - "min_stack_version": "8.3", "rule_name": "Azure Blob Container Access Level Modification", "sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534", "type": "query", "version": 102 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { - "min_stack_version": "8.3", "rule_name": "Persistence via Update Orchestrator Service Hijack", "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800", "type": "eql", "version": 111 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { - "min_stack_version": "8.3", "rule_name": "Privileges Elevation via Parent Process PID Spoofing", "sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517", "type": "eql", "version": 7 }, "26edba02-6979-4bce-920a-70b080a7be81": { - "min_stack_version": "8.3", "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", "sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7", "type": "query", "version": 105 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "ab30e15051fb603800f933ba9b3f6539ac75a662fd2dfcbe66c8f7121c7608a9", - "type": "threshold", - "version": 107 - } - }, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", "sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633", "type": "threshold", 
@@ -1634,7 +1223,7 @@ "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Archive Compression Capabilities", "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", 
@@ -1648,60 +1237,36 @@ "version": 105 }, "2724808c-ba5d-48b2-86d2-0002103df753": { - "min_stack_version": "8.3", "rule_name": "Attempt to Clear Kernel Ring Buffer", "sha256": "b84e6128363d24d3503b13f1a618bc430f08140f5a82611c3c3e4f3a5271d2b5", "type": "eql", "version": 4 }, "272a6484-2663-46db-a532-ef734bf9a796": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "fbfde864c7e1f31e7fcfef374c9517e890a58223969f83a4c15fee6afb623353", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Transport Rule Modification", "sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e", "type": "query", "version": 206 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { - "min_stack_version": "8.3", "rule_name": "Incoming Execution via PowerShell Remoting", "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b", "type": "eql", "version": 109 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { - "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Modification", "sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf", "type": "query", "version": 104 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "94685626f0a0ed06951084baeb71eae9ec250c07e2ccd46be608e1f1321d5726", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Teams External Access Enabled", "sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56", "type": "query", "version": 206 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { - "min_stack_version": "8.3", "rule_name": "Account Password Reset Remotely", "sha256": "b3b4c980cf7d25e52dfb1d1cc53500ac0a87c2b13922dccaf6b9de0b389532e7", "type": "eql", 
@@ -1715,21 +1280,18 @@ "version": 1 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { - "min_stack_version": "8.3", "rule_name": "Account Discovery Command via SYSTEM Account", "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397", "type": "eql", "version": 111 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { - "min_stack_version": "8.3", "rule_name": "Exploit - Prevented - Elastic Endgame", "sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d", "type": "query", "version": 103 }, "28738f9f-7427-4d23-bc69-756708b5f624": { - "min_stack_version": "8.3", "rule_name": "Suspicious File Changes Activity Detected", "sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67", "type": "eql", 
@@ -1749,44 +1311,30 @@ "version": 2 }, "28d39238-0c01-420a-b77a-24e5a7378663": { - "min_stack_version": "8.3", "rule_name": "Sudo Command Enumeration Detected", "sha256": "70ed05b5053d1ac43542f1f8ffef64b0cfb2cb35c0a94eb8be86882438034320", "type": "eql", "version": 5 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { - "min_stack_version": "8.6", "rule_name": "Shell Configuration Modification", "sha256": "1082bfbb3e988caa2fc49527f3dcd4024a4657a591fb5edc4d08e2ba311ca62c", "type": "new_terms", "version": 1 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Security Group Configuration Change Detection", - "sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Security Group Configuration Change Detection", "sha256": "193c2c66e45942d40a519ed5a0c174f69daf4d7c4057ce0af2cc77baa1e9658c", "type": "query", "version": 206 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", "sha256": "f64dc97be4c992f52e4ecf99c9d964a2d99544bea2d8d33d80ba5e96d62d8f80", "type": "eql", "version": 112 }, "2917d495-59bd-4250-b395-c29409b76086": { - "min_stack_version": "8.3", "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc", "type": "eql", 
@@ -1795,14 +1343,7 @@ "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.12", "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3", - "type": "eql", - "version": 108 - }, - "8.6": { + "8.9": { "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", 
@@ -1823,148 +1364,96 @@ "version": 1 }, "29ef5686-9b93-433e-91b5-683911094698": { - "min_stack_version": "8.6", "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", "sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342", "type": "new_terms", "version": 1 }, "29f0cf93-d17c-4b12-b4f3-a433800539fa": { - "min_stack_version": "8.3", "rule_name": "Potential Linux SSH X11 Forwarding", "sha256": "359e41830e4fd4bfc9775176917b335b3c9188c05a983a056b52e796d20b6fd7", "type": "eql", "version": 3 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { - "min_stack_version": "8.3", "rule_name": "Potential Code Execution via Postgresql", "sha256": "8bfe7f061ea6409e5ec8657a58cc81d8fd705e930ef358d31347a1ee67035391", "type": "eql", "version": 6 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", - "sha256": "bd95cc69164fae41e991e31ae5435c01f2785e2c361dafea62766db0b0f66a10", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", "sha256": "2704808ccae32f5b44395171db755258b7e7a248df4bab32a33cddb2ac181df0", "type": "query", "version": 203 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { - "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Grep", "sha256": "7f6bc06878f5c089508b21b556ed4a227c059d655b54717af4863db317dd6504", "type": "eql", "version": 6 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { - "min_stack_version": "8.3", "rule_name": "Adobe Hijack Persistence", "sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d", "type": "eql", "version": 111 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { - "min_stack_version": "8.3", "rule_name": "Windows Defender Exclusions Added via PowerShell", "sha256": "df6ed2953eabd8c292df3200fc51dd9222b2c0c3fd5b9174f66efb61a28bcd5b", "type": "eql", "version": 110 }, 
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { - "min_stack_version": "8.3", "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", "sha256": "de455f667043e9cf42dd5fe4ac1a588f29bf04c9e5ac3c78bf84f5849ae48494", "type": "eql", "version": 109 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "Enumeration of Kernel Modules", - "sha256": "b3bad6443210cec62c090d0872efcafedb7565ac5fed882aa46afab6073c4e08", - "type": "eql", - "version": 105 - } - }, "rule_name": "Enumeration of Kernel Modules", "sha256": "4f8354117b7013f27de2b6338d831ecebb494b5dd5dc310f3d36de2e9df3e46e", "type": "new_terms", "version": 209 }, "2dd480be-1263-4d9c-8672-172928f6789a": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "9aa09b7a6367bc4d21531ae1e5860ac4f0f89b9a2331c0c63032d8fa85c753e5", - "type": "eql", - "version": 108 - } - }, "rule_name": "Suspicious Process Access via Direct System Call", "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328", "type": "eql", "version": 211 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { - "min_stack_version": "8.3", "rule_name": "Potential SSH-IT SSH Worm Downloaded", "sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c", "type": "eql", "version": 3 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "O365 Excessive Single Sign-On Logon Errors", - "sha256": "6aafdc4d1c33f41d82f7a067cce68c407f9cc905aa5f0bcee8e8a3626f89a88e", - "type": "threshold", - "version": 107 - } - }, "rule_name": "O365 Excessive Single Sign-On Logon Errors", "sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46", "type": "threshold", "version": 207 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { - 
"min_stack_version": "8.3", "rule_name": "Wireless Credential Dumping using Netsh Command", "sha256": "469f29380de3612562dd52d96cf08b2590670a1f0ed5c09882c3caa6420fc78f", "type": "eql", "version": 8 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { - "min_stack_version": "8.3", "rule_name": "Renamed AutoIt Scripts Interpreter", "sha256": "a23203b35000455d7e15f08f4aa4523ffb4cf37e6277c5ad2afff5dfb75f06d4", "type": "eql", "version": 110 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { - "min_stack_version": "8.3", "rule_name": "Potential Process Injection via PowerShell", "sha256": "81ff8ad3429868b3ae4e62b20cdf7861c5912ea5ea56a373eb053a9ba8cafb2d", "type": "query", "version": 110 }, "2e311539-cd88-4a85-a301-04f38795007c": { - "min_stack_version": "8.3", "rule_name": "Accessing Outlook Data Files", "sha256": "d2e5a15c87b68da8ded83c3f04fd1cc0b2f38a858d9d58825ea43aa5b4d13c9d", "type": "eql", 
@@ -1978,233 +1467,192 @@ "version": 1 }, "2e580225-2a58-48ef-938b-572933be06fe": { - "min_stack_version": "8.3", "rule_name": "Halfbaked Command and Control Beacon", "sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174", "type": "query", "version": 104 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { - "min_stack_version": "8.3", "rule_name": "Creation of a Hidden Local User Account", "sha256": "04e25e2a367da2d230efdd2c089caf2310ebc0b4555468d52654ae40cd73624f", "type": "eql", "version": 110 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { - "min_stack_version": "8.3", "rule_name": "GCP Kubernetes Rolebindings Created or Patched", "sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830", "type": "query", "version": 101 }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { - "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652", "type": "query", "version": 110 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { - "min_stack_version": "8.3", "rule_name": "Attempt to Disable Syslog Service", "sha256": "8780262dbf51119a57e1482fdc257e16b74e0e78063f08f70039f0e84bd8e10e", "type": "eql", "version": 109 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { - "min_stack_version": "8.3", "rule_name": "Suspicious /proc/maps Discovery", "sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93", "type": "eql", "version": 2 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { - "min_stack_version": "8.3", "rule_name": "Startup Folder Persistence via Unsigned Process", "sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813", "type": "eql", "version": 109 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { - "min_stack_version": "8.3", "rule_name": "Windows Defender Disabled via Registry Modification", "sha256": "c25dfc5c295e5fe0ef6c4bd03401308cc79d8069474d9a66e34a91f53a75d793", "type": "eql", "version": 111 }, 
"301571f3-b316-4969-8dd0-7917410030d3": { - "min_stack_version": "8.9", "rule_name": "Malicious Remote File Creation", "sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0", "type": "eql", "version": 1 }, "30562697-9859-4ae0-a8c5-dab45d664170": { - "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Creation", "sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e", "type": "query", "version": 104 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { - "min_stack_version": "8.5", "rule_name": "ESXI Timestomping using Touch Command", "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea", "type": "eql", "version": 8 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { - "min_stack_version": "8.3", "rule_name": "Suspicious Network Connection via Sudo Binary", "sha256": "7c7f71f10f08bbfa8f116046faf6e9487e82a654dc7c8ff4155bbb67fb267058", "type": "eql", "version": 2 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { - "min_stack_version": "8.3", "rule_name": "Agent Spoofing - Mismatched Agent ID", "sha256": "edb96a30a9a4b522b0f24c47e6c9e97132020bca3d111e9f0fb2478062ca5c46", "type": "query", "version": 101 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { - "min_stack_version": "8.3", "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", "sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446", "type": "query", "version": 104 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { - "min_stack_version": "8.3", "rule_name": "Bypass UAC via Event Viewer", "sha256": "e6a2af9522e0e9af476dbdd8aacdf56e95e20a452abd93a0bbd42f622856b52c", "type": "eql", "version": 112 }, "3202e172-01b1-4738-a932-d024c514ba72": { - "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Topic Deletion", "sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0", "type": "query", "version": 104 }, "32300431-c2d5-432d-8ec8-0e03f9924756": { - "min_stack_version": "8.6", "rule_name": "Network Connection from Binary 
with RWX Memory Region", "sha256": "2037bc6827adab74cd7f5d34cc9724885806f9d8b3ca6aad279ca53096b8b6f6", "type": "eql", "version": 1 }, "323cb487-279d-4218-bcbd-a568efe930c6": { - "min_stack_version": "8.3", "rule_name": "Azure Network Watcher Deletion", "sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a", "type": "query", "version": 102 }, "32923416-763a-4531-bb35-f33b9232ecdb": { - "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) to the Internet", "sha256": "7ca9c8daa861f8675fc6d90454ceb1fbbeb55621db753f0ffa615be1509581ea", "type": "query", "version": 103 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { - "min_stack_version": "8.3", "rule_name": "Program Files Directory Masquerading", "sha256": "8cec03274c88dea9a86f4cc7af3af538103fe9b253736b1c5dd81848830076fa", "type": "eql", "version": 109 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { - "min_stack_version": "8.3", "rule_name": "Suspicious MS Outlook Child Process", "sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3", "type": "eql", "version": 111 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS IAM User Addition to Group", - "sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS IAM User Addition to Group", "sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46", "type": "query", "version": 209 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { - "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Find", "sha256": "65285808d7e3a2abc4e4eafa9288e8e9c5d82f2dc7fd8f2cf160f7c224988f04", "type": "eql", "version": 6 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { - "min_stack_version": "8.3", "rule_name": "Remote File Download via PowerShell", "sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976", "type": "eql", "version": 110 
}, "342f834b-21a6-41bf-878c-87d116eba3ee": { - "min_stack_version": "8.8", "rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container", "sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6", "type": "eql", "version": 1 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { - "min_stack_version": "8.3", "rule_name": "GitHub Repository Deleted", "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", "type": "eql", "version": 2 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { - "min_stack_version": "8.3", "rule_name": "Accepted Default Telnet Port Connection", "sha256": "5a1c81a6f5119308ed2c419c07cd7d61610c4bf863351341f4f1c5c3d54644b1", "type": "query", "version": 104 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { - "min_stack_version": "8.3", "rule_name": "Execution via Electron Child Process Node.js Module", "sha256": "e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934", "type": "query", "version": 106 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { - "min_stack_version": "8.3", "rule_name": "Port Forwarding Rule Addition", "sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd", "type": "eql", "version": 110 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { - "min_stack_version": "8.9", "rule_name": "Spike in Bytes Sent to an External Device", "sha256": "67a35f156241abf955e83450c9f9e4de70743aa2b982ae6e96fe95b1734847ac", "type": "machine_learning", "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { - "min_stack_version": "8.3", "rule_name": "Unusual Parent-Child Relationship", "sha256": "1984aac08fb341387ffbc60fed85f41724c02408e79a0837eebfaff0eea168c3", "type": "eql", "version": 111 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { - "min_stack_version": "8.3", "rule_name": "Network Traffic to Rare Destination Country", "sha256": "599670166b519587f8e2c8712aaec4839a9edfbd71f94eef4d3ca35a4bff8e82", "type": "machine_learning", 
@@ -2217,51 +1665,36 @@ "version": 100 }, "3688577a-d196-11ec-90b0-f661ea17fbce": { - "min_stack_version": "8.3", "rule_name": "Process Started from Process ID (PID) File", "sha256": "299fc2aae27ca710fe1c8e92af61046ea6040c245173fc7572644fa2aa4a9b1e", "type": "eql", "version": 109 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { - "min_stack_version": "8.3", "rule_name": "Suspicious ImagePath Service Creation", "sha256": "dd157344f60c0f8cdf534de6a25fd8ec70ae6b174250971f224102c56b1ed3d2", "type": "eql", "version": 107 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { - "min_stack_version": "8.9", "rule_name": "High Mean of Process Arguments in an RDP Session", "sha256": "9fa7888003d814e16febe8363b55e5c5d98fbebc187b1134b988a70bfa227457", "type": "machine_learning", "version": 3 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { - "min_stack_version": "8.3", "rule_name": "Potential Suspicious File Edit", "sha256": "ad661308418ae98d99acfbe93160fc7b79bd560af7e212b8b2d582ca93665254", "type": "eql", "version": 4 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Security Group Creation", - "sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Security Group Creation", "sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0", "type": "query", "version": 206 }, "37994bca-0611-4500-ab67-5588afe73b77": { - "min_stack_version": "8.3", "rule_name": "Azure Active Directory High Risk Sign-in", "sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a", "type": "query", 
@@ -2274,16 +1707,6 @@ "version": 100 }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS Execution via System Manager", - "sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS Execution via System Manager", "sha256": "5262f35d3a77b7ea661f2c08269986f36b47c9e01836ec71acf45e6f3653b88e", "type": "query", @@ -2292,7 +1715,7 @@ "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Finder Sync Plugin Registered and Enabled", "sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598", @@ -2308,7 +1731,7 @@ "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2", 
@@ -2322,81 +1745,54 @@ "version": 207 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { - "min_stack_version": "8.3", "rule_name": "Network Connection via Certutil", "sha256": "6f47f5ed6240c55d50a34719a69f8cc06e2e1a96b3d7dbf8caed23d34f6fb612", "type": "eql", "version": 111 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { - "min_stack_version": "8.7", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "5b889bbfa953251d11d08f3f3b13847eb4b5f05777c8cc9d80806943bc1e3d08", - "type": "eql", - "version": 107 - } - }, "rule_name": "Prompt for Credentials with OSASCRIPT", "sha256": "3032a13d5103580a7a71c386fb3b0871d65a29e3b195d7c15ef594679579b277", "type": "eql", "version": 207 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { - "min_stack_version": "8.3", "rule_name": "User Added as Owner for Azure Service Principal", "sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f", "type": "query", "version": 102 }, "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "External User Added to Google Workspace Group", "sha256": "5b576006ba63579d8d410c1b6a505b7129e0e534887b142f08e9778bab82d1a1", "type": "eql", "version": 2 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EC2 Network Access Control List Creation", "sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee", "type": "query", "version": 206 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { - "min_stack_version": "8.3", "rule_name": "Downloaded Shortcut Files", "sha256": "a78fe7706bba28d2e8916c6285d2aa614ab127534029912e8e9ad9ab133792dc", "type": "eql", "version": 2 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { - 
"min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Outlook VBA", "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3", "type": "eql", "version": 107 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { - "min_stack_version": "8.3", "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "4a18eb2fad582229c98d6a037fd50e8c8c1ce71cc2a6442d5f73f60435460035", "type": "eql", "version": 110 }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { - "min_stack_version": "8.3", "rule_name": "Suspicious Module Loaded by LSASS", "sha256": "b774f07509146c401d27897d918bded4c1725c4bf5e8b457e9a749116e912d1f", "type": "eql", 
@@ -2409,56 +1805,48 @@ "version": 100 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { - "min_stack_version": "8.3", "rule_name": "VNC (Virtual Network Computing) to the Internet", "sha256": "75c83bc25b63f6d009bfaa4c5ad8ac726f34d8463a71addc994107e75c6f41e3", "type": "query", "version": 104 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { - "min_stack_version": "8.3", "rule_name": "Azure Full Network Packet Capture Detected", "sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d", "type": "query", "version": 103 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a", "type": "new_terms", "version": 1 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { - "min_stack_version": "8.3", "rule_name": "Malware - Prevented - Elastic Endgame", "sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442", "type": "query", "version": 103 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { - "min_stack_version": "8.3", "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f", "type": "eql", "version": 110 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { - "min_stack_version": "8.3", "rule_name": "NTDS or SAM Database File Copied", "sha256": "9b7f98ccce2835bb0f4a66f0d771402a60aa80c0516f3c461f25258464d92dde", "type": "eql", "version": 112 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Port Activity", "sha256": "a2800c6cc225debfe9958195da944e5b1ead6405ccad4dac405b7e7d337dade9", "type": "machine_learning", "version": 103 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { - "min_stack_version": "8.3", "rule_name": "ScreenConnect Server Spawning Suspicious Processes", "sha256": "b8cf058fc04d31b542a9af0b67afca6876cd61ca3cbae997f11f1750d0e5c24c", "type": "eql", 
@@ -2467,7 +1855,7 @@ "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Log Clear Capabilities", "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", 
@@ -2481,197 +1869,138 @@ "version": 105 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudTrail Log Updated", - "sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudTrail Log Updated", "sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262", "type": "query", "version": 209 }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { - "min_stack_version": "8.9", "rule_name": "Spike in Number of Connections Made from a Source IP", "sha256": "e0f94b4cfe4ca344a1904651585a27509c31993709b1767adc5d92d1e020eb62", "type": "machine_learning", "version": 3 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Windows Subsystem for Linux", "sha256": "2a6df6ecfdcec0cacd6cd3fbe669354f173ae5e52c45c067290621e97758d904", "type": "eql", "version": 6 }, "3e12a439-d002-4944-bc42-171c0dcb9b96": { - "min_stack_version": "8.3", "rule_name": "Kernel Driver Load", "sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc", "type": "eql", "version": 4 }, "3e3d15c6-1509-479a-b125-21718372157e": { - "min_stack_version": "8.3", "rule_name": "Suspicious Emond Child Process", "sha256": "7d78dc70f6217f921486f43f26839cb0fe33c9dcd5bfc983e0a3117ce260f1db", "type": "eql", "version": 106 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { - "min_stack_version": "8.3", "rule_name": "Potential Remote File Execution via MSIEXEC", "sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684", "type": "eql", "version": 3 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { - "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Named Pipe Impersonation", "sha256": "f7be2ac3e9aac82f91122e2416bba98480072d50a299c9fb593ea60bf876b8d8", "type": "eql", "version": 110 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { - 
"min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "ef3b36cfe9937ac9e94d85f43e7c8d1eb725f6edec2353a6c3df2745f5d06fbb", - "type": "eql", - "version": 107 - } - }, "rule_name": "Suspicious Process Creation CallTrace", "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927", "type": "eql", "version": 208 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", - "sha256": "6f5fb726f163898f2ca5b0b8de75a346cda8451de239adb986ada4f3128b4c67", - "type": "threshold", - "version": 107 - } - }, "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", "sha256": "3ee6a597bfe462c8b9132d7ca83768025a28634b18c009db462cb0c3bd7bfe39", "type": "threshold", "version": 207 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { - "min_stack_version": "8.3", "rule_name": "CyberArk Privileged Access Security Error", "sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a", "type": "query", "version": 102 }, "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { - "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Client", "sha256": "506ac5257e3fbd5947ce89f51b4a1154eea0e4245f3b8d26f1579ed36d7de792", "type": "eql", "version": 5 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { - "min_stack_version": "8.3", "rule_name": "Binary Executed from Shared Memory Directory", "sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d", "type": "eql", "version": 110 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { - "min_stack_version": "8.3", "rule_name": "Process Discovery via Built-In Applications", "sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07", "type": "eql", "version": 3 }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { - "min_stack_version": 
"8.9", "rule_name": "Unusual Time or Day for an RDP Session", "sha256": "2d41f9c292e0cfb545738b9fefb92890c35a74f559c525d8882ff69abb589281", "type": "machine_learning", "version": 3 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { - "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a User", "sha256": "605a890392cba9a22d8ca7c2285cf0fe0e562dfeccb201126b50540f02b6567b", "type": "machine_learning", "version": 4 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { - "min_stack_version": "8.3", "rule_name": "GitHub User Blocked From Organization", "sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6", "type": "eql", "version": 1 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { - "min_stack_version": "8.3", "rule_name": "Unusual Persistence via Services Registry", "sha256": "ff437c6e2c47619b352ee9e1a2afc7a9efc07196a586924803b1daaf14e3c9d6", "type": "eql", "version": 108 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 102, - "rule_name": "Suspicious Modprobe File Event", - "sha256": "57d346776e2d53dc371be91bf8eee48d1a5551497057024f0cba657e1b22f6d0", - "type": "eql", - "version": 4 - } - }, "rule_name": "Suspicious Modprobe File Event", "sha256": "2a6caaea58f921647c925b776c5a3263205f0e14402adfb96fe9784742822f0c", "type": "new_terms", "version": 107 }, "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { - "min_stack_version": "8.3", "rule_name": "Unix Socket Connection", "sha256": "3205e8361a1f086b49b3af871c969ed11481015e0dff4ac8a9a0d72db9843e22", "type": "eql", "version": 2 }, "416697ae-e468-4093-a93d-59661fa619ec": { - "min_stack_version": "8.3", "rule_name": "Control Panel Process with Unusual Arguments", "sha256": "aa2506ef37c17be2ee06aaebfabb669748b8247f50e0664debb0e789db74ca71", "type": "eql", "version": 111 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": 
"a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d", "type": "new_terms", "version": 1 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { - "min_stack_version": "8.3", "rule_name": "EggShell Backdoor Execution", "sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb", "type": "query", "version": 103 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { - "min_stack_version": "8.3", "rule_name": "Potential Hidden Local User Account Creation", "sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a", "type": "query", @@ -2685,7 +2014,6 @@ "version": 1 }, "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { - "min_stack_version": "8.8", "rule_name": "Interactive Exec Command Launched Against A Running Container", "sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063", "type": "eql", @@ -2694,7 +2022,7 @@ "42bf698b-4738-445b-8231-c834ddefd8a0": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "882dcaea90df31c2153dbabfb17dc21bcc8f8866c862b5a02c20026eac301621", 
@@ -2708,126 +2036,108 @@ "version": 208 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { - "min_stack_version": "8.3", "rule_name": "Process Creation via Secondary Logon", "sha256": "02389fa2b314a4c1b09a7516f22580f4b91f255f5f87e61cad90039acb6a26b0", "type": "eql", "version": 9 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { - "min_stack_version": "8.3", "rule_name": "Unusual Login Activity", "sha256": "178b730df2f0523fca5d50f1c7bfb91a3b574b4d6bfa9a475d11d6208ef93b2c", "type": "machine_learning", "version": 103 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { - "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: No User Agent", "sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919", "type": "query", "version": 101 }, "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": { - "min_stack_version": "8.3", "rule_name": "Linux User Added to Privileged Group", "sha256": "3d53c3cf46875865535f808e7c6c2ef22a6d516d653fd23e37c8faaf4d477438", "type": "eql", "version": 6 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { - "min_stack_version": "8.3", "rule_name": "Startup Persistence by a Suspicious Process", "sha256": "83d79f7e35b069d84ce239901a6f3aaabd224e0494355f02c61e2650de4099c6", "type": "eql", "version": 110 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Path Activity", "sha256": "0c0dc0204bae57db331547a95b8be8a1a7a915fd32f0e9ed199b109a8418db7e", "type": "machine_learning", "version": 104 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { - "min_stack_version": "8.3", "rule_name": "Potential Masquerading as VLC DLL", "sha256": "d9597f07d834346b49d0ec5d44b690415e313ac8d159ee72e5fa8335fd7e85fb", "type": "eql", "version": 3 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { - "min_stack_version": "8.3", "rule_name": "Multiple Vault Web Credentials Read", "sha256": "24ee5dd513d2411aadcf6700b279d44bb0d803d6514f3d920e7071076e34d242", "type": "eql", "version": 10 }, "453183fa-f903-11ee-8e88-f661ea17fbce": { - 
"min_stack_version": "8.9", "rule_name": "Route53 Resolver Query Log Configuration Deleted", "sha256": "98d3f47b38a2e490eb32fe435fb1a3cdc74636dabc5fe7a97b731551b87ec8cd", "type": "query", "version": 1 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { - "min_stack_version": "8.3", "rule_name": "Permission Theft - Prevented - Elastic Endgame", "sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a", "type": "query", "version": 103 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { - "min_stack_version": "8.3", "rule_name": "Windows Event Logs Cleared", "sha256": "fc09cce15ed08c912228c02d8c8a913febbcfde1263a2410a281a5b780cbc1bd", "type": "query", "version": 108 }, "45d273fb-1dca-457d-9855-bcb302180c21": { - "min_stack_version": "8.3", "rule_name": "Encrypting Files with WinRar or 7z", "sha256": "b3b214a87a2d7efdda2a6e79454b84fdbae8dbfdb3834d1b51bdc0524f4e0b41", "type": "eql", "version": 111 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { - "min_stack_version": "8.3", "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "f28a8d21784231d74baa3c2c1bc50c52047b904b90baf5f454eff45f52d1ca07", "type": "eql", "version": 111 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { - "min_stack_version": "8.3", "rule_name": "Potential Local NTLM Relay via HTTP", "sha256": "532a6ef376ad303e213a6c18952dbfd541118f748ed30402beff2be0870e927f", "type": "eql", "version": 109 }, "46f804f5-b289-43d6-a881-9387cf594f75": { - "min_stack_version": "8.3", "rule_name": "Unusual Process For a Linux Host", "sha256": "5fbea0760b51ff40b45435e9978a27fd21ee1b2a9792c2892ca01cc45f6dc782", "type": "machine_learning", "version": 104 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { - "min_stack_version": "8.6", "rule_name": "Potential Persistence Through init.d Detected", "sha256": "cd769b23546bc7c66a492fb80d7c336f31823e527982f3185a9ad7b4c3686ee1", "type": "new_terms", "version": 9 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { - "min_stack_version": "8.8", "rule_name": "Sensitive Files Compression 
Inside A Container", "sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939", "type": "eql", "version": 2 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { - "min_stack_version": "8.3", "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", "sha256": "78feac62454588684cd56fc409cf666bba314b8537b67f5c8c1ee01afada874f", "type": "eql", 
@@ -2840,244 +2150,186 @@ "version": 100 }, "47f76567-d58a-4fed-b32b-21f571e28910": { - "min_stack_version": "8.3", "rule_name": "Apple Script Execution followed by Network Connection", "sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a", "type": "eql", "version": 106 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { - "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "daa833de111fdd82adf05f6795ee87754f8dd5a0631fdc3857995779eeb0743e", "type": "eql", "version": 109 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { - "min_stack_version": "8.8", - "previous": { - "8.6": { - "max_allowable_version": 104, - "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", - "sha256": "fadad966a91f932ed17c91f28dccd142d23d55cd4ae7ea7c57bdd1571b0c95ea", - "type": "new_terms", - "version": 5 - } - }, "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", "sha256": "25daf6eb0539fcc0694b22088a27dd0f67fcba06669cc69450e34b994cc642ea", "type": "new_terms", "version": 105 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell", "sha256": "d2d12619cc88da5d442a1f223e4ccf1cdb06d037c5ab3440a7814cb9d6b11736", "type": "eql", "version": 8 }, "48b6edfc-079d-4907-b43c-baffa243270d": { - "min_stack_version": "8.3", "rule_name": "Multiple Logon Failure from the same Source Address", "sha256": "9ab25d365ce5c55e8b3447548326215241c5e3e269772cfda3d53460a796bd70", "type": "eql", "version": 9 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { - "min_stack_version": "8.3", "rule_name": "Unexpected Child Process of macOS Screensaver Engine", "sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312", "type": "eql", "version": 107 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { - "min_stack_version": "8.3", "rule_name": "Potential Persistence via Periodic Tasks", "sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6", 
"type": "query", "version": 106 }, "48f657ee-de4f-477c-aa99-ed88ee7af97a": { - "min_stack_version": "8.3", "rule_name": "Remote XSL Script Execution via COM", "sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc", "type": "eql", "version": 3 }, "493834ca-f861-414c-8602-150d5505b777": { - "min_stack_version": "8.3", "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", "sha256": "6928326257c9c13a06c0f1b72217966aa1141319570100427a2bc9edc41964c0", "type": "threshold", "version": 101 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Backdoor User Account Creation", "sha256": "13db3c2d1fc38751e03a07125ee9720d077032ecc780b0474951dcffa438ece8", "type": "eql", "version": 6 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Application Removed from Blocklist in Google Workspace", - "sha256": "e61b1bbcf81ae0a39c5740592307709fdd354ac9c7ca1cff724f403f2683e67e", - "type": "query", - "version": 5 - } - }, "rule_name": "Application Removed from Blocklist in Google Workspace", "sha256": "458d45e2d4ec3ad54e104516c1bf827f241392740f457d0b358ed439cea466f4", "type": "query", "version": 106 }, "4973e46b-a663-41b8-a875-ced16dda2bb0": { - "min_stack_version": "8.6", "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", "sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7", "type": "eql", "version": 3 }, "4982ac3e-d0ee-4818-b95d-d9522d689259": { - "min_stack_version": "8.3", "rule_name": "Process Discovery Using Built-in Tools", "sha256": "3760e37b4f14a48147ffb42a0e6ac8615c7a41564dcffc483719244adf4aac52", "type": "eql", "version": 4 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { - "min_stack_version": "8.3", "rule_name": "Possible FIN7 DGA Command and Control Behavior", "sha256": "42113dd49a2b2df45e90301ac64feac172a5fe2d5ae21baddb22e62943b28082", 
"type": "query", "version": 105 }, "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { - "min_stack_version": "8.3", "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", "sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea", "type": "eql", "version": 5 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { - "min_stack_version": "8.3", "rule_name": "Potential Cross Site Scripting (XSS)", "sha256": "0ddba68a65a560e542542a531d9b0222a706b62e38442f5afb342b989f8d70fa", "type": "eql", "version": 1 }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { - "min_stack_version": "8.3", "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", "sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982", "type": "eql", "version": 6 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { - "min_stack_version": "8.3", "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "b071ea55c3cd817e5aec99970cd493053e2b94783f1aafb56e89004674a69b22", "type": "eql", "version": 110 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { - "min_stack_version": "8.8", "rule_name": "Container Workload Protection", "sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24", "type": "query", "version": 4 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { - "min_stack_version": "8.3", "rule_name": "ProxyChains Activity", "sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3", "type": "eql", "version": 4 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { - "min_stack_version": "8.9", "rule_name": "Unusual Process Writing Data to an External Device", "sha256": "3659127431f2145c49922aa110bbe7be12f4776825ee1a24f2409945b3f414f0", "type": "machine_learning", "version": 3 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { - "min_stack_version": "8.3", "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45", "type": "eql", "version": 109 }, 
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { - "min_stack_version": "8.3", "rule_name": "PowerShell Share Enumeration Script", "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1", "type": "query", "version": 9 }, "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { - "min_stack_version": "8.3", "rule_name": "Kernel Load or Unload via Kexec Detected", "sha256": "8cdb4afadd73272dc07ee9b31b8a8f1e2ab6d9ba07e75a228d827eb5cedf236e", "type": "eql", "version": 6 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "09c72f469d0aca040785500480c6c4086070ace209803e2f0b4f1d79de394a3f", - "type": "threshold", - "version": 106 - } - }, "rule_name": "AWS Management Console Brute Force of Root User Identity", "sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1", "type": "threshold", "version": 207 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { - "min_stack_version": "8.3", "rule_name": "Attempt to Disable Gatekeeper", "sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba", "type": "query", "version": 106 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { - "min_stack_version": "8.3", "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", "sha256": "8bf850df70b51fc76b714e18cd7a173376cb3f8b205d59d19bf4656ff704fada", "type": "eql", "version": 112 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { - "min_stack_version": "8.3", "rule_name": "Multiple Logon Failure Followed by Logon Success", "sha256": "8ed9b11012b3ceb54e839102d8ba6f90c8bc6f8e9c7d2069f8c01d504d8b13ce", "type": "eql", "version": 10 }, "4ec47004-b34a-42e6-8003-376a123ea447": { - "min_stack_version": "8.3", "rule_name": "Suspicious Process Spawned from MOTD Detected", "sha256": "5c74f520f2356f579a86fc666a87af41bd62c8e52f1edc1521b9f7bd58b3f461", "type": "eql", "version": 8 }, 
"4ed493fc-d637-4a36-80ff-ac84937e5461": { - "min_stack_version": "8.3", "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "46dc5171e6385fc71511dfe5c62bbfb3d211317614112565e2dbd8a177803a7b", "type": "eql", "version": 111 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { - "min_stack_version": "8.3", "rule_name": "Suspicious Script Object Execution", "sha256": "604ff31b37bb88ec61794d51e66317597ae32e1b24ffcd6bc110afddaf9259ed", "type": "eql", @@ -3086,7 +2338,7 @@ "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8", @@ -3107,7 +2359,6 @@ "version": 1 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { - "min_stack_version": "8.3", "rule_name": "Execution via TSClient Mountpoint", "sha256": "7e36c4f41ffd47e55fb0504fb3dee66108c384d0a06ec60f2c6de1e2b5d702ef", "type": "eql", 
@@ -3121,109 +2372,78 @@ "version": 2 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { - "min_stack_version": "8.3", "rule_name": "Windows System Information Discovery", "sha256": "e7f81d69a9300bde47134faf67e74e663bf52d62682494acfafebc8afa114273", "type": "eql", "version": 4 }, "5124e65f-df97-4471-8dcb-8e3953b3ea97": { - "min_stack_version": "8.3", "rule_name": "Hidden Files and Directories via Hidden Flag", "sha256": "997601d0253b1c3fc65712c6e0e2784ffba03a5f7b3926a5cf5e183aea3006d7", "type": "eql", "version": 2 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { - "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppCert DLL", "sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1", "type": "eql", "version": 108 }, "514121ce-c7b6-474a-8237-68ff71672379": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "a5c1852e0f0b5d54d522bc9d34146368b3966050fdbb0b514ad8a5c883a865c3", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87", "type": "query", "version": 206 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { - "min_stack_version": "8.3", "rule_name": "GCP Logging Sink Deletion", "sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827", "type": "query", "version": 104 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { - "min_stack_version": "8.3", "rule_name": "Tainted Out-Of-Tree Kernel Module Load", "sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa", "type": "query", "version": 2 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { - "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", "type": "eql", "version": 108 }, 
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { - "min_stack_version": "8.3", "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", "sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325", "type": "eql", "version": 7 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS GuardDuty Detector Deletion", "sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce", "type": "query", "version": 206 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { - "min_stack_version": "8.3", "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", "sha256": "1bda048bcd9c1bf57b4b123d710a6c78eb505e8a06f8d13ced365be3a3abfa5d", "type": "eql", "version": 112 }, "5297b7f1-bccd-4611-93fa-ea342a01ff84": { - "min_stack_version": "8.3", "rule_name": "Execution via Microsoft DotNet ClickOnce Host", "sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7", "type": "eql", "version": 1 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { - "min_stack_version": "8.3", "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", "type": "eql", "version": 109 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Activity", "sha256": "17357496d0db27a4d0ccddae1c436a5239eced079e597b6deaf8b586add984e7", "type": "machine_learning", 
@@ -3242,37 +2462,24 @@ "version": 100 }, "530178da-92ea-43ce-94c2-8877a826783d": { - "min_stack_version": "8.3", "rule_name": "Suspicious CronTab Creation or Modification", "sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab", "type": "eql", "version": 106 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { - "min_stack_version": "8.6", "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "sha256": "f88c3c6d45fbe0bb6e1869423ab9e7667f5019abcead82c85039f1775a2b37ca", "type": "new_terms", "version": 8 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EFS File System or Mount Deleted", "sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990", "type": "query", "version": 206 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { - "min_stack_version": "8.3", "rule_name": "Azure Diagnostic Settings Deletion", "sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2", "type": "query", @@ -3286,21 +2493,18 @@ "version": 4 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { - "min_stack_version": "8.3", "rule_name": "Suspicious PDF Reader Child Process", "sha256": "e67568b9c981e928c8780997ad8a1ad3532c6816c7ba4e0eaf9b8b18c5f3923b", "type": "eql", "version": 110 }, "53dedd83-1be7-430f-8026-363256395c8b": { - "min_stack_version": "8.3", "rule_name": "Binary Content Copy via Cmd.exe", "sha256": "5932e2f55f6f1e70ca53785865b24d7c502633270fe5df05d898167c0c36ab43", "type": "eql", "version": 3 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { - "min_stack_version": "8.3", "rule_name": "Uncommon Registry Persistence Change", "sha256": "62ae21bef70ecd1965d7f2e666f067077780c120bcbef93083911dea04b33b17", "type": "eql", 
@@ -3309,7 +2513,7 @@ "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", @@ -3323,35 +2527,30 @@ "version": 108 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { - "min_stack_version": "8.3", "rule_name": "Network Logon Provider Registry Modification", "sha256": "c432bc081898b9f4cbbf9aca1bfde2c778015db0534e78dddccc213f25c9ed59", "type": "eql", "version": 109 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { - "min_stack_version": "8.3", "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "522f9edf21b4768c2f43e0e448fb38e2603d76177730b764dd66e50b145aa56c", "type": "query", "version": 108 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { - "min_stack_version": "8.3", "rule_name": "PsExec Network Connection", "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", "type": "eql", "version": 109 }, "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { - "min_stack_version": "8.3", "rule_name": "Windows Installer with Suspicious Properties", "sha256": "ef9f5b3f0202dcd4e752c19f9ee8c807b55c72c653b8e1fa0399b2a0408c8753", "type": "eql", "version": 1 }, "56004189-4e69-4a39-b4a9-195329d226e9": { - "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a Host", "sha256": "60181e72437ae398200e9082d83f05217fb1a24754604f6147a583f83048b853", "type": "machine_learning", @@ -3365,7 +2564,6 @@ "version": 1 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { - "min_stack_version": "8.3", "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "aac24b839c4f5e1399effca0ee9a8800cd8ceebd4467a9a2785fab8cf4ae6576", "type": "query", 
@@ -3374,7 +2572,7 @@ "565c2b44-7a21-4818-955f-8d4737967d2e": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Potential Admin Group Account Addition", "sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4", @@ -3388,14 +2586,12 @@ "version": 206 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { - "min_stack_version": "8.3", "rule_name": "Dumping of Keychain Content via Security Command", "sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb", "type": "eql", "version": 107 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { - "min_stack_version": "8.3", "rule_name": "GCP Logging Bucket Deletion", "sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a", "type": "query", @@ -3404,7 +2600,7 @@ "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", 
@@ -3418,218 +2614,156 @@ "version": 210 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 101, - "rule_name": "Execution of an Unsigned Service", - "sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc", - "type": "eql", - "version": 2 - } - }, "rule_name": "Execution of an Unsigned Service", "sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9", "type": "new_terms", "version": 105 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { - "min_stack_version": "8.3", "rule_name": "VNC (Virtual Network Computing) from the Internet", "sha256": "08484b01efb6cd6e700e6ac39d1766a24491ac8d9aee3de5719c03ee0e204a06", "type": "query", "version": 104 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { - "min_stack_version": "8.3", "rule_name": "Credential Dumping - Detected - Elastic Endgame", "sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234", "type": "query", "version": 103 }, "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { - "min_stack_version": "8.3", "rule_name": "Azure Virtual Network Device Modified or Deleted", "sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762", "type": "query", "version": 102 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { - "min_stack_version": "8.3", "rule_name": "PowerShell MiniDump Script", "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b", "type": "query", "version": 108 }, "57bccf1d-daf5-4e1a-9049-ff79b5254704": { - "min_stack_version": "8.3", "rule_name": "File Staged in Root Folder of Recycle Bin", "sha256": "8529bac526d51a184db69b13d9f15bf676bc2b0c6152f40ae73019f4dc20c408", "type": "eql", "version": 3 }, "581add16-df76-42bb-af8e-c979bfb39a59": { - "min_stack_version": "8.3", "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "abc7e66357468013a69f39627f5e9976245ba741d55515881174e59942bf5edc", "type": "eql", "version": 111 }, 
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": { - "min_stack_version": "8.3", "rule_name": "RDP Enabled via Registry", "sha256": "509028755d9bbaaabe41c984eebff548de67f107f346e42b1b4ee27cd12d5fdb", "type": "eql", "version": 111 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { - "min_stack_version": "8.3", "rule_name": "Zoom Meeting with no Passcode", "sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff", "type": "query", "version": 103 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { - "min_stack_version": "8.3", "rule_name": "Potential Lateral Tool Transfer via SMB Share", "sha256": "09b2312a59b33f13a4be41c88d7b5a3177bc1c158c0fa3c8118d4f33d7ccfe08", "type": "eql", "version": 108 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", "sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13", "type": "eql", "version": 111 }, "5919988c-29e1-4908-83aa-1f087a838f63": { - "min_stack_version": "8.3", "rule_name": "File or Directory Deletion Command", "sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a", "type": "eql", "version": 3 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "O365 Email Reported by User as Malware or Phish", - "sha256": "6f1117902fd841998a715673511a3831fe99e7a953113854fd094e8aaf57d935", - "type": "query", - "version": 106 - } - }, "rule_name": "O365 Email Reported by User as Malware or Phish", "sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef", "type": "query", "version": 206 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "AWS CloudTrail Log Created", - "sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26", - "type": "query", - "version": 106 - } - }, 
"rule_name": "AWS CloudTrail Log Created", "sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7", "type": "query", "version": 207 }, "59756272-1998-4b8c-be14-e287035c4d10": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux User Discovery Activity", "sha256": "f22f060fba5f9de2376d38ce5ced5885370cdee60ce06026422199c3d3636225", "type": "machine_learning", "version": 104 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4", "type": "eql", "version": 109 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Java", "sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1", "type": "eql", "version": 8 }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { - "min_stack_version": "8.3", "rule_name": "Potential Chroot Container Escape via Mount", "sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc", "type": "eql", "version": 2 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { - "min_stack_version": "8.3", "rule_name": "Remote SSH Login Enabled via systemsetup Command", "sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058", "type": "query", "version": 106 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { - "min_stack_version": "8.3", "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", "type": "eql", "version": 109 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { - "min_stack_version": "8.3", "rule_name": "Virtual Machine Fingerprinting", "sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2", "type": "query", "version": 108 }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { - "min_stack_version": "8.3", "rule_name": "SUID/SGUID Enumeration Detected", 
"sha256": "9374dc2038bb7999021a8e926287cd2cda2bd1abfa06f2f01d0af8be01679b40", "type": "eql", "version": 5 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { - "min_stack_version": "8.3", "rule_name": "Suspicious which Enumeration", "sha256": "ffbcf6b936ee4ef4c9b312ca9bb5da9d942f9a8680301b5f0debf394ad42c5fa", "type": "eql", "version": 5 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { - "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Browser Process", "sha256": "bd50fb4c4b5ec6a4ebd52c50a505e5dc1fe75637d51ad57a0f0e79dff682aea5", "type": "eql", "version": 4 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { - "min_stack_version": "8.3", "rule_name": "Suspicious PrintSpooler Service Executable File Creation", "sha256": "2e72ae9c5ca64669617999cec691b8f282cbf159464363b5d821bdddd4edd5d3", "type": "eql", "version": 108 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0", "type": "query", 
@@ -3643,116 +2777,84 @@ "version": 2 }, "5c602cba-ae00-4488-845d-24de2b6d8055": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0", "type": "query", "version": 1 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { - "min_stack_version": "8.4", "rule_name": "FirstTime Seen Account Performing DCSync", "sha256": "efaf2b94fb44203864342cbbad263757cf61dfe7c9be647fe038694e810170f4", "type": "new_terms", "version": 10 }, "5c81fc9d-1eae-437f-ba07-268472967013": { - "min_stack_version": "8.3", "rule_name": "Segfault Detected", "sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8", "type": "query", "version": 1 }, "5c895b4f-9133-4e68-9e23-59902175355c": { - "min_stack_version": "8.6", "rule_name": "Potential Meterpreter Reverse Shell", "sha256": "eba0d9a274b902396a98f70bf3464b3faba30514532b52d48f11de4f46572076", "type": "eql", "version": 6 }, "5c983105-4681-46c3-9890-0c66d05e776b": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Process Discovery Activity", "sha256": "e67ff82fd38ab4af435c7cd93dee29535aac33d0dca591dada0c896337e58380", "type": "machine_learning", "version": 103 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { - "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via PRoot", "sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4", "type": "eql", "version": 7 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { - "min_stack_version": "8.3", "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "63aa403181709c3d123a628bdd843aacbbc3fff0eca0f17fccf30788068d58ef", "type": "eql", "version": 108 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { - "min_stack_version": "8.3", "rule_name": "User Added to Privileged Group", "sha256": "b33d6cc34a4b101cc79bc0c7f84cb361bcd02e5318b2295a57ebf4505ef0824d", "type": "eql", "version": 109 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { 
- "min_stack_version": "8.3", "rule_name": "Persistence via PowerShell profile", "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60", "type": "eql", "version": 9 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { - "min_stack_version": "8.3", "rule_name": "Persistence via Login or Logout Hook", "sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8", "type": "eql", "version": 107 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "4051d22fd7d1721a31073f7a8b1173bdced88d11e883da07bafb67030c11d4fd", "type": "eql", "version": 108 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { - "min_stack_version": "8.3", "rule_name": "Suspicious Automator Workflows Execution", "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906", "type": "eql", "version": 106 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Workspace 2SV Policy Disabled", - "sha256": "ddbea6e8e6fead49ee6b7eb17b83de0996fdabfef882164c7f04a134f1438293", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace 2SV Policy Disabled", "sha256": "90ed7cc03c1d2f50cb22cde81cefe5234690d44b19be19c4b0029735fa3e4f3a", "type": "query", "version": 106 }, "5e552599-ddec-4e14-bad1-28aa42404388": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Teams Guest Access Enabled", - "sha256": "4e4a262b9c4e5ab8a6ad524df85e1f6b13bdcae8c45ccea1db5bb31e2acd028f", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Teams Guest Access Enabled", "sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838", "type": "query", 
@@ -3772,58 +2874,42 @@ "version": 1 }, "5f2f463e-6997-478c-8405-fb41cc283281": { - "min_stack_version": "8.3", "rule_name": "Potential File Download via a Headless Browser", "sha256": "30c24a512438771d6de13cf9fbc3b909d451f6017b033ea015c1a99fc779f8b5", "type": "eql", "version": 1 }, "60884af6-f553-4a6c-af13-300047455491": { - "min_stack_version": "8.3", "rule_name": "Azure Command Execution on Virtual Machine", "sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12", "type": "query", "version": 102 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { - "min_stack_version": "8.3", "rule_name": "Azure Service Principal Addition", "sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2", "type": "query", "version": 105 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange DLP Policy Removed", - "sha256": "0886a8d4f32a069d4f64c2559bfc5d527f4a2d24045aab00ae97f1de9ad9efb7", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange DLP Policy Removed", "sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9", "type": "query", "version": 206 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { - "min_stack_version": "8.3", "rule_name": "Unusual Process Network Connection", "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", "type": "eql", "version": 108 }, "61336fe6-c043-4743-ab6e-41292f439603": { - "min_stack_version": "8.3", "rule_name": "New User Added To GitHub Organization", "sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8", "type": "eql", "version": 1 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { - "min_stack_version": "8.3", "rule_name": "Interactive Logon by an Unusual Process", "sha256": "371c92a53ff6fe2812871b685def6102afb58b89c536d718eb67344227d117d2", "type": "eql", 
@@ -3832,7 +2918,7 @@ "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", @@ -3852,7 +2938,6 @@ "version": 100 }, "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { - "min_stack_version": "8.3", "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "596066dff727c29d10294ff6d205113bf4bc37e185127d4586a4a53eb1ed9cb0", "type": "eql", 
@@ -3866,70 +2951,60 @@ "version": 1 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { - "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e", "type": "eql", "version": 107 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { - "min_stack_version": "8.3", "rule_name": "Account Configured with Never-Expiring Password", "sha256": "bff6971b2108d22178fe7e1ba59610ea438646b4c81a203c7c85e90f0b42b640", "type": "query", "version": 108 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { - "min_stack_version": "8.3", "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection", "sha256": "cda94f2b58b70076662143a46548455aa8e987cf042b4b051776a276aa0c495f", "type": "eql", "version": 4 }, "63c05204-339a-11ed-a261-0242ac120002": { - "min_stack_version": "8.4", "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", "sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab", "type": "query", "version": 6 }, "63c056a0-339a-11ed-a261-0242ac120002": { - "min_stack_version": "8.4", "rule_name": "Kubernetes Denied Service Account Request", "sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86", "type": "query", "version": 5 }, "63c057cc-339a-11ed-a261-0242ac120002": { - "min_stack_version": "8.4", "rule_name": "Kubernetes Anonymous Request Authorized", "sha256": "124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd", "type": "query", "version": 6 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { - "min_stack_version": "8.3", "rule_name": "Network Connection via Signed Binary", "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49", "type": "eql", "version": 108 }, "647fc812-7996-4795-8869-9c4ea595fe88": { - "min_stack_version": "8.3", "rule_name": "Anomalous Process For a Linux Population", "sha256": "83b053309247f90ea7bda7f3c8e474257fe61dec3fc68d387888dc2da6ccf096", "type": "machine_learning", "version": 
104 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { - "min_stack_version": "8.3", "rule_name": "Modification of Safari Settings via Defaults Command", "sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012", "type": "query", "version": 106 }, "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { - "min_stack_version": "8.3", "rule_name": "Network Connection via Recently Compiled Executable", "sha256": "602b297ae58effa807f0bca106916c4f1902c7fa8f5c62bfd282b5b65de72f7b", "type": "eql", 
@@ -3942,58 +3017,42 @@ "version": 100 }, "65f9bccd-510b-40df-8263-334f03174fed": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "c6cf6184bd1e4f3add0ac786022ed97b13163f8ef7278c905b94bcea8447509f", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Exposed Service Created With Type NodePort", "sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e", "type": "query", "version": 203 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { - "min_stack_version": "8.3", "rule_name": "Attempt to Mount SMB Share via Command Line", "sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4", "type": "eql", "version": 107 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { - "min_stack_version": "8.5", "rule_name": "Suspicious Termination of ESXI Process", "sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2", "type": "eql", "version": 6 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { - "min_stack_version": "8.3", "rule_name": "WebServer Access Logs Deleted", "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977", "type": "eql", "version": 105 }, "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { - "min_stack_version": "8.3", "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", "sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a", "type": "eql", "version": 7 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { - "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Web Services", "sha256": "fd8374f717cf2af735052c2e6070cf34a2f345ffc0817d3633deedef52e54e18", "type": "eql", "version": 113 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { - "min_stack_version": "8.3", "rule_name": "Linux Process Hooking via GDB", "sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d", "type": "eql", 
@@ -4002,7 +3061,7 @@ "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Suspicious macOS MS Office Child Process", "sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489", @@ -4016,7 +3075,6 @@ "version": 206 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { - "min_stack_version": "8.3", "rule_name": "Modification of the msPKIAccountCredentials", "sha256": "9a207172558146d200bc0297376b645cc44023db1b7a8202a16c432936fad1ab", "type": "query", @@ -4025,7 +3083,7 @@ "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63", @@ -4039,16 +3097,6 @@ "version": 206 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "O365 Mailbox Audit Logging Bypass", - "sha256": "cac04714049b7a004fe00585d8cc3e351f442896feb07e367f5e3406853f595d", - "type": "query", - "version": 106 - } - }, "rule_name": "O365 Mailbox Audit Logging Bypass", "sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb", "type": "query", @@ -4057,7 +3105,7 @@ "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93", @@ -4077,7 +3125,6 @@ "version": 100 }, "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { - "min_stack_version": "8.3", "rule_name": "High Number of Process Terminations", "sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3", "type": "threshold", 
@@ -4090,23 +3137,12 @@ "version": 100 }, "6839c821-011d-43bd-bd5b-acff00257226": { - "min_stack_version": "8.3", "rule_name": "Image File Execution Options Injection", "sha256": "413e961dc4797bf3701be20c749258009705733592d081c9b030aed6a7b8e75c", "type": "eql", "version": 107 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "New or Modified Federation Domain", - "sha256": "c12b7d94ddd9ac7a54891cd86831775b8622d2c0681fcaf612e2842bed646cf6", - "type": "query", - "version": 106 - } - }, "rule_name": "New or Modified Federation Domain", "sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8", "type": "query", @@ -4115,7 +3151,7 @@ "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21", 
@@ -4129,252 +3165,162 @@ "version": 205 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { - "min_stack_version": "8.3", "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "ca27a9f60eec10c769a8b530ccb040f0a6c4218b6af386a6daa5e6ffb6ca381f", "type": "eql", "version": 110 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": "a8a7d4e956c4cd2733f3d5e26871a367b937a0944420b3eaaca82370b8246a55", - "type": "query", - "version": 105 - } - }, "rule_name": "Google Workspace Admin Role Assigned to a User", "sha256": "6efdcc0936767be2538639bc2b7dfc028b4f7d02b590bbfac757314fcec9ce2a", "type": "query", "version": 206 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { - "min_stack_version": "8.3", "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "9e2d92b09b248d78181d6b8283ed595c2560ea046d17365515a8e57f6cb1679c", "type": "eql", "version": 107 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudWatch Log Group Deletion", "sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399", "type": "query", "version": 209 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { - "min_stack_version": "8.3", "rule_name": "Suspicious Access to LDAP Attributes", "sha256": "307219345f44551ce020e8edcdc4a77f54cae4a0431f6fdd2dd7b9553c93519d", "type": "eql", "version": 1 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "0e58274266004591d50a31dccda8579c2e48897fecb54d3ff9aa6153e1b2f459", "type": "eql", "version": 109 }, 
"6951f15e-533c-4a60-8014-a3c3ab851a1b": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 104, - "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd", - "type": "query", - "version": 5 - } - }, "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e", "type": "query", "version": 106 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { - "min_stack_version": "8.5", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", - "sha256": "32f01788e2000cbf97dfe76446aa173db05e8a73eac467ec634aec29072ba7e8", - "type": "threat_match", - "version": 105 - } - }, "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", "sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85", "type": "threat_match", "version": 204 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { - "min_stack_version": "8.3", "rule_name": "Modification of Boot Configuration", "sha256": "500524cf359e95ea7b5677b35a1d166b011fa0b33628d49b9e0ca3dcb7531525", "type": "eql", "version": 109 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS IAM Password Recovery Requested", "sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df", "type": "query", "version": 206 }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { - "min_stack_version": "8.9", "rule_name": "EC2 AMI Shared with Another Account", "sha256": "269a6ce9b13aedfce015a85a679e1a55ebf3974fdd7cb9b3c9f84411ed85cafc", "type": "query", 
"version": 1 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { - "min_stack_version": "8.3", "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", "type": "eql", "version": 110 }, "6aace640-e631-4870-ba8e-5fdda09325db": { - "min_stack_version": "8.3", "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f", "type": "eql", "version": 111 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { - "min_stack_version": "8.3", "rule_name": "Suspicious Utility Launched via ProxyChains", "sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2", "type": "eql", "version": 7 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Sensitive Files Compression", - "sha256": "271c0de47099ee8a5e049d68bf4d49801b884b81f673df03edceab970daebe19", - "type": "query", - "version": 106 - } - }, "rule_name": "Sensitive Files Compression", "sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50", "type": "new_terms", "version": 208 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { - "min_stack_version": "8.3", "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "4a3308713c74898d9a52d894105c3a41556786008f169b725436c4dbc018ee99", "type": "eql", "version": 107 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { - "min_stack_version": "8.8", "rule_name": "Container Management Utility Run Inside A Container", "sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d", "type": "eql", "version": 2 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { - "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", "type": "eql", "version": 108 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": 
{ - "min_stack_version": "8.3", "rule_name": "GitHub Repo Created", "sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09", "type": "eql", "version": 1 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { - "min_stack_version": "8.3", "rule_name": "Unusual Process For a Windows Host", "sha256": "f65a12afc06498c72c6fe35834ef48f2c6cee057748963b300cae83e7a411f78", "type": "machine_learning", "version": 107 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { - "min_stack_version": "8.6", "rule_name": "Potential Privilege Escalation via CVE-2023-4911", "sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0", "type": "eql", "version": 4 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", "sha256": "296e88e08cfeb38dd5bfe7c3719ed7ce80f41022b51190abddbedacc66220afa", "type": "new_terms", "version": 5 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { - "min_stack_version": "8.3", "rule_name": "Anomalous Process For a Windows Population", "sha256": "797cf8fc982536b11a0679348b4eca584db853de77646320ff0c146465196bcd", "type": "machine_learning", "version": 105 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { - "min_stack_version": "8.3", "rule_name": "AdminSDHolder Backdoor", "sha256": "53f33d98ecca40d46328a7ff7593743ac0f62aefad6854a203355d59f240ece1", "type": "query", "version": 106 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { - "min_stack_version": "8.7", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "6b4e00cd0749f89148010473d62893477290a0438ab07894e38b445ce10c7b3e", - "type": "eql", - "version": 107 - } - }, "rule_name": "Enumeration of Users or Groups via Built-in Commands", "sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd", "type": "eql", "version": 207 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { - "min_stack_version": "8.3", 
"rule_name": "Potential Windows Error Manager Masquerading", "sha256": "f66c92e627ba4aabff1fb546ee38cbdf15e88ad11a4e5fc9059ba9be41db31f3", "type": "eql", "version": 108 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { - "min_stack_version": "8.3", "rule_name": "Security Software Discovery using WMIC", "sha256": "191d08e949cb9f57e2853a307b82f336896da072f4dea0054f301ee50bebfd89", "type": "eql", @@ -4387,7 +3333,6 @@ "version": 100 }, "6ee947e9-de7e-4281-a55d-09289bdf947e": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Tunneling and/or Port Forwarding", "sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8", "type": "eql", @@ -4407,16 +3352,6 @@ "version": 1 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Google Workspace Role Modified", - "sha256": "8917dd169608ea491ef3f4c15d53b08aa6747b200e3b62a4bc22da3afb71fc9a", - "type": "query", - "version": 104 - } - }, "rule_name": "Google Workspace Role Modified", "sha256": "cc27c5d907038ca85c5d0c991e541013163f6fccc0bf95c84ac0b4ed62175081", "type": "query", 
@@ -4429,113 +3364,66 @@ "version": 100 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudTrail Log Deleted", "sha256": "f23d0872d802001bbc030b70a5f6be00760eb331e2c1ea06a5e57d15d2e336c9", "type": "query", "version": 209 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS Config Resource Deletion", - "sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS Config Resource Deletion", "sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f", "type": "query", "version": 209 }, "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution via MSIEXEC", "sha256": "2b0a113e37d67649e6f11b5bf035ca1a3a6649ad4996a27b1e788651ae11b846", "type": "eql", "version": 2 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { - "min_stack_version": "8.3", "rule_name": "Persistence via WMI Standard Registry Provider", "sha256": "db796cbae0d063b4f1a54079e8f00e82b333a78701059a9a9962630dd48cc857", "type": "eql", "version": 108 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { - "min_stack_version": "8.3", "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47", "type": "query", "version": 106 }, "7164081a-3930-11ed-a261-0242ac120002": { - "min_stack_version": "8.4", "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", "sha256": "86bf8bc61640a49c610c81cef5cb6bd417d85a5160637971eb56c908af7a3bec", "type": "query", "version": 4 }, 
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "dc67793718c16d2d90d8be38bf310b0ce87c25f4e9c56a66f7a231b80d9922f0", - "type": "query", - "version": 107 - } - }, "rule_name": "Modification of Dynamic Linker Preload Shared Object", "sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40", "type": "new_terms", "version": 209 }, "71bccb61-e19b-452f-b104-79a60e546a95": { - "min_stack_version": "8.3", "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "a3fdba9254d6e0decace5b3bbe34f7365bdb09fb0ab62ce49b0058dc63af0cbc", "type": "eql", "version": 114 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { - "min_stack_version": "8.3", "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "e9a9062beb0713d366bd638f7cf733c19ec8aed20b8603b3b0d460618a78aaa2", "type": "eql", "version": 109 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { - "min_stack_version": "8.3", "rule_name": "Suspicious Passwd File Event Action", "sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2", "type": "eql", "version": 3 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "065cd0cc51b5457baa9bc37901045907810e07d074eef16982399654fae10302", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Potential ransomware activity", "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f", "type": "query", 
@@ -4544,7 +3432,7 @@ "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c", @@ -4564,21 +3452,18 @@ "version": 100 }, "72ed9140-fe9d-4a34-a026-75b50e484b17": { - "min_stack_version": "8.6", "rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable", "sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9", "type": "new_terms", "version": 2 }, "730ed57d-ae0f-444f-af50-78708b57edd5": { - "min_stack_version": "8.3", "rule_name": "Suspicious JetBrains TeamCity Child Process", "sha256": "c9e084cfb0ca88c2cc8bfdeaeae122e26763a683878236cd17307ce5cabfe578", "type": "eql", "version": 1 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { - "min_stack_version": "8.3", "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "65d25ee5fe0482453ec857754eb6d2d3273c48bcef76cea6d9c3843f555d19eb", "type": "eql", @@ -4587,7 +3472,7 @@ "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Modification of Environment Variable via Launchctl", "sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb", 
@@ -4601,232 +3486,168 @@ "version": 206 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { - "min_stack_version": "8.3", "rule_name": "Unusual Hour for a User to Logon", "sha256": "8c8f1df8c5b78cb30de44700004958516615a323691d707eee2ed79b9a00424c", "type": "machine_learning", "version": 104 }, "746edc4c-c54c-49c6-97a1-651223819448": { - "min_stack_version": "8.3", "rule_name": "Unusual DNS Activity", "sha256": "b9ea779f9594e53247551940577acd651bc9971f972c085f9476e736de350577", "type": "machine_learning", "version": 103 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 102, - "rule_name": "Suspicious Sysctl File Event", - "sha256": "dc62f12237c63e7f170343cc5fcf2587a078f5af5e823d46e6545f8b11a01b90", - "type": "eql", - "version": 4 - } - }, "rule_name": "Suspicious Sysctl File Event", "sha256": "a98b507603e191d5d7b9018614f89020e94baf48aa9ab69666128517e8a282c8", "type": "new_terms", "version": 107 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { - "min_stack_version": "8.3", "rule_name": "Service Disabled via Registry Modification", "sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a", "type": "eql", "version": 3 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { - "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: Unauthorized Method", "sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961", "type": "query", "version": 102 }, "76152ca1-71d0-4003-9e37-0983e12832da": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Sudoers File Modification", "sha256": "6dfec898ca5b57352a078ff6ea65a0452985eeac88bb6ca491399544d57be902", "type": "query", "version": 103 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": 
"88a76082a0b05f8b848047174d1517f7746506e91ed2bb2d203255a52f38a8e2", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Pod Created With HostIPC", "sha256": "beed3f7f4d2a86f155bd96e2903ded43fe8eb75d27f85650778e44bdf7e50982", "type": "query", "version": 203 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { - "min_stack_version": "8.3", "rule_name": "Access to a Sensitive LDAP Attribute", "sha256": "1ae31d3cb536669955d44bdf92b5c53dfd9868ad3ff5813fe8acee8502eecc41", "type": "eql", "version": 10 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { - "min_stack_version": "8.3", "rule_name": "Creation of Hidden Shared Object File", "sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa", "type": "eql", "version": 110 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { - "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb", "type": "eql", "version": 106 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Child Process", "sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953", "type": "eql", "version": 9 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { - "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33", "type": "eql", "version": 110 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { - "min_stack_version": "8.3", "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "8ad7865bb2ea255f74f4010cbc3df77b3480c3878500abf1c5ebf0b7c924a7cf", "type": "eql", "version": 111 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { - "min_stack_version": "8.3", "rule_name": "User Added as Owner for Azure Application", "sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26", "type": "query", "version": 102 }, 
"7787362c-90ff-4b1a-b313-8808b1020e64": { - "min_stack_version": "8.6", "rule_name": "UID Elevation from Previously Unknown Executable", "sha256": "2b60afa9037795b630f1d33a76fcd68f49f3c1ccf9b0da8445765575a2508534", "type": "new_terms", "version": 2 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { - "min_stack_version": "8.3", "rule_name": "Adversary Behavior - Detected - Elastic Endgame", "sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d", "type": "query", "version": 104 }, "781f8746-2180-4691-890c-4c96d11ca91d": { - "min_stack_version": "8.3", "rule_name": "Potential Network Sweep Detected", "sha256": "a076fa96b47fb15ed66e6f90750fdc91ac7f7cf9e496f47150eba1253dcbc6db", "type": "threshold", "version": 5 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Application Added to Google Workspace Domain", - "sha256": "7fa64b656ada94baa0a8d76c00231f99bfd63f0925722bdfeb6528ff90cdef76", - "type": "query", - "version": 104 - } - }, "rule_name": "Application Added to Google Workspace Domain", "sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6", "type": "query", "version": 205 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { - "min_stack_version": "8.3", "rule_name": "Azure Privilege Identity Management Role Modified", "sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e", "type": "query", "version": 105 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Spike in AWS Error Messages", - "sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Spike in AWS Error Messages", "sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2", "type": "machine_learning", "version": 208 }, 
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": { - "min_stack_version": "8.3", "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0", "type": "eql", "version": 1 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { - "min_stack_version": "8.3", "rule_name": "Suspicious File Renamed via SMB", "sha256": "fc6be263784c700668a9eb4f67231f1786f1750bc929af29d6655989375915c0", "type": "eql", "version": 1 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { - "min_stack_version": "8.4", "rule_name": "Unsigned DLL Loaded by Svchost", "sha256": "693613eaf1e2584a9bc56d598ff28225091c888aa886521384faf26f2cc43a45", "type": "eql", "version": 6 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { - "min_stack_version": "8.3", "rule_name": "File Compressed or Archived into Common Format", "sha256": "75b814ddab9122b2dde8034d1daadc9731ff977dce815207b7565aad49cda555", "type": "eql", "version": 4 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { - "min_stack_version": "8.3", "rule_name": "Azure Key Vault Modified", "sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87", "type": "query", "version": 103 }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { - "min_stack_version": "8.3", "rule_name": "Potential Masquerading as System32 Executable", "sha256": "a613c9495f4b8b1cd51df4eac684c578f26aceaa65e6d20faa875e280f3a0912", "type": "eql", "version": 4 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { - "min_stack_version": "8.3", "rule_name": "Potential File Transfer via Certreq", "sha256": "45f8eda9995222bc895d40fc9bab8fea41954def40702271c8a6b7af7bd09eef", "type": "eql", "version": 8 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { - "min_stack_version": "8.3", "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "696545e871e59971a9c77d60fb7f5cb25cbbec8a62cdf6fd167b9ec939efa675", "type": "query", 
@@ -4839,14 +3660,12 @@ "version": 100 }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation through Writable Docker Socket", "sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2", "type": "eql", "version": 5 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { - "min_stack_version": "8.3", "rule_name": "Potential Execution via XZBackdoor", "sha256": "3b5e1d6fe931166937ac8b2540f9f001897d52336750147eef0f13925a5f0c39", "type": "eql", 
@@ -4859,69 +3678,36 @@ "version": 100 }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS ElastiCache Security Group Created", "sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4", "type": "query", "version": 206 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { - "min_stack_version": "8.3", "rule_name": "Windows Network Enumeration", "sha256": "76d42ebe68f574a31fb590b3d96321d2e8d048306a8159b2f0b36be83255e855", "type": "eql", "version": 111 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "cfb5125f0705e215f8dc00f7a38fe7454cf24077181b6b9c70068c7e46fbadb6", - "type": "eql", - "version": 106 - } - }, "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1", "type": "eql", "version": 208 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { - "min_stack_version": "8.3", "rule_name": "Tampering of Shell Command-Line History", "sha256": "106aa939e4c87db6570ee327ed6ca3e7f889aca17a71e09044b0b8dc3bed815c", "type": "eql", "version": 105 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Workspace Bitlocker Setting Disabled", - "sha256": "b7f72377e6e5c62220a4932b83c0343a304f9e32c6f8df1a2320f97dc666d857", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace Bitlocker Setting Disabled", "sha256": "d876e552704f399012a35ef8ccd37653e6278d558e9904d895f023110f987c55", "type": "query", "version": 106 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { 
- "min_stack_version": "8.3", "rule_name": "GCP Service Account Creation", "sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c", "type": "query", 
@@ -4934,104 +3720,66 @@ "version": 100 }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { - "min_stack_version": "8.3", "rule_name": "Suspicious Kworker UID Elevation", "sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a", "type": "eql", "version": 2 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { - "min_stack_version": "8.3", "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", "type": "eql", "version": 109 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 100, - "rule_name": "Discovery of Internet Capabilities via Built-in Tools", - "sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66", - "type": "eql", - "version": 1 - } - }, "rule_name": "Discovery of Internet Capabilities via Built-in Tools", "sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee", "type": "new_terms", "version": 102 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { - "min_stack_version": "8.6", "rule_name": "New Systemd Timer Created", "sha256": "c5bf7a856bf289f0687f5916c01098906650541047b786e7a120cd6ec3fbb948", "type": "new_terms", "version": 9 }, "80084fa9-8677-4453-8680-b891d3c0c778": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 102, - "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "e8cbeafae45cf6592034b68de6f2166705890d49c7a6e5821b387dfa6c535dc9", - "type": "eql", - "version": 4 - } - }, "rule_name": "Enumeration of Kernel Modules via Proc", "sha256": "a673dd1c8988721179c42b0b788a1b229fce05298dfe5664b54ca535750e4587", "type": "new_terms", "version": 106 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { - "min_stack_version": "8.3", "rule_name": "Unusual Process Extension", "sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a", "type": "eql", "version": 4 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { - 
"min_stack_version": "8.3", "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", "sha256": "237bea63ac52782481baf16b92d59c08e0e799105d378bec92197c4ad8fad8b4", "type": "eql", "version": 2 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Unusual City For an AWS Command", - "sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Unusual City For an AWS Command", "sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199", "type": "machine_learning", "version": 208 }, "80c52164-c82a-402c-9964-852533d58be1": { - "min_stack_version": "8.3", "rule_name": "Process Injection - Detected - Elastic Endgame", "sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be", "type": "query", "version": 103 }, "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { - "min_stack_version": "8.9", "rule_name": "Unusual Remote File Extension", "sha256": "e5eeb038f9aa39433fcea8c9410b24a6a1337512da397d2818fc96f5698f767b", "type": "machine_learning", "version": 3 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "93f0d3a27ec93093c91f59d6a1bcd1a34b1f007ff0304b857a730c1c6c35f186", "type": "eql", @@ -5046,7 +3794,7 @@ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", @@ -5060,7 +3808,6 @@ "version": 211 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { - "min_stack_version": "8.3", "rule_name": "Temporarily Scheduled Task Creation", "sha256": "b9eb095355ecc02a827ca56e41a3ccd5fd5fff3c57c2f1a1e16e0f32082bcd46", "type": "eql", 
@@ -5069,7 +3816,7 @@ "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.11", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Apple Scripting Execution with Administrator Privileges", "sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a", @@ -5083,14 +3830,12 @@ "version": 207 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Local Account Brute Force Detected", "sha256": "7951c32071a4f27cf235f88d6d4af14655a24aca293681878a970dc3e3973c1f", "type": "eql", "version": 6 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { - "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Pods Deleted", "sha256": "8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9", "type": "query", 
@@ -5103,143 +3848,84 @@ "version": 100 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { - "min_stack_version": "8.3", "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "1814e77d691d41da88a1ba4c922ef445c031e653b86b5dd166f99cba587157f1", "type": "eql", "version": 7 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { - "min_stack_version": "8.3", "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role", "sha256": "ca0cdbc0af36d4bf4a78a1a5f82fca391580b9507566dd67dd281c61cd510c7a", "type": "new_terms", "version": 2 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { - "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Transport Agent Install Script", "sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412", "type": "query", "version": 5 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { - "min_stack_version": "8.3", "rule_name": "Potential Upgrade of Non-interactive Shell", "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759", "type": "eql", "version": 3 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { - "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", "sha256": "7a9ce57d7b2a5c723facc456a26c549cb5acacc09fe4844360c1af34366c0744", "type": "eql", "version": 110 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { - "min_stack_version": "8.3", "rule_name": "Potential Remote Credential Access via Registry", "sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32", "type": "eql", "version": 111 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47", - "type": "eql", - "version": 108 - } - }, "rule_name": "Suspicious PowerShell Engine ImageLoad", "sha256": "8fb4c5a6040d9edf0a32b6e6fd809d366eea096495438e323e148d684c871404", "type": "new_terms", "version": 210 }, 
"8623535c-1e17-44e1-aa97-7a0699c3037d": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EC2 Network Access Control List Deletion", "sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006", "type": "query", "version": 206 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Security Group Deletion", - "sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Security Group Deletion", "sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9", "type": "query", "version": 206 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS IAM Group Deletion", - "sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS IAM Group Deletion", "sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781", "type": "query", "version": 206 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Reverse Connection through Port Knocking", "sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc", "type": "eql", "version": 1 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { - "min_stack_version": "8.3", "rule_name": "Security Software Discovery via Grep", "sha256": "de3ae123fbc7d0cb0596b3c5cc6467fdf51f545053665c4f5afdeb758983bc76", "type": "eql", "version": 109 }, "871ea072-1b71-4def-b016-6278b505138d": { - "min_stack_version": "8.3", "rule_name": "Enumeration of 
Administrator Accounts", "sha256": "6a87be3b93e4a75c3dbfeba82b7aaa420dd43f042ec1bc9641d5649f8f6850b5", "type": "eql", "version": 112 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EventBridge Rule Disabled or Deleted", "sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339", "type": "query", 
@@ -5252,53 +3938,30 @@ "version": 100 }, "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { - "min_stack_version": "8.6", "rule_name": "Potential Suspicious Clipboard Activity Detected", "sha256": "0177e89bdd890b3651f0d3bc7bb08aa7a71cc97d95e6f965d2131a132599a839", "type": "new_terms", "version": 4 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "bb6703bc49a5b12297b62e2aa1b7a9e5f01ce6108eabbd1d541ec655dd35ac50", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Global Administrator Role Assigned", "sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66", "type": "query", "version": 206 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { - "min_stack_version": "8.3", "rule_name": "Sublime Plugin or Application Script Modification", "sha256": "e1e70345125002f7b837c9c87a54b449497d0b8a5d4f32f30e24b28185445925", "type": "eql", "version": 107 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 102, - "rule_name": "Potential Sudo Hijacking Detected", - "sha256": "28eba13edb2d9454c08d86938d6bf41ed614c2c32879ec8719cd571c0c9cbef5", - "type": "eql", - "version": 3 - } - }, "rule_name": "Potential Sudo Hijacking Detected", "sha256": "3d49290bdfa2269196ce840768887b0c20588d07f406eef1f33e10c6117246e0", "type": "new_terms", "version": 105 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { - "min_stack_version": "8.3", "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443", "type": "eql", 
@@ -5311,28 +3974,24 @@ "version": 100 }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { - "min_stack_version": "8.3", "rule_name": "Kerberos Traffic from Unusual Process", "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50", "type": "eql", "version": 110 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { - "min_stack_version": "8.3", "rule_name": "Command Prompt Network Connection", "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271", "type": "eql", "version": 108 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { - "min_stack_version": "8.3", "rule_name": "Persistence via DirectoryService Plugin Modification", "sha256": "7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b", "type": "query", "version": 106 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { - "min_stack_version": "8.3", "rule_name": "Suspicious Symbolic Link Created", "sha256": "6041852ef2da176bb02a69879e30441c9842802e2b5e06678aaca5653322cf32", "type": "eql", @@ -5346,21 +4005,18 @@ "version": 3 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { - "min_stack_version": "8.3", "rule_name": "GitHub PAT Access Revoked", "sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4", "type": "eql", "version": 1 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { - "min_stack_version": "8.3", "rule_name": "Setuid / Setgid Bit Set via chmod", "sha256": "9c15ba48b9d09639823c4d9695769a98190668b5a82f91664552b3a1d00134d5", "type": "query", "version": 103 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution from a Mounted Device", "sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3", "type": "eql", @@ -5369,7 +4025,7 @@ "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009", 
@@ -5383,149 +4039,120 @@ "version": 206 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "Suspicious JAVA Child Process", - "sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16", - "type": "eql", - "version": 105 - } - }, "rule_name": "Suspicious JAVA Child Process", "sha256": "c73d3fa21849f702bf7a08d4182ce1e62bbf2096eef54418fd5faf94e042da75", "type": "new_terms", "version": 208 }, "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { - "min_stack_version": "8.3", "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", "sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140", "type": "eql", "version": 4 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { - "min_stack_version": "8.3", "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "bccda8eb5129b06f4f741772f5096f1be5c8365b976b07a61c32e442f9138298", "type": "eql", "version": 108 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { - "min_stack_version": "8.3", "rule_name": "Enable Host Network Discovery via Netsh", "sha256": "78eb240c8eeeb4d9df8d9454ba4f91306bbffcdf8b395c3a62c87009f89504de", "type": "eql", "version": 109 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { - "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Events Deleted", "sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9", "type": "query", "version": 102 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { - "min_stack_version": "8.3", "rule_name": "RDP (Remote Desktop Protocol) from the Internet", "sha256": "97a0561922556e3ced27828faed777dc5a0ab1da7843bfef7c19929702a26f4b", "type": "query", "version": 103 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { - "min_stack_version": "8.3", "rule_name": "Unusual Child Process of dns.exe", "sha256": "a6ecf9a561d41bac0bb75fbf33f868dc71ed4fc5e07f914780fd73c29dcdb1ba", "type": "eql", "version": 110 }, 
"8c81e506-6e82-4884-9b9a-75d3d252f967": { - "min_stack_version": "8.3", "rule_name": "Potential SharpRDP Behavior", "sha256": "133e1acd35b1b06ce036bf672f04203863a4f2e1c535cc722321f198d71bffda", "type": "eql", "version": 106 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { - "min_stack_version": "8.3", "rule_name": "Ransomware - Detected - Elastic Endgame", "sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2", "type": "query", "version": 103 }, "8cb84371-d053-4f4f-bce0-c74990e28f28": { - "min_stack_version": "8.3", "rule_name": "Potential Successful SSH Brute Force Attack", "sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483", "type": "eql", "version": 11 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { - "min_stack_version": "8.3", "rule_name": "File with Suspicious Extension Downloaded", "sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0", "type": "eql", "version": 3 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { - "min_stack_version": "8.8", "rule_name": "Suspicious Interactive Shell Spawned From Inside A Container", "sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e", "type": "eql", "version": 2 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via PKEXEC", "sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698", "type": "eql", "version": 108 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { - "min_stack_version": "8.3", "rule_name": "Azure Automation Runbook Deleted", "sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c", "type": "query", "version": 102 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { - "min_stack_version": "8.3", "rule_name": "Potential Outgoing RDP Connection by Unusual Process", "sha256": "e724d32f7d8923ac1608a48ba78404bda59c6db4b1475a392ad766f4e0853459", "type": "eql", "version": 3 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { - "min_stack_version": 
"8.3", "rule_name": "Bitsadmin Activity", "sha256": "39ca4c3ed7500f428501bf32d7b5361c687e94b712b9d7742406bb4c804bb53b", "type": "eql", "version": 2 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { - "min_stack_version": "8.3", "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "sha256": "60451d80b47ef91bfe8095934b32b4899ae705a33e3df155894a58dc67c97ce6", "type": "eql", "version": 1 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { - "min_stack_version": "8.3", "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", "sha256": "bb44b0120653077a52d8fbfb935aa73998db23fe25b3c188024f3a96b09b8e4c", "type": "eql", "version": 106 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { - "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68", "type": "eql", "version": 107 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { - "min_stack_version": "8.3", "rule_name": "GCP Service Account Deletion", "sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb", "type": "query", 
@@ -5538,37 +4165,24 @@ "version": 100 }, "90169566-2260-4824-b8e4-8615c3b4ed52": { - "min_stack_version": "8.3", "rule_name": "Hping Process Activity", "sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c", "type": "eql", "version": 108 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Deletion of RDS Instance or Cluster", "sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241", "type": "query", "version": 206 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { - "min_stack_version": "8.3", "rule_name": "Keychain Password Retrieval via Command Line", "sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3", "type": "eql", "version": 108 }, "90babaa8-5216-4568-992d-d4a01a105d98": { - "min_stack_version": "8.3", "rule_name": "InstallUtil Activity", "sha256": "b3e654521bd77a07433f951786a8b37f3f4bb9ef9459f8cbfd080af927ebf5f9", "type": "eql", 
@@ -5581,51 +4195,36 @@ "version": 100 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { - "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Route Creation", "sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79", "type": "query", "version": 104 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS WAF Access Control List Deletion", "sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1", "type": "query", "version": 206 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { - "min_stack_version": "8.3", "rule_name": "Unusual Web User Agent", "sha256": "085e5fd9bc868b88d70882d6ff9ad8cd88277bde6a5536d032d204050b191347", "type": "machine_learning", "version": 103 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { - "min_stack_version": "8.3", "rule_name": "Unusual Web Request", "sha256": "ca0f4d650120d7af5f5c1b882104229c33beac3e20991c9c22403a8a79b89ae1", "type": "machine_learning", "version": 103 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { - "min_stack_version": "8.3", "rule_name": "DNS Tunneling", "sha256": "30ea79771106d5283bb2b93e9376e9b56ebb99c37ef021f485fdc2ea17c783ea", "type": "machine_learning", "version": 103 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { - "min_stack_version": "8.3", "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", "type": "threshold", 
@@ -5634,7 +4233,7 @@ "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 107, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", 
@@ -5648,173 +4247,102 @@ "version": 108 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { - "min_stack_version": "8.3", "rule_name": "A scheduled task was created", "sha256": "d54ac464d0549dec4468d4706dfce032e2e8bed176f5ece56f3c6430378aff76", "type": "eql", "version": 8 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { - "min_stack_version": "8.3", "rule_name": "Potential Evasion via Windows Filtering Platform", "sha256": "1985305e54165a73be2bdfd8d6de615ed21edde213a17f11911f0a25cdd28c0c", "type": "eql", "version": 3 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", "sha256": "b0f5b4e396353924df242d69030559c5fd2dab01d092d3573750a4611ce59860", "type": "query", "version": 206 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Sudoers File Modification", - "sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef", - "type": "query", - "version": 103 - } - }, "rule_name": "Sudoers File Modification", "sha256": "f4d948d4c06ecb8fae9ce5be98bc19d8200ccb0e271913c4b2c41c01a45233b2", "type": "new_terms", "version": 204 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS VPC Flow Logs Deletion", "sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6", "type": "query", "version": 209 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { - "min_stack_version": 
"8.3", "rule_name": "Suspicious SolarWinds Child Process", "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606", "type": "eql", "version": 110 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { - "min_stack_version": "8.3", "rule_name": "Encoded Executable Stored in the Registry", "sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851", "type": "eql", "version": 107 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "723578f77b081beb3b8a8da703208e1279aa15eba410de837d67b390c4334bbe", - "type": "query", - "version": 104 - } - }, "rule_name": "Google Workspace Admin Role Deletion", "sha256": "cab219f6e8b4ccaf91b7f6190f1d098c08ddc5b898d2e1566965ba6039a72657", "type": "query", "version": 205 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 203, - "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f", - "type": "query", - "version": 104 - } - }, "rule_name": "Modification of Standard Authentication Module or Configuration", "sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30", "type": "new_terms", "version": 204 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { - "min_stack_version": "8.3", "rule_name": "Creation of Kernel Module", "sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533", "type": "eql", "version": 3 }, "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { - "min_stack_version": "8.3", "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", "sha256": "31677cdb4cb00d90106a66e1b086ad61ada306117acf7b0af9e17d13a96b91f0", "type": "eql", "version": 8 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - 
"max_allowable_version": 103, - "rule_name": "Google Workspace Custom Gmail Route Created or Modified", - "sha256": "0c7bcbc73caec8df64f6e5d9c2430357baaef7371ef1f47b25b5f5bd7f6edf7f", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace Custom Gmail Route Created or Modified", "sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1", "type": "query", "version": 106 }, "951779c2-82ad-4a6c-82b8-296c1f691449": { - "min_stack_version": "8.3", "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", "sha256": "7675d578e4dd24bc57bd2bbf670bfc9415f87ba8a2f3ddf8e8a7c00d3641d5f6", "type": "query", "version": 1 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { - "min_stack_version": "8.3", "rule_name": "Remote Scheduled Task Creation", "sha256": "efc5bf9425039882bd50862795a48859ffe194bee570ae43e2268a9fbea9fe80", "type": "eql", "version": 108 }, "959a7353-1129-4aa7-9084-30746b256a70": { - "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c", "type": "query", "version": 108 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { - "min_stack_version": "8.8", "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", "sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9", "type": "eql", "version": 2 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { - "min_stack_version": "8.3", "rule_name": "File made Immutable by Chattr", "sha256": "c2d2cfe2f74f7c4a8901ab56d95245ba900ce8e18c828bf0a2ad894b6260731e", "type": "eql", @@ -5823,7 +4351,7 @@ "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Attempt to Create Okta API Token", "sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353", 
@@ -5837,53 +4365,30 @@ "version": 205 }, "96d11d31-9a79-480f-8401-da28b194608f": { - "min_stack_version": "8.6", "rule_name": "Potential Persistence Through MOTD File Creation Detected", "sha256": "bc9916d1a1cd785c77d6f24073b3b607cdcefc196480e1f09e5e734866ac7fb1", "type": "new_terms", "version": 9 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { - "min_stack_version": "8.7", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Access to Keychain Credentials Directories", - "sha256": "2860753d4532b37b174d6b8e3e1314b0a7a0b3f54b74a7899205e53bacbae0de", - "type": "eql", - "version": 107 - } - }, "rule_name": "Access to Keychain Credentials Directories", "sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63", "type": "eql", "version": 207 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { - "min_stack_version": "8.3", "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", "sha256": "a3cff32c0bdbd78533b034070c4a270116087312c08ff8511d9bfd520be44f36", "type": "eql", "version": 7 }, "97314185-2568-4561-ae81-f3e480e5e695": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "5e3900d8aa0de4868a0980ccd44983433b4f857bddf099cf73275a57e5145c8f", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6", "type": "query", "version": 206 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { - "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Configuration Modification", "sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6", "type": "query", 
@@ -5897,16 +4402,6 @@ "version": 1 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS SAML Activity", - "sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS SAML Activity", "sha256": "37af41b152c5085758547bee67d9f0387f5f07fcba690c925338905f100cc43d", "type": "query", @@ -5915,7 +4410,7 @@ "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Potential Abuse of Repeated MFA Push Notifications", "sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4", @@ -5929,7 +4424,6 @@ "version": 209 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { - "min_stack_version": "8.3", "rule_name": "Suspicious Zoom Child Process", "sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976", "type": "eql", @@ -5942,7 +4436,6 @@ "version": 100 }, "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { - "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI Files", "sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39", "type": "eql", 
@@ -5955,169 +4448,108 @@ "version": 100 }, "97fc44d3-8dae-4019-ae83-298c3015600f": { - "min_stack_version": "8.3", "rule_name": "Startup or Run Key Registry Modification", "sha256": "361fc9bece9212d2816e83198a13e6951dc8e63c878162f552778218c8711684", "type": "eql", "version": 111 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", "sha256": "bca34a9cc93d913e9dd7b38378787f84bffb714c7a1ff0e76fe33c0b81cce627", "type": "eql", "version": 3 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { - "min_stack_version": "8.3", "rule_name": "Indirect Command Execution via Forfiles/Pcalua", "sha256": "1a205cf65c5d3958f5a75ef9944f9e7c7f8edc9dce54de95c5cc236303ed1416", "type": "eql", "version": 2 }, "9890ee61-d061-403d-9bf6-64934c51f638": { - "min_stack_version": "8.3", "rule_name": "GCP IAM Service Account Key Deletion", "sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff", "type": "query", "version": 104 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "a8d4e67d87194878313ca642bb0cfef0c9fc3750c6cf26a8b74eeac52d8a0c9e", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", "sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c", "type": "query", "version": 206 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS EC2 Snapshot Activity", "sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1", "type": "query", "version": 209 
}, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { - "min_stack_version": "8.3", "rule_name": "Process Injection - Prevented - Elastic Endgame", "sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa", "type": "query", "version": 103 }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { - "min_stack_version": "8.3", "rule_name": "MacOS Installer Package Spawns Network Event", "sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584", "type": "eql", "version": 107 }, "994e40aa-8c85-43de-825e-15f665375ee8": { - "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "sha256": "482926261657f74d6e44dd1fcdcd25df11184139e079a28e9558d172a94bc94f", "type": "eql", "version": 4 }, "9960432d-9b26-409f-972b-839a959e79e2": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "51227a6967396d84ff70c0b13a8a92fe16f45b0f6824b1cafb1b648ea5d5fddd", - "type": "eql", - "version": 106 - } - }, "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "2a6ab34b2777b1c0c5811839d0fb72b2778f887ef1ff8f877e8c2a1d8158a292", "type": "eql", "version": 209 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { - "min_stack_version": "8.3", "rule_name": "Spike in Failed Logon Events", "sha256": "1a2c14a7384dc942a3ff18edf7acc8a80867ba7213895616cb80e917fa985a6f", "type": "machine_learning", "version": 104 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { - "min_stack_version": "8.3", "rule_name": "Endpoint Security", "sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d", "type": "query", "version": 103 }, "9a3884d0-282d-45ea-86ce-b9c81100f026": { - "min_stack_version": "8.3", "rule_name": "Unsigned BITS Service Client Process", "sha256": "6c6b0a4cca70f6f55c5b73ca65607b2b546521f99bef8c3eeec5a873a4cebdcf", "type": "eql", "version": 2 }, 
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 104, - "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "956ccfb72b0b0545eedcac7869c1de45bcdc05490d5bf7c07da51f94442f4cf8", - "type": "eql", - "version": 6 - }, - "8.4": { - "max_allowable_version": 207, - "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "25484718086d5b02486408a92befb4c3f5ad9114ca059168686f84ada6efb1c0", - "type": "new_terms", - "version": 108 - } - }, "rule_name": "Potential Shadow File Read via Command Line Utilities", "sha256": "6d3b04cf53c9662f1a011b9b8d0b412aa1fb0f3bfe1771f6a1807b4bf76c1780", "type": "new_terms", "version": 208 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { - "min_stack_version": "8.3", "rule_name": "Suspicious Explorer Child Process", "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7", "type": "eql", "version": 109 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { - "min_stack_version": "8.3", "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "70c14e4efec28255020d7227acf60ade921f89c6f4f6f20df7eefe9f083993ce", "type": "eql", "version": 109 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { - "min_stack_version": "8.3", "rule_name": "GitHub Owner Role Granted To User", "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c", "type": "eql", "version": 3 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { - "min_stack_version": "8.3", "rule_name": "Persistence via WMI Event Subscription", "sha256": "36be7f5bc34d95f4e0db0866f200db91e20c57104c47535e70c0579f42c47d7c", "type": "eql", 
@@ -6131,44 +4563,30 @@ "version": 2 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { - "min_stack_version": "8.3", "rule_name": "Hosts File Modified", "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2", "type": "eql", "version": 108 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { - "min_stack_version": "8.3", "rule_name": "Remote Scheduled Task Creation via RPC", "sha256": "0f64c28a181949a1efa09b4f30225af7c831dc379510fde5484cb91ebbe9059e", "type": "eql", "version": 8 }, "9c951837-7d13-4b0c-be7a-f346623c8795": { - "min_stack_version": "8.3", "rule_name": "Potential Enumeration via Active Directory Web Service", "sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1", "type": "eql", "version": 2 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { - "min_stack_version": "8.3", "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057", "type": "eql", "version": 110 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Workspace User Group Access Modified to Allow External Access", - "sha256": "4ca64be8b81634872abafdfb31ec9ad8ac4825ceb19369bc47a5f59f0cd15968", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace User Group Access Modified to Allow External Access", "sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd", "type": "query", 
@@ -6181,248 +4599,168 @@ "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2", - "type": "eql", - "version": 105 - } - }, "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c", "type": "new_terms", "version": 209 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { - "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "c485e1358f4158ae03a14255b6d46e7c55467c0fadf17bb618b1ea57366ef1e1", "type": "eql", "version": 110 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { - "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "9821305b0eebf7cd0540a8a4af112f0cb88abf4dc3bbbe323ade7a203ccf4b08", "type": "eql", "version": 112 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { - "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Trusted Developer Utility", "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5", "type": "eql", "version": 110 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d", - "type": "eql", - "version": 106 - } - }, "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "88f6d6c995a534b5becc1676681e9c43a25e4a30332448f195ec5ae641b8b870", "type": "new_terms", "version": 211 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { - "min_stack_version": "8.3", "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": 
"91a18c0e34d966e4822caade08e77bf1677f953f76672f72c51ed95c86968438", "type": "query", "version": 106 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { - "min_stack_version": "8.3", "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", "sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8", "type": "eql", "version": 106 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Process Calling the Metadata Service", "sha256": "a8ec37b93c67426decc04bb1828dece6c21599efba58c2bcbdba4de0db24d7e5", "type": "machine_learning", "version": 103 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { - "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via EarthWorm", "sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079", "type": "eql", "version": 110 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { - "min_stack_version": "8.3", "rule_name": "Potential Credential Access via DCSync", "sha256": "d4d6d4838b5cf551986e8f7b4335f15eb0910a85ed8f40f695e52e1141147407", "type": "eql", "version": 113 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "File Permission Modification in Writable Directory", - "sha256": "6c93604ac3f7c4e56ba67f913a4b594887a31706b87f87c25ce6fe48e9608fc3", - "type": "eql", - "version": 106 - } - }, "rule_name": "File Permission Modification in Writable Directory", "sha256": "bb48a554acead2212b1c7f843dc9352b7f546a24999c026f249e82bfb88acd46", "type": "new_terms", "version": 210 - }, - "a00681e3-9ed6-447c-ab2c-be648821c622": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Access Secret in Secrets Manager", - "sha256": "8a809b35c09aae82a1f066892fa5746325703203ff96d57019f0c0566dc602fe", - "type": "query", - "version": 106 - }, - "8.6": { - "max_allowable_version": 307, - "rule_name": "First Time Seen 
AWS Secret Value Accessed in Secrets Manager", - "sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263", - "type": "new_terms", - "version": 208 - } - }, + }, + "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "sha256": "378a46774155bf6146f1d357c4e693e994e2122c127ec368b79c9186c4eea17e", "type": "new_terms", "version": 310 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { - "min_stack_version": "8.3", "rule_name": "A scheduled task was updated", "sha256": "f72866c48ccae69c487c9485afbf8ca05fc67403d5bda38d738920206c830645", "type": "eql", "version": 8 }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Python cap_setuid", "sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3", "type": "eql", "version": 3 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { - "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Topic Creation", "sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93", "type": "query", "version": 105 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { - "min_stack_version": "8.3", "rule_name": "InstallUtil Process Making Network Connections", "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f", "type": "eql", "version": 107 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { - "min_stack_version": "8.3", "rule_name": "File Deletion via Shred", "sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48", "type": "eql", "version": 109 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { - "min_stack_version": "8.3", "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "sha256": "90670896181f2ae7afdbd86f7ba48b393d39687df3d9ff84a3061265a8c90486", "type": "eql", "version": 106 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { - "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Distribution Installed", "sha256": 
"45960ca284b367be8f1699088f866e56e2c72c2a5205c1c1ac4a309354ab6119", "type": "eql", "version": 7 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { - "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Route Deletion", "sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99", "type": "query", "version": 104 }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { - "min_stack_version": "8.7", "rule_name": "My First Rule", "sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29", "type": "threshold", "version": 3 }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell Activity via Terminal", "sha256": "abc7a656bb0d4f63a1a6e01241d5070bd79d95767ddf50a96416c4cb1e21c0ea", "type": "eql", "version": 108 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { - "min_stack_version": "8.3", "rule_name": "Linux Group Creation", "sha256": "7fc88cc105fb44e6b06fe74f60102105a5d43b6174d0e52f9dafb31eda5b1bb7", "type": "eql", "version": 5 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { - "min_stack_version": "8.3", "rule_name": "DNS-over-HTTPS Enabled via Registry", "sha256": "6c0ebc416f6fb4c7549a97d6a862ad6d780640637db60c907841fa20c7c70d8a", "type": "eql", "version": 109 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", - "sha256": "337d1765f1495c27d1a5daf28740c34409d3a57bbf7be559211000d47dd66469", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", "sha256": "89b0c47b77b31a2b7c84dfe6195e371e6678e7153a116dd44c14e22eae50b16c", "type": "query", "version": 106 }, "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { - "min_stack_version": "8.3", "rule_name": "PowerShell Mailbox Collection Script", "sha256": 
"9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58", "type": "query", "version": 7 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { - "min_stack_version": "8.3", "rule_name": "Execution via local SxS Shared Module", "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525", "type": "eql", "version": 108 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { - "min_stack_version": "8.3", "rule_name": "Windows Registry File Creation in SMB Share", "sha256": "e99c94faaac0789d4c0eb4168bdc6ce7813ec01a2cecbf150147733d63850942", "type": "eql", @@ -6435,7 +4773,6 @@ "version": 100 }, "a52a9439-d52c-401c-be37-2785235c6547": { - "min_stack_version": "8.8", "rule_name": "Netcat Listener Established Inside A Container", "sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146", "type": "eql", 
@@ -6449,100 +4786,78 @@ "version": 2 }, "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { - "min_stack_version": "8.6", "rule_name": "Potential Reverse Shell via UDP", "sha256": "1576ee101633693a68c7a223bc0bf033bf243cde11d3831ca0ba638c6761c681", "type": "eql", "version": 6 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { - "min_stack_version": "8.3", "rule_name": "Potential SSH Brute Force Detected on Privileged Account", "sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22", "type": "eql", "version": 5 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS IAM Assume Role Policy Update", "sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df", "type": "query", "version": 209 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { - "min_stack_version": "8.3", "rule_name": "Azure Active Directory PowerShell Sign-in", "sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372", "type": "query", "version": 105 }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { - "min_stack_version": "8.5", "rule_name": "Threat Intel Windows Registry Indicator Match", "sha256": "498e400e2ab211c23df18b38f3485b255be2cf09808ae8221fc1f70ecfd680b6", "type": "threat_match", "version": 6 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { - "min_stack_version": "8.3", "rule_name": "Suspicious MS Office Child Process", "sha256": "255c381e83fba4080d9c7a3ab7f1997d7a8cb5d664c64a8cd19f0be970ca8ae4", "type": "eql", "version": 112 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { - "min_stack_version": "8.3", "rule_name": "Emond Rules Creation or Modification", "sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287", "type": "eql", "version": 107 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": 
{ - "min_stack_version": "8.9", "rule_name": "High Mean of RDP Session Duration", "sha256": "22baca917bf8d8852f30384b7d4813aa7a370126e0338be3886963d94f2e6b8a", "type": "machine_learning", "version": 3 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { - "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler SPL File Created", "sha256": "ee29d9d05c756fbec35c09510be9ed92564671e5159b5e4afe4d9c4ff65d31ef", "type": "eql", "version": 111 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { - "min_stack_version": "8.3", "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "09276f9e697db4a2e29daddbecd34ad8fae5dcd59a2a81e1f5ef2bcfe9c3ba02", "type": "eql", "version": 110 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { - "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: POST Request Declined", "sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88", "type": "query", "version": 102 }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { - "min_stack_version": "8.3", "rule_name": "Suspicious File Downloaded from Google Drive", "sha256": "3d43bb8629f6abf3044732ac8445f0e4aff8492b8f21845bf1d349e73ab15295", "type": "eql", "version": 3 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { - "min_stack_version": "8.9", "rule_name": "High Variance in RDP Session Duration", "sha256": "0c85e6c7047aef4143e8ed835f2d0fcafad301de7eb334082e04ff5a498e5539", "type": "machine_learning", 
@@ -6555,183 +4870,126 @@ "version": 100 }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "6414cc66c7c80d4240492b269f8c591d61734d2cec368c51642c367fcb0a0fda", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", "sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2", "type": "query", "version": 206 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Google Workspace Password Policy Modified", - "sha256": "6b7426c4610c0d99417b08152597279e42d5e7fb9b2a510913b106dddafe7abb", - "type": "query", - "version": 104 - } - }, "rule_name": "Google Workspace Password Policy Modified", "sha256": "de0ced40cd29bb489ca1a27d785bb3d66ba4d0711f5d8d42268c9f8cab7c7df9", "type": "query", "version": 205 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { - "min_stack_version": "8.3", "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "269e37223d35d504bd02023f1fc605e200979bbabb0ee082953950adaf35c4fd", "type": "eql", "version": 108 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { - "min_stack_version": "8.3", "rule_name": "IPSEC NAT Traversal Port Activity", "sha256": "8dcd8a517f60e962d4ebf18984358abb4a22823f7b32a4e918d1aa3645fa0fee", "type": "query", "version": 104 }, "aa8007f0-d1df-49ef-8520-407857594827": { - "min_stack_version": "8.3", "rule_name": "GCP IAM Custom Role Creation", "sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f", "type": "query", "version": 104 }, "aa895aea-b69c-4411-b110-8d7599634b30": { - "min_stack_version": "8.3", "rule_name": "System Log File Deletion", "sha256": "88dcf75e81a5a91c9684e0298310a93c5b5106d24091836c69728729c85e6246", "type": "eql", "version": 110 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": 
{ - "min_stack_version": "8.3", "rule_name": "Remotely Started Services via RPC", "sha256": "e72234fda58c725e6bbfb3c02d000a1276fc1ff4868a63532863b43b2780d3f8", "type": "eql", "version": 112 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { - "min_stack_version": "8.3", "rule_name": "Veeam Backup Library Loaded by Unusual Process", "sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3", "type": "eql", "version": 2 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { - "min_stack_version": "8.5", "rule_name": "Threat Intel Hash Indicator Match", "sha256": "fabef06c8a2e4298330aaf2e04e9c55737a516954c890d808e5d4a901aace9fe", "type": "threat_match", "version": 7 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { - "min_stack_version": "8.3", "rule_name": "Remote Execution via File Shares", "sha256": "8f4c528243e4b7fe54e84e7f66324d47f06fa299e52a0069c9f5d1cdea337050", "type": "eql", "version": 111 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "ac1ddf7a6cff4d90ca970314e03ccc69c8b2c416130ed735e10bbaf12458ff51", "type": "machine_learning", "version": 103 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { - "min_stack_version": "8.3", "rule_name": "Potential Persistence via Login Hook", "sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9", "type": "query", "version": 108 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { - "min_stack_version": "8.3", "rule_name": "Suspicious WerFault Child Process", "sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf", "type": "eql", "version": 112 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Unusual AWS Command for a User", - "sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Unusual AWS Command for 
a User", "sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49", "type": "machine_learning", "version": 208 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { - "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Server", "sha256": "be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9", "type": "eql", "version": 6 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { - "min_stack_version": "8.3", "rule_name": "Potential Invoke-Mimikatz PowerShell Script", "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21", "type": "query", "version": 108 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "sha256": "9977bfb82687f6ee557f2f9474b1cac3eb4b8c16af795908ef9b4a20ab600653", - "type": "query", - "version": 104 - } - }, "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", "sha256": "dff7c67640bd01423d897e090d914f6661f2ccbd00d363315a58d011cac71b65", "type": "query", "version": 205 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { - "min_stack_version": "8.3", "rule_name": "Potential Command and Control via Internet Explorer", "sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924", "type": "eql", "version": 106 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { - "min_stack_version": "8.3", "rule_name": "Potential macOS SSH Brute Force Detected", "sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9", "type": "threshold", "version": 108 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { - "min_stack_version": "8.3", "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a", "type": "eql", "version": 108 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { - "min_stack_version": "8.3", "rule_name": 
"Signed Proxy Execution via MS Work Folders", "sha256": "692d68785822926e449adf234c3a45035f0a8e73dd87386acac77931c9491543", "type": "eql", 
@@ -6744,121 +5002,96 @@ "version": 100 }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "e28b9f491eae0c8a606f9d315389ac4a117e5d30674f8e4f4e1d3be16bc8d9c4", - "type": "query", - "version": 104 - } - }, "rule_name": "Google Workspace Custom Admin Role Created", "sha256": "d1699c4738c1bd1387584e6a38c367c2f869b0045f7b6e2c635535f2dded6307", "type": "query", "version": 205 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { - "min_stack_version": "8.3", "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d", "type": "query", "version": 110 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { - "min_stack_version": "8.3", "rule_name": "Kerberos Cached Credentials Dumping", "sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6", "type": "query", "version": 106 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { - "min_stack_version": "8.3", "rule_name": "Suspicious APT Package Manager Execution", "sha256": "9cbc1daea47fb821c72c3e512bbb09b857e9a4b44454631dfe45b495c8adc9fa", "type": "eql", "version": 2 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { - "min_stack_version": "8.3", "rule_name": "File Transfer or Listener Established via Netcat", "sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584", "type": "eql", "version": 110 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { - "min_stack_version": "8.3", "rule_name": "Suspicious Communication App Child Process", "sha256": "da78216a16bc023bec70850e08c999466fb372bf4f11fd44445aaed67089a16c", "type": "eql", "version": 4 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { - "min_stack_version": "8.3", "rule_name": "Suspicious File Creation via Kworker", "sha256": "80da89056385e4d385d191289e923d9442a852f1c96b7aeb235b36a9e4a0ca35", "type": "eql", "version": 3 }, 
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184", "type": "eql", "version": 5 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { - "min_stack_version": "8.6", "rule_name": "Shared Object Created or Changed by Previously Unknown Process", "sha256": "d43a905984d229cdcd4e06eb6b7f44f165c335ebfb4840dde015f22b680c1f92", "type": "new_terms", "version": 7 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { - "min_stack_version": "8.3", "rule_name": "Unusual User Privilege Enumeration via id", "sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123", "type": "eql", "version": 4 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { - "min_stack_version": "8.3", "rule_name": "Local Scheduled Task Creation", "sha256": "5291c4a420b199ea0cda7c00ad93a5114d95d9fcd73a07e12060d164eb0601e6", "type": "eql", "version": 107 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { - "min_stack_version": "8.3", "rule_name": "Network Activity Detected via cat", "sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6", "type": "eql", "version": 6 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Container Misconfiguration", "sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19", "type": "eql", "version": 5 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { - "min_stack_version": "8.3", "rule_name": "Timestomping using Touch Command", "sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4", "type": "eql", "version": 106 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { - "min_stack_version": "8.3", "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", "sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f", "type": "query", "version": 106 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { - 
"min_stack_version": "8.3", "rule_name": "Netsh Helper DLL", "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9", "type": "eql", 
@@ -6878,95 +5111,66 @@ "version": 100 }, "b2318c71-5959-469a-a3ce-3a0768e63b9c": { - "min_stack_version": "8.3", "rule_name": "Potential Network Share Discovery", "sha256": "fda7288ed57e11d03d2af7b74755b704d96c32f3c69abe245de1378438bd144f", "type": "eql", "version": 3 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { - "min_stack_version": "8.3", "rule_name": "Spike in Network Traffic", "sha256": "36d61f7dbb342836f5db53ce1a06141cecfee9ba6d09cbb69983df79202257e6", "type": "machine_learning", "version": 103 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { - "min_stack_version": "8.3", "rule_name": "Remote File Copy via TeamViewer", "sha256": "f9c74dae522f96b99ef91c8690d3294d5bb57ed3568290e9c6c2b4877c99bbd4", "type": "eql", "version": 111 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": "0e2607bb68d167a217bd28be737c707eb6729cb8c449efd2f3c45064ba35fb07", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Unusual Volume of File Deletion", "sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf", "type": "query", "version": 206 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { - "min_stack_version": "8.3", "rule_name": "Network Connection via Compiled HTML File", "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b", "type": "eql", "version": 108 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Username", "sha256": "fe769843cd4082749444ae077951c9a8e2bfe4d74ba57fd091eacee470975016", "type": "machine_learning", "version": 103 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { - "min_stack_version": "8.3", "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "01e8d9f7974e3c66e2916edad7f04fe3fbd842ed064a7ac1067df9d6d61ecadf", "type": "eql", "version": 111 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { - 
"min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Built-in tools", "sha256": "204caab60a2c4641de7b31aaedca2147bb76d02c5e8bae82907f04607536563e", "type": "eql", "version": 7 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { - "min_stack_version": "8.3", "rule_name": "Potential Persistence via Atom Init Script Modification", "sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900", "type": "query", "version": 106 }, "b45ab1d2-712f-4f01-a751-df3826969807": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS STS GetSessionToken Abuse", "sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670", "type": "query", "version": 206 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { - "min_stack_version": "8.3", "rule_name": "At.exe Command Lateral Movement", "sha256": "041e17a0cd55085d79466cf06aaa8ca81ef2b30a9e42291395534ce27ba0062a", "type": "eql", @@ -6975,7 +5179,7 @@ "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04", 
@@ -6989,49 +5193,42 @@ "version": 206 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via OverlayFS", "sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93", "type": "eql", "version": 5 }, "b5877334-677f-4fb9-86d5-a9721274223b": { - "min_stack_version": "8.3", "rule_name": "Clearing Windows Console History", "sha256": "0d87128fdfdcb58febe6605148de68b8ab413e129191227eca12360248a76681", "type": "eql", "version": 111 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { - "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "sha256": "7a7554033f500cdd7964ffd328c581dfbdd9b26c040569d42581504a70e468d3", "type": "eql", "version": 111 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { - "min_stack_version": "8.3", "rule_name": "Elastic Agent Service Terminated", "sha256": "8abfc44bc5f8a00effd8c97c81a841dcc2cbe6cd3e2da51a5b277f96c2baf671", "type": "eql", "version": 106 }, "b64b183e-1a76-422d-9179-7b389513e74d": { - "min_stack_version": "8.3", "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "1e8be0b94b78d86bb0d30e6a4e6d28c81c9c5bdf2b9494ac9c0d7fb465491bae", "type": "eql", "version": 109 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { - "min_stack_version": "8.3", "rule_name": "Potential Veeam Credential Access Command", "sha256": "e589053c5a7013b3bb2c3d76d1617fcdda617b6aa8dbfa31adf5e34b95f095d2", "type": "eql", "version": 1 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { - "min_stack_version": "8.3", "rule_name": "Azure Event Hub Authorization Rule Created or Updated", "sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09", "type": "query", 
@@ -7040,7 +5237,7 @@ "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8", @@ -7054,7 +5251,6 @@ "version": 206 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { - "min_stack_version": "8.3", "rule_name": "Potential Buffer Overflow Attack Detected", "sha256": "3e26fdf6574102a4aa2b239c1e4420684c6f3527b1aca67cf62cc4b42858a6f4", "type": "threshold", @@ -7063,7 +5259,7 @@ "b8075894-0b62-46e5-977c-31275da34419": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3", 
@@ -7077,190 +5273,132 @@ "version": 205 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { - "min_stack_version": "8.3", "rule_name": "Linux System Information Discovery", "sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61", "type": "eql", "version": 3 }, "b8386923-b02c-4b94-986a-d223d9b01f88": { - "min_stack_version": "8.3", "rule_name": "PowerShell Invoke-NinjaCopy script", "sha256": "40c977b1f7dad3726a8f0c97749e00256994f75580fd498135538a04857e663d", "type": "query", "version": 5 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { - "min_stack_version": "8.3", "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93", "type": "eql", "version": 108 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { - "min_stack_version": "8.3", "rule_name": "Network Connection via MsXsl", "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266", "type": "eql", "version": 106 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { - "min_stack_version": "8.3", "rule_name": "Kirbi File Creation", "sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f", "type": "eql", "version": 5 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d", "type": "eql", "version": 109 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { - "min_stack_version": "8.3", "rule_name": "Chkconfig Service Add", "sha256": "762949859141699af6a491db1a4f5b059db590cbadd27aa2267653760c23d23d", "type": "eql", "version": 111 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { - "min_stack_version": "8.3", "rule_name": "Discovery of Domain Groups", "sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677", "type": "eql", "version": 2 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { - "min_stack_version": "8.3", 
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", "sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c", "type": "threshold", "version": 4 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { - "min_stack_version": "8.3", "rule_name": "Group Policy Abuse for Privilege Addition", "sha256": "7e1d07811eee139eca2af001c453e529a605e642fafc1cadfeac9817862c3f0c", "type": "query", "version": 109 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { - "min_stack_version": "8.3", "rule_name": "Creation of Hidden Files and Directories via CommandLine", "sha256": "bbdba9f735a270571a5a0f1df636cdd573417d76ebf91c3ee006046ae88f685d", "type": "eql", "version": 110 }, "b9960fef-82c6-4816-befa-44745030e917": { - "min_stack_version": "8.3", "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "6cf76bf28c6818bd0c1e9cacc68a44909ca3c50f197b96e96bd34ffd2f935ec8", "type": "eql", "version": 109 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows Network Activity", "sha256": "061e957d07cb102889f0ff1a1f4fa80b4f22eeefc5aad74fd2544ccf0852d5ad", "type": "machine_learning", "version": 103 }, "ba81c182-4287-489d-af4d-8ae834b06040": { - "min_stack_version": "8.3", "rule_name": "Kernel Driver Load by non-root User", "sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844", "type": "eql", "version": 3 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { - "min_stack_version": "8.3", "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671", "type": "eql", "version": 109 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { - "min_stack_version": "8.3", "rule_name": "Azure Resource Group Deletion", "sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576", "type": "query", "version": 102 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { - "min_stack_version": "8.9", - "previous": { - "8.3": { 
- "max_allowable_version": 204, - "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EC2 Encryption Disabled", "sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834", "type": "query", "version": 206 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "OneDrive Malware File Upload", - "sha256": "4f273dae13ee4bb9564a60c6771439fc10cd7f3357de2aa65839ff10d4cde814", - "type": "query", - "version": 106 - } - }, "rule_name": "OneDrive Malware File Upload", "sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa", "type": "query", "version": 206 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { - "min_stack_version": "8.3", "rule_name": "Potential SYN-Based Network Scan Detected", "sha256": "8413e204b3d4d4145ea9cfe859daf5ecaf39fd776bf87f7090a82205de0b5b52", "type": "threshold", "version": 5 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "f4f0da241f45040111a47879928011d3b90da922010348154b5cb1c44d2f24ee", - "type": "query", - "version": 107 - } - }, "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", "sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3", "type": "query", "version": 207 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS Root Login Without MFA", - "sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS Root Login Without MFA", "sha256": 
"82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157", "type": "query", "version": 209 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { - "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Deletion", "sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d", "type": "query", 
@@ -7274,223 +5412,168 @@ "version": 2 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { - "min_stack_version": "8.3", "rule_name": "Attempt to Install Root Certificate", "sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972", "type": "query", "version": 106 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { - "min_stack_version": "8.3", "rule_name": "Azure Conditional Access Policy Modified", "sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c", "type": "query", "version": 102 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { - "min_stack_version": "8.3", "rule_name": "Potential Non-Standard Port SSH connection", "sha256": "68365d0090a647d05f3396ace9d86f2c79f607bef610741ce9c4240ccfa0de26", "type": "eql", "version": 5 }, "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { - "min_stack_version": "8.3", "rule_name": "File and Directory Permissions Modification", "sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139", "type": "eql", "version": 2 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { - "min_stack_version": "8.3", "rule_name": "GCP Service Account Disabled", "sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace", "type": "query", "version": 104 }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { - "min_stack_version": "8.9", "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "sha256": "37e01c0b463876a5acee70bb565d205c8a2e8c5a7b3d99a24e16939f97360a9f", "type": "query", "version": 3 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { - "min_stack_version": "8.3", "rule_name": "PowerShell Keylogging Script", "sha256": "92008de004bfec5733b4d1f7cd48ddbe75ac79f7f3c92d54d71bd7f5447d260d", "type": "query", "version": 112 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { - "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via CMSTP.exe", "sha256": "f9a5163bfb60ec1ac26ac681518a193a85b03a87dac342a3579a7b2ae3628e0b", "type": "eql", "version": 2 }, 
"bd7eefee-f671-494e-98df-f01daf9e5f17": { - "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "6214fb2abc887c66d7d514ccfc914faf98cb9befe4cb35f2f58a0e300787eb5c", "type": "eql", "version": 106 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { - "min_stack_version": "8.3", "rule_name": "Potential Pspy Process Monitoring Detected", "sha256": "3ebba1b3c0653e611e5c1abc4e917c868371220b6fb55954eafa7a8d7c6cf5fe", "type": "eql", "version": 7 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { - "min_stack_version": "8.3", "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", "sha256": "c437d0e4938701b867702b775bb69d57f44e45a03be5d63d90f0dcde14ccbf39", "type": "eql", "version": 108 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { - "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", "sha256": "84baf4890842c179a0724a3835388a16dedfe1046dfd94a9b617aa56b37a7a2f", "type": "machine_learning", "version": 4 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { - "min_stack_version": "8.9", "rule_name": "Unusual Remote File Directory", "sha256": "f6b1ce1e97f8a9dd95bb99809d5d9a7bab6a0922fb0861afadc24970477e3b3f", "type": "machine_learning", "version": 3 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { - "min_stack_version": "8.3", "rule_name": "Searching for Saved Credentials via VaultCmd", "sha256": "a22b02dc207eed11a68b3bf9569d0f06d0bfcc3b14a71b32fc505ee86b53aed4", "type": "eql", "version": 109 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Snapshot Restored", - "sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Snapshot Restored", "sha256": "867302d2c993c7e6bb06acb3bb9784e8de51117e6d0fdd1a5a8e040e24fab59f", "type": "query", "version": 206 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { - 
"min_stack_version": "8.3", "rule_name": "System Owner/User Discovery Linux", "sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df", "type": "eql", "version": 3 }, "bfba5158-1fd6-4937-a205-77d96213b341": { - "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", "sha256": "385716bc0770d6b023580d5b0a92a34581e351560a3bd43bd4ce2b3b01ef84c1", "type": "machine_learning", "version": 3 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { - "min_stack_version": "8.3", "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "sha256": "630b95897e137de2d3ff315926d388d39ed6ad5c19948a8fe0cb4c564d32b99e", "type": "eql", "version": 111 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { - "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", "sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579", "type": "eql", "version": 107 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { - "min_stack_version": "8.3", "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "8020f015d723e31af612bbc7e570f0f7a2bf57c3cc13447eb5bccd3e39385ca8", "type": "eql", "version": 109 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { - "min_stack_version": "8.3", "rule_name": "Memory Dump File with Unusual Extension", "sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c", "type": "eql", "version": 2 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { - "min_stack_version": "8.3", "rule_name": "Credential Manipulation - Detected - Elastic Endgame", "sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3", "type": "query", "version": 103 }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { - "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI index.html File", "sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa", "type": "eql", "version": 6 }, 
"c1812764-0788-470f-8e74-eb4a14d47573": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EC2 Full Network Packet Capture Detected", "sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63", "type": "query", "version": 206 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 100, - "rule_name": "Unsigned DLL Loaded by a Trusted Process", - "sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878", - "type": "eql", - "version": 1 - } - }, "rule_name": "Unsigned DLL Loaded by a Trusted Process", "sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43", "type": "eql", "version": 102 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { - "min_stack_version": "8.3", "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": "03334e1d43f8d53c06b92628435b5af954f2211ff41ff4ed7467bf8a8065cdef", "type": "eql", "version": 110 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Connection Discovery", "sha256": "197e0ebe16417250c895c6ab8ef0894bdebdd8535da44dc8426106a4eb63b02d", "type": "machine_learning", "version": 103 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { - "min_stack_version": "8.3", "rule_name": "Persistence via Folder Action Script", "sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa", "type": "eql", 
@@ -7504,112 +5587,96 @@ "version": 2 }, "c2d90150-0133-451c-a783-533e736c12d7": { - "min_stack_version": "8.3", "rule_name": "Mshta Making Network Connections", "sha256": "7b3bec275d247d0cc1c4772be5f41fcfca282df6146f830777ed87b4c663f7e5", "type": "eql", "version": 107 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { - "min_stack_version": "8.3", "rule_name": "Permission Theft - Detected - Elastic Endgame", "sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5", "type": "query", "version": 103 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { - "min_stack_version": "8.3", "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156", "type": "eql", "version": 107 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { - "min_stack_version": "8.3", "rule_name": "Potential JAVA/JNDI Exploitation Attempt", "sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8", "type": "eql", "version": 104 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { - "min_stack_version": "8.3", "rule_name": "Mounting Hidden or WebDav Remote Shares", "sha256": "a814b9dc474566b81d9b80f83a1fbb21d506490be5d1a791c6a040402576193e", "type": "eql", "version": 109 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { - "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler File Deletion", "sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff", "type": "eql", "version": 107 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { - "min_stack_version": "8.3", "rule_name": "Windows System Network Connections Discovery", "sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4", "type": "eql", "version": 4 }, "c55badd3-3e61-4292-836f-56209dc8a601": { - "min_stack_version": "8.3", "rule_name": "Attempted Private Key Access", "sha256": "92447cf8bb6de4a626ecd420b9c64922484cb49f216d13292e833c1abdb4786c", "type": "eql", "version": 3 }, "c5677997-f75b-4cda-b830-a75920514096": { - 
"min_stack_version": "8.3", "rule_name": "Service Path Modification via sc.exe", "sha256": "6d70ac346b080bca5ad2083c56ff66bd01f63204483b047353855e7898b39862", "type": "eql", "version": 3 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { - "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Shadowing Activity", "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a", "type": "eql", "version": 109 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { - "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Network Deletion", "sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276", "type": "query", "version": 104 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { - "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f", "type": "eql", "version": 108 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { - "min_stack_version": "8.3", "rule_name": "Installation of Custom Shim Databases", "sha256": "7ea702b1b6d7a8309d8d11e16505cb9ca2a3b1c906e7aeadacdefea24d0397b6", "type": "eql", "version": 108 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { - "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "a8e1a000f912f5f42f3894fdca0458d10666994f165781a4fbd5db031f5a6712", "type": "eql", "version": 110 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { - "min_stack_version": "8.3", "rule_name": "CyberArk Privileged Access Security Recommended Monitor", "sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f", "type": "query", "version": 102 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { - "min_stack_version": "8.3", "rule_name": "Remote File Download via MpCmdRun", "sha256": "3338fefccfc7c7d86404c1a054f09f2b43fdbeadba93b27dcfe7c04d6994303f", "type": "eql", 
@@ -7624,7 +5691,7 @@ "c749e367-a069-4a73-b1f2-43a3798153ad": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a", @@ -7640,7 +5707,7 @@ "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Attempt to Modify an Okta Application", "sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0", 
@@ -7654,65 +5721,48 @@ "version": 205 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { - "min_stack_version": "8.3", "rule_name": "Unusual Network Connection via DllHost", "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6", "type": "eql", "version": 107 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 199, - "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "e431240326e0ddb66017b695a15db0269ad7b4e5bde7cf37b10f01159fb9da19", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Privileged Pod Created", "sha256": "276c33d57b4e3046ff3bf3eab838110627d9f8d9214a01036a62561084c6073a", "type": "query", "version": 203 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { - "min_stack_version": "8.3", "rule_name": "Unusual File Modification by dns.exe", "sha256": "b865aba340d622e5f6840586849e814be1e565d1c59e1fcba5509683315c91cf", "type": "eql", "version": 110 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { - "min_stack_version": "8.3", "rule_name": "Spike in Network Traffic To a Country", "sha256": "93087ad72f05b99dd3bc9858cd5edfd5ed9d21a4afa6e01d0d798e78b4e9ab61", "type": "machine_learning", "version": 104 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { - "min_stack_version": "8.3", "rule_name": "Persistence via Docker Shortcut Modification", "sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37", "type": "query", "version": 107 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { - "min_stack_version": "8.3", "rule_name": "SMB (Windows File Sharing) Activity to the Internet", "sha256": "6420c0fe2bee67b51779e539f2cfe3b480539c36abf148d1d69db79d6f2e8f67", "type": "query", "version": 103 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { - "min_stack_version": "8.3", "rule_name": "Direct Outbound SMB Connection", "sha256": "a30cf230b1215a2e0fd884167dfbb8fd92e5b63fa7a5cb2c9e9a8a306316de4d", "type": "eql", "version": 110 }, 
"c85eb82c-d2c8-485c-a36f-534f914b7663": { - "min_stack_version": "8.3", "rule_name": "Virtual Machine Fingerprinting via Grep", "sha256": "a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827", "type": "eql", 
@@ -7725,65 +5775,48 @@ "version": 100 }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { - "min_stack_version": "8.3", "rule_name": "Parent Process PID Spoofing", "sha256": "43c26bdd413e7e6c52b50b9c579663b2ab48285b83a1f794fd636727baf21733", "type": "eql", "version": 106 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Ransomware Note Creation Detected", "sha256": "a6ee22bb7fef22f21c9792186337bc557bd1aaba670d4de8d077fd7892d46ad2", "type": "eql", "version": 8 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { - "min_stack_version": "8.3", "rule_name": "Suspicious Startup Shell Folder Modification", "sha256": "a3f4ddc31c6570250920dc60269e68ec6344884c88aba870fb9998c5c1fb5319", "type": "eql", "version": 110 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { - "min_stack_version": "8.3", "rule_name": "Disabling Windows Defender Security Settings via PowerShell", "sha256": "2326092f64de27cbf684cdd4130d6f8695d0a42277b02fff7ebcc62350e56411", "type": "eql", "version": 110 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { - "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Communication Apps", "sha256": "b8c86e533a37c36a2eaef8f1d48ca8aa5a24b6665dc2328de3b3cc5eb1d2ad51", "type": "eql", "version": 5 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { - "min_stack_version": "8.3", "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", "sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3", "type": "query", "version": 103 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "fdddb91dc8eaf01e3cca5626ab5e3b2c4ef51e15a8544385057399574b3d9b3b", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82", 
"type": "query", "version": 206 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { - "min_stack_version": "8.4", "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", "sha256": "6b71d73f704e96ab028ab9aa5fef9a3b487e35fe5cc322c1a118c9102720af9a", "type": "eql", @@ -7796,39 +5829,18 @@ "version": 100 }, "cac91072-d165-11ec-a764-f661ea17fbce": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "6ab73acfdcd8636a87c0fd8b1342d5e96de8cbd74ed0e4f4dbb689c32a3cbffa", - "type": "eql", - "version": 108 - } - }, "rule_name": "Abnormal Process ID or Lock File Created", "sha256": "b4f2c9fe5dcc43eb113d00600fc6a7ca5091c0957af96c084ee2d9a790aa3a2a", "type": "new_terms", "version": 213 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "a8e10bb292478990aa0c82694fcd3621b81383a8058b87a25449238641d59e3b", - "type": "query", - "version": 107 - } - }, "rule_name": "Google Workspace MFA Enforcement Disabled", "sha256": "8a1f92b90737453373b48d24dd4dfd6e29615794a9ccaf5df7ba1a0ecf5d5e2a", "type": "query", "version": 207 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { - "min_stack_version": "8.3", "rule_name": "Suspicious Calendar File Modification", "sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da", "type": "query", @@ -7841,7 +5853,6 @@ "version": 100 }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { - "min_stack_version": "8.3", "rule_name": "Attempt to Enable the Root Account", "sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d", "type": "query", 
@@ -7855,30 +5866,18 @@ "version": 2 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { - "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", "sha256": "fe1015d6d9d15270cdedd676b577c3057d2552db4ce585e3c82437e7999cc037", "type": "machine_learning", "version": 3 }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 103, - "rule_name": "Google Workspace User Organizational Unit Changed", - "sha256": "50eab7a58d52dc1eb0e8d8af2d5ca140762dfdf60970d1e7d5fcbf80aff362f4", - "type": "query", - "version": 5 - } - }, "rule_name": "Google Workspace User Organizational Unit Changed", "sha256": "98638b8378e232c3d8a54f3b4ec12fa3eae908ba56a658c7557b22c25766b823", "type": "query", "version": 106 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { - "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Subscription Deletion", "sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408", "type": "query", @@ -7887,7 +5886,7 @@ "cc92c835-da92-45c9-9f29-b4992ad621a0": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999", @@ -7901,7 +5900,6 @@ "version": 207 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { - "min_stack_version": "8.3", "rule_name": "Potential Process Herpaderping Attempt", "sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2", "type": "eql", @@ -7910,7 +5908,7 @@ "cd16fb10-0261-46e8-9932-a0336278cdbe": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6", 
@@ -7930,21 +5928,18 @@ "version": 100 }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { - "min_stack_version": "8.3", "rule_name": "Anomalous Linux Compiler Activity", "sha256": "ac7fe1661692762ebf3969e3980d674808ea8cf32e188619fd6e08de268af793", "type": "machine_learning", "version": 103 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { - "min_stack_version": "8.3", "rule_name": "Kernel Module Removal", "sha256": "8e7fd75b780b1265825a7a783ea3000b983acf3ce3100a49edb797139b01e31f", "type": "eql", "version": 109 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { - "min_stack_version": "8.3", "rule_name": "Downloaded URL Files", "sha256": "1a31489f793c58d433963910d8327747a3e7824bf11685358836a38183e8aca0", "type": "eql", @@ -7953,7 +5948,7 @@ "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate MFA for an Okta User Account", "sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7", @@ -7969,7 +5964,7 @@ "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Okta User Session Impersonation", "sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5", @@ -7985,7 +5980,7 @@ "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 110, "rule_name": "Potential PowerShell HackTool Script by Function Names", "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa", 
@@ -7999,107 +5994,84 @@ "version": 111 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { - "min_stack_version": "8.8", "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca", "type": "new_terms", "version": 1 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { - "min_stack_version": "8.3", "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "38c701cbddca58faa29370862beddbbc9839ee8f8ef4985c006e2f03acecfdb7", "type": "eql", "version": 109 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { - "min_stack_version": "8.3", "rule_name": "Cobalt Strike Command and Control Beacon", "sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967", "type": "query", "version": 105 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "c773965d1c83361d3745d38a93d9ac9380056a79a5f3d4ebff542d94a9a369ce", - "type": "query", - "version": 104 - } - }, "rule_name": "Domain Added to Google Workspace Trusted Domains", "sha256": "15e692b56a4792a0434440ea85ef264cbfb31e1ebd9bdc618a03987f928a53a1", "type": "query", "version": 205 }, "cf575427-0839-4c69-a9e6-99fde02606f3": { - "min_stack_version": "8.6", "rule_name": "Unusual Discovery Activity by User", "sha256": "2dec950ffa14b4863a879f391b045196709a774f032c8bc35d8f61ba20e2bfff", "type": "new_terms", "version": 1 }, "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { - "min_stack_version": "8.3", "rule_name": "Trap Signals Execution", "sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4", "type": "eql", "version": 2 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { - "min_stack_version": "8.3", "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "1e5d776df1e502f5d444b1a1e6cdcfc3de4ad784a603e7e0f23aaed9eae2f766", "type": "eql", 
"version": 112 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { - "min_stack_version": "8.3", "rule_name": "Archive File with Unusual Extension", "sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3", "type": "eql", "version": 2 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { - "min_stack_version": "8.3", "rule_name": "Namespace Manipulation Using Unshare", "sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e", "type": "eql", "version": 9 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { - "min_stack_version": "8.8", "rule_name": "AWS Credentials Searched For Inside A Container", "sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e", "type": "eql", "version": 1 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { - "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppInit DLL", "sha256": "4ec85ed3f6241a6015c998b91cdbbcf438629be2a40cdbfce1a173ebabd7c292", "type": "eql", "version": 110 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { - "min_stack_version": "8.3", "rule_name": "Symbolic Link to Shadow Copy Created", "sha256": "c8d1d7cc4181248cc8906dbc6d37aa62c162ed9bde92f7b4daf42b912e451197", "type": "eql", "version": 111 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { - "min_stack_version": "8.3", "rule_name": "Expired or Revoked Driver Loaded", "sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2", "type": "eql", "version": 5 }, "d197478e-39f0-4347-a22f-ba654718b148": { - "min_stack_version": "8.3", "rule_name": "Compression DLL Loaded by Unusual Process", "sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce", "type": "eql", 
@@ -8112,42 +6084,36 @@ "version": 100 }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { - "min_stack_version": "8.3", "rule_name": "Potential Microsoft Office Sandbox Evasion", "sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2", "type": "query", "version": 106 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { - "min_stack_version": "8.3", "rule_name": "Disabling User Account Control via Registry Modification", "sha256": "603191c9e9fe22a6f972c18bfb548360ab4f4b1378a58e8a4a24479548e8b1d0", "type": "eql", "version": 110 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { - "min_stack_version": "8.3", "rule_name": "Clearing Windows Event Logs", "sha256": "1c0780a844be282bd8fdfb0d608fa65473ba2d01d1a5be9e50e2e08039542576", "type": "eql", "version": 112 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { - "min_stack_version": "8.3", "rule_name": "Remote Windows Service Installed", "sha256": "63102ba4aec4aaab713fffceebe688d706bb41cdf8bcf23d4055467011cb9fb9", "type": "eql", "version": 6 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { - "min_stack_version": "8.3", "rule_name": "WMI WBEMTEST Utility Execution", "sha256": "76b2081709ea9b401fc695d779a14dfa839fbd99eb19c8510b2ea6c5f7e7b4f4", "type": "eql", "version": 2 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { - "min_stack_version": "8.3", "rule_name": "Shell Execution via Apple Scripting", "sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd", "type": "eql", @@ -8156,7 +6122,7 @@ "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Attempt to Delete an Okta Application", "sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7", 
@@ -8170,35 +6136,30 @@ "version": 205 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { - "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", "sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7", "type": "query", "version": 102 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux System Information Discovery Activity", "sha256": "1823af90ab9f82af85f6752bb44ce24df6e0ef1e0722d477f91a55675de28c8f", "type": "machine_learning", "version": 103 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { - "min_stack_version": "8.3", "rule_name": "Unusual Source IP for a User to Logon from", "sha256": "b9964a7773745de7f347665b66883623fc60d4e0e4a004d0b7e3b5cd79694041", "type": "machine_learning", "version": 103 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { - "min_stack_version": "8.3", "rule_name": "Linux init (PID 1) Secret Dump via GDB", "sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06", "type": "eql", "version": 6 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { - "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", "sha256": "4408eb01f3714ecf0f5cee312dafd363a2fbbc4a368846ab78b257fdcfef9924", "type": "eql", @@ -8212,7 +6173,6 @@ "version": 3 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { - "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Windir Environment Variable", "sha256": "42e3e1682134a7ed8c26d9a5ce2bcf4830d6a7af85268a0d2455a75e23119f6c", "type": "eql", @@ -8221,7 +6181,7 @@ "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6", 
@@ -8235,30 +6195,18 @@ "version": 206 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { - "min_stack_version": "8.3", "rule_name": "Service Command Lateral Movement", "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42", "type": "eql", "version": 107 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudWatch Log Stream Deletion", "sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578", "type": "query", "version": 209 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { - "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Subscription Creation", "sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4", "type": "query", 
@@ -8271,155 +6219,102 @@ "version": 100 }, "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { - "min_stack_version": "8.3", "rule_name": "System Information Discovery via Windows Command Shell", "sha256": "e564b576c629a29ec8088864b78c7c81c8d46453cc5e038a33fdd24d4a3a2641", "type": "eql", "version": 10 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "3fa1ccf28083380bbb7d71135b1b5ab0753f90d5fde3ecdeda2cb4ffc6ae81aa", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91", "type": "query", "version": 206 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { - "min_stack_version": "8.3", "rule_name": "Modification of WDigest Security Provider", "sha256": "c7b2137213e37ccba915d2c30fa260188c065d8e939c56b72e4fd1f4001d72df", "type": "eql", "version": 109 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { - "min_stack_version": "8.3", "rule_name": "Command Execution via SolarWinds Process", "sha256": "84b33e85f61fe174e8ec6980e6480028773e96980d267505f090cfa2d2460192", "type": "eql", "version": 111 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "4a8ffe50aa43eaf2654ac6a51517203a86c2951828434a1cb60bb435707c5a6b", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d", "type": "query", "version": 206 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { - "min_stack_version": "8.3", "rule_name": "Suspicious Memory grep Activity", "sha256": "b142483255de74b46aa32d1dd3a28f2821bb97997be6bae899e84c0d30fa9165", "type": 
"eql", "version": 2 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { - "min_stack_version": "8.7", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "SystemKey Access via Command Line", - "sha256": "48b8b3a40209f6422060e3de267b79054f2ad0313fc42c4cef21decadf490f4d", - "type": "query", - "version": 106 - } - }, "rule_name": "SystemKey Access via Command Line", "sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091", "type": "query", "version": 206 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { - "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Python", "sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541", "type": "eql", "version": 110 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { - "min_stack_version": "8.3", "rule_name": "Azure Blob Permissions Modification", "sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f", "type": "query", "version": 103 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { - "min_stack_version": "8.3", "rule_name": "Spike in Logon Events", "sha256": "d252490036f46e2d8c44e6c0aec56feb27ef9539cd83c5430534df5a0189a203", "type": "machine_learning", "version": 103 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { - "min_stack_version": "8.3", "rule_name": "SMTP on Port 26/TCP", "sha256": "8bf03857acd5416922cae6018a42266418009a83c60f4fa6388d0ac603af5f0b", "type": "query", "version": 104 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { - "min_stack_version": "8.3", "rule_name": "Untrusted Driver Loaded", "sha256": "9b90c86424390fccfc1959785af10eeade5e654612545617582dca1058cb17b8", "type": "eql", "version": 8 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS IAM Deactivation of MFA 
Device", "sha256": "e70bcba5f981ab9bc5d058baf0631ea65c4172e55502ae1f6b6fceeca1035906", "type": "query", "version": 209 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { - "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "32bc4e3bb16d80971b9c8bb068a743e7041477c34017d3fd5a9f1f42ca4873b1", "type": "eql", "version": 111 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { - "min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Registry", "sha256": "9ebf3042fc83b25b6a39a0cc87927cefb341ebb08bcce8749b4e07166ba98d0d", "type": "eql", "version": 9 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { - "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "sha256": "6ede570261a72bdcdf1e10f2f1fa1f9d331da8df7293f982df1b311120e88083", "type": "query", "version": 3 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { - "min_stack_version": "8.3", "rule_name": "Suspicious Service was Installed in the System", "sha256": "21882fe93edaef610a0b27aef9155e98576d28411bb1deb9914a0163f9f81694", "type": "eql", 
@@ -8432,42 +6327,36 @@ "version": 100 }, "daafdf96-e7b1-4f14-b494-27e0d24b11f6": { - "min_stack_version": "8.4", "rule_name": "Potential Pass-the-Hash (PtH) Attempt", "sha256": "fb420a72b427d67311f02098a93854b2a6bd5c733b6cbca4275ee920329b9b9e", "type": "new_terms", "version": 3 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { - "min_stack_version": "8.3", "rule_name": "Multi-Factor Authentication Disabled for an Azure User", "sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee", "type": "query", "version": 105 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { - "min_stack_version": "8.3", "rule_name": "Network-Level Authentication (NLA) Disabled", "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474", "type": "eql", "version": 3 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { - "min_stack_version": "8.3", "rule_name": "Execution via Windows Subsystem for Linux", "sha256": "3bcb0230882be5c94ef22fde8ca625bfde5e40e20e1e545cf8a0f68d01c7e8f3", "type": "eql", "version": 6 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { - "min_stack_version": "8.3", "rule_name": "Credential Dumping - Prevented - Elastic Endgame", "sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65", "type": "query", "version": 103 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { - "min_stack_version": "8.3", "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", "sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0", "type": "eql", 
@@ -8480,132 +6369,90 @@ "version": 100 }, "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { - "min_stack_version": "8.3", "rule_name": "Potential Hidden Process via Mount Hidepid", "sha256": "abccbf694da0eb306df7f606501df6d3e19475e12fbcd106342e187528d0ecf7", "type": "eql", "version": 8 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { - "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via WMIC", "sha256": "2d9e1771d9606f5f38126860db0e8757d223c30ae4a1b3b93d60ac17b0127a99", "type": "eql", "version": 110 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "Unusual Country For an AWS Command", - "sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946", - "type": "machine_learning", - "version": 108 - } - }, "rule_name": "Unusual Country For an AWS Command", "sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561", "type": "machine_learning", "version": 208 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { - "min_stack_version": "8.3", "rule_name": "Suspicious Execution from INET Cache", "sha256": "6b58cc9b14a7fac5ea7f584782e3f3c7161f78158b1ce3fe3c33928ebba3d84d", "type": "eql", "version": 2 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { - "min_stack_version": "8.3", "rule_name": "Attempt to Install Kali Linux via WSL", "sha256": "51ebf76d12a58d9db10b3a9d16c79ee0ae0672fa77f9fd0682b3796a7520351a", "type": "eql", "version": 7 }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { - "min_stack_version": "8.3", "rule_name": "Reverse Shell Created via Named Pipe", "sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c", "type": "eql", "version": 6 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { - "min_stack_version": "8.3", "rule_name": "NullSessionPipe Registry Modification", "sha256": "6c3d142ca53ffc037b333b4699eb891e35c11d1ca95aa3ae6347fb173bc33735", "type": "eql", "version": 108 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { - 
"min_stack_version": "8.3", "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "0a0a64ff02f4040cf251994361f673fa3c6618edb6d38387c8adf5f5749f4b5a", "type": "eql", "version": 110 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { - "min_stack_version": "8.3", "rule_name": "Base16 or Base32 Encoding/Decoding Activity", "sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977", "type": "eql", "version": 110 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 101, - "rule_name": "Query Registry using Built-in Tools", - "sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd", - "type": "eql", - "version": 2 - } - }, "rule_name": "Query Registry using Built-in Tools", "sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd", "type": "new_terms", "version": 105 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { - "min_stack_version": "8.6", "rule_name": "First Time Seen Driver Loaded", "sha256": "7e66246ea00c9698fbfa57311793c02739cbad96d59bd88bbda9dbc752e4ac58", "type": "new_terms", "version": 7 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { - "min_stack_version": "8.3", "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "d7b5f6ca8779a491a009ef24fa38c89815905e818546c5671f5dc05bd505e3ce", "type": "machine_learning", "version": 103 }, "df26fd74-1baa-4479-b42e-48da84642330": { - "min_stack_version": "8.3", "rule_name": "Azure Automation Account Created", "sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669", "type": "query", "version": 102 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { - "min_stack_version": "8.3", "rule_name": "Dynamic Linker Copy", "sha256": "abf419807a9782b1ea278f1682ee0d5be74e340e248aa42cb3303c3a41892725", "type": "eql", "version": 108 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 
199, - "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "8504c3a7241f7cfb70d23f3d06e6f6c5191c15f0ac37578efdc476c6230b04a6", - "type": "query", - "version": 101 - } - }, "rule_name": "Kubernetes Pod Created With HostPID", "sha256": "b912b62e03d307861dc557cdbfc8fe17d54f7b8a394fee4ec9e46e4539393622", "type": "query", @@ -8618,35 +6465,30 @@ "version": 100 }, "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { - "min_stack_version": "8.3", "rule_name": "Potential privilege escalation via CVE-2022-38028", "sha256": "6c482e61313171b3dc7b0d4085b1103871e12cb403c6fa1d2048781f9e805253", "type": "eql", "version": 1 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { - "min_stack_version": "8.3", "rule_name": "Delayed Execution via Ping", "sha256": "c6fa799b2b134a4e7c34302b0b8f543c54dd38aaba6bfa93b1933a3374e41c71", "type": "eql", "version": 2 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { - "min_stack_version": "8.3", "rule_name": "Azure Firewall Policy Deletion", "sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0", "type": "query", "version": 102 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { - "min_stack_version": "8.3", "rule_name": "KRBTGT Delegation Backdoor", "sha256": "13d64c92f3533756a0657f2f8db2a099ab8cf25d1b5d1722dc5b880ec815bf34", "type": "query", "version": 107 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { - "min_stack_version": "8.3", "rule_name": "System Service Discovery through built-in Windows Utilities", "sha256": "c1e96e42705eb2de534b4ce6fa40b16c522e2bb6f8f8a0f0ff6ea140ff22680b", "type": "eql", @@ -8655,7 +6497,7 @@ "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "8e33c2c08ab3335a16db298608f1b8b793646a2abf1362acb2c0f316433293d0", 
@@ -8669,81 +6511,54 @@ "version": 208 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { - "min_stack_version": "8.3", "rule_name": "Potentially Suspicious Process Started via tmux or screen", "sha256": "da9fb3e751cf2aca3b76ff6969e48fb1e4f477f4832888b32a57290109f5982a", "type": "eql", "version": 4 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { - "min_stack_version": "7.16", "rule_name": "Whitespace Padding in Process Command Line", "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", "type": "eql", "version": 100 }, "e0f36de1-0342-453d-95a9-a068b257b053": { - "min_stack_version": "8.3", "rule_name": "Azure Event Hub Deletion", "sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7", "type": "query", "version": 102 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Route Table Created", - "sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Route Table Created", "sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5", "type": "query", "version": 207 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Cluster Creation", - "sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Cluster Creation", "sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6", "type": "query", "version": 206 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { - "min_stack_version": "8.3", "rule_name": "Connection to External Network via Telnet", "sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5", "type": "eql", "version": 107 }, "e1db8899-97c1-4851-8993-3a3265353601": { - "min_stack_version": "8.9", "rule_name": 
"Potential Data Exfiltration Activity to an Unusual ISO Code", "sha256": "2dfa5553eab948bb3ad46437fda2847c3d2d98e63aa80c10f1b8a179eb44b650", "type": "machine_learning", "version": 3 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { - "min_stack_version": "8.3", "rule_name": "Suspicious Mining Process Creation Event", "sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9", "type": "eql", "version": 6 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { - "min_stack_version": "8.3", "rule_name": "Spike in Successful Logon Events from a Source IP", "sha256": "433470a845fb7c68a2d975d0c852935ae2f613397f228fcbc0508dab28be90ff", "type": "machine_learning", @@ -8752,7 +6567,7 @@ "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.12", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 211, "rule_name": "Suspicious .NET Reflection via PowerShell", "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9", 
@@ -8773,95 +6588,66 @@ "version": 2 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS Management Console Root Login", - "sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS Management Console Root Login", "sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd", "type": "query", "version": 209 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { - "min_stack_version": "8.3", "rule_name": "System Network Connections Discovery", "sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1", "type": "eql", "version": 3 }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { - "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", "sha256": "3e63bc85075d9b743e6bf54268defc21c112e95ddb806edfb8a78a3ab78903bc", "type": "eql", "version": 7 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { - "min_stack_version": "8.3", "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", "sha256": "bee7840c66166d2669fe2c9007db541d327d9ea4a3fdfda0b9c233e216e4a37d", "type": "eql", "version": 111 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { - "min_stack_version": "8.3", "rule_name": "GCP IAM Role Deletion", "sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe", "type": "query", "version": 104 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { - "min_stack_version": "8.3", "rule_name": "Process Activity via Compiled HTML File", "sha256": "6cef2e899c6b4e9645a167a889392bdc93d93b0cdbefafa881495069c49f284e", "type": "eql", "version": 110 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12", - 
"type": "query", - "version": 105 - } - }, "rule_name": "AWS Route53 private hosted zone associated with a VPC", "sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525", "type": "query", "version": 206 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { - "min_stack_version": "8.3", "rule_name": "Ransomware - Prevented - Elastic Endgame", "sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462", "type": "query", "version": 103 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { - "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e", "type": "eql", "version": 107 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { - "min_stack_version": "8.3", "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", "sha256": "20a809b0c9d105e502a250b3d41b6934687bf4d74fbbedd98cef83bdf6d2658b", "type": "eql", "version": 110 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { - "min_stack_version": "8.4", "rule_name": "First Time Seen NewCredentials Logon Process", "sha256": "9a219e929d52b9d5fd2593524c043db217318eb6f540793dae2c595418f5dc02", "type": "new_terms", @@ -8870,7 +6656,7 @@ "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456", 
@@ -8884,30 +6670,18 @@ "version": 206 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { - "min_stack_version": "8.3", "rule_name": "Service Creation via Local Kerberos Authentication", "sha256": "c47f1f706cc482c626dc8045250f798362338387db47fe387412408b6be3bae1", "type": "eql", "version": 105 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { - "min_stack_version": "8.3", "rule_name": "Kerberos Pre-authentication Disabled for User", "sha256": "f31d2b25f3d2f895e14eab6c7ec29719c97852d5f2f99b2fa9357b9637c2f510", "type": "query", "version": 110 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 202, - "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "2c13a6fc437d2115e97e6e81a6d555601f5f93d05f444b9935bf76d94877c049", - "type": "query", - "version": 104 - } - }, "rule_name": "MFA Disabled for Google Workspace Organization", "sha256": "91e053deeef1fbe832a95085ef68f2122ba06d94e64114a2d0e61cf3f1d64d6f", "type": "query", @@ -8920,14 +6694,12 @@ "version": 100 }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { - "min_stack_version": "8.3", "rule_name": "Bash Shell Profile Modification", "sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3", "type": "query", "version": 104 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { - "min_stack_version": "8.3", "rule_name": "Authorization Plugin Modification", "sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e", "type": "query", @@ -8936,7 +6708,7 @@ "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Possible Okta DoS Attack", "sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391", 
@@ -8950,125 +6722,84 @@ "version": 205 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { - "min_stack_version": "8.3", "rule_name": "Screensaver Plist File Modified by Unexpected Process", "sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51", "type": "eql", "version": 107 }, "e7075e8d-a966-458e-a183-85cd331af255": { - "min_stack_version": "8.3", "rule_name": "Default Cobalt Strike Team Server Certificate", "sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e", "type": "query", "version": 104 }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { - "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Memory Dump File Creation", "sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62", "type": "eql", "version": 3 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { - "min_stack_version": "8.3", "rule_name": "Execution of Persistent Suspicious Program", "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478", "type": "eql", "version": 107 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 104, - "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a", - "type": "eql", - "version": 6 - } - }, "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20", "type": "eql", "version": 106 }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { - "min_stack_version": "8.3", "rule_name": "Potential Windows Session Hijacking via CcmExec", "sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a", "type": "eql", "version": 1 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { - "min_stack_version": "8.3", "rule_name": "Unusual Process For MSSQL Service Accounts", "sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8", "type": "eql", 
"version": 4 }, "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { - "min_stack_version": "8.3", "rule_name": "Unusual Execution via Microsoft Common Console File", "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35", "type": "eql", "version": 1 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Unshadow", "sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393", "type": "eql", "version": 8 }, "e7cd5982-17c8-4959-874c-633acde7d426": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Route Table Modified or Deleted", "sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112", "type": "query", "version": 207 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { - "min_stack_version": "8.3", "rule_name": "Service Control Spawned via Script Interpreter", "sha256": "d821998e1160abb47ecede3b1c462e4239e82c189b4c1bb28462bb126a1b7765", "type": "eql", "version": 108 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { - "min_stack_version": "8.3", "rule_name": "Installation of Security Support Provider", "sha256": "7bacfc5c36b455bd387840ed3881384dccf76c4613c11307d4d5d00b45b71f4c", "type": "eql", "version": 108 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { - "min_stack_version": "8.3", "rule_name": "Host Files System Changes via Windows Subsystem for Linux", "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006", "type": "eql", "version": 7 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { - "min_stack_version": "8.6", - "previous": { - "8.4": { - "max_allowable_version": 102, - "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", - "sha256": 
"3a05a24c654cdb42c8718f7cf97e55b13d9be01f97cfd17a78db8f616168fa80", - "type": "new_terms", - "version": 3 - } - }, "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", "sha256": "f180246dbfb2cb7f01f796113f0a1b305d91c244c4989aef63cfc341e4431f35", "type": "new_terms", @@ -9077,7 +6808,7 @@ "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 206, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "36586610b72fd3df43dda1d0bfca8e2b7a439cde98a6b85da439993e98b9978d", 
@@ -9091,44 +6822,30 @@ "version": 208 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS EC2 VM Export Failure", - "sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS EC2 VM Export Failure", "sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c", "type": "query", "version": 206 }, "e92c99b6-c547-4bb6-b244-2f27394bc849": { - "min_stack_version": "8.9", "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", "sha256": "1e89013def66c292205e6328af1471ef4e60e7476f31abb7718f73d3602c3e91", "type": "machine_learning", "version": 3 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { - "min_stack_version": "8.3", "rule_name": "Unusual Executable File Creation by a System Critical Process", "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f", "type": "eql", "version": 111 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { - "min_stack_version": "8.3", "rule_name": "Potential LSA Authentication Package Abuse", "sha256": "d0a1dc56879cb56dc2747d8b68642dcb238491d808de81350698a3876b010d1e", "type": "eql", "version": 105 }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { - "min_stack_version": "8.9", "rule_name": "Spike in Remote File Transfers", "sha256": "c2714b3ba5f14682e3de18a33b34ee32dd30f9b08a177f6d6ff9c79ced3ef5e1", "type": "machine_learning", @@ -9141,7 +6858,6 @@ "version": 100 }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { - "min_stack_version": "8.3", "rule_name": "Azure Automation Webhook Created", "sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078", "type": "query", 
@@ -9154,153 +6870,108 @@ "version": 100 }, "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { - "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a Parent Process", "sha256": "d8ff4bf9daa5791d5125e828242e6da12e755fe8e6594f543661711e82994cfd", "type": "machine_learning", "version": 4 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "b067b05efba5deb9be05f4eb293d71270aec223640f2d617f1a365f86c41524c", - "type": "threshold", - "version": 109 - } - }, "rule_name": "AWS IAM Brute Force of Assume Role Policy", "sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3", "type": "threshold", "version": 210 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { - "min_stack_version": "8.3", "rule_name": "Spike in Firewall Denies", "sha256": "2b70a5f6f296ce20ca6fb54b48a52c4bb57dec8c35b7dfc9b661509716a7cc0a", "type": "machine_learning", "version": 103 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { - "min_stack_version": "8.3", "rule_name": "Suspicious APT Package Manager Network Connection", "sha256": "e33ef40e6926a8ebb9819b992a678c5cb30b5ca0ec2564ad888d213893eec80c", "type": "eql", "version": 2 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { - "min_stack_version": "8.3", "rule_name": "External Alerts", "sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6", "type": "query", "version": 103 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad", "type": "query", "version": 4 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { - "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Request", "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb", "type": "query", "version": 111 }, 
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { - "min_stack_version": "8.3", "rule_name": "Suspicious Network Connection Attempt by Root", "sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e", "type": "eql", "version": 104 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { - "min_stack_version": "8.3", "rule_name": "Potential Disabling of SELinux", "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef", "type": "eql", "version": 110 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { - "min_stack_version": "8.3", "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98", "type": "eql", "version": 109 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { - "min_stack_version": "8.3", "rule_name": "IIS HTTP Logging Disabled", "sha256": "d83d663dcda70e00a6ab21131eed87f0b8c368ce720e9af6b55cc3ed301826a8", "type": "eql", "version": 110 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { - "min_stack_version": "8.3", "rule_name": "Process Execution from an Unusual Directory", "sha256": "8df3afe86977d9a2b2f2229f4f6d2fb5bb39898849f2d887050d754afba715a2", "type": "eql", "version": 110 }, "ec604672-bed9-43e1-8871-cf591c052550": { - "min_stack_version": "8.8", "rule_name": "File Made Executable via Chmod Inside A Container", "sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54", "type": "eql", "version": 2 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { - "min_stack_version": "8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", - "sha256": "ccb7629ab98a47b76d488ad0234349226bd54d20ba68a72bfa6d504471d57576", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", "sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df", "type": "query", "version": 206 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { - "min_stack_version": "8.3", "rule_name": 
"Executable File with Unusual Extension", "sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509", "type": "eql", "version": 2 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Instance/Cluster Stoppage", "sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58", "type": "query", "version": 206 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { - "min_stack_version": "8.3", "rule_name": "Azure Global Administrator Role Addition to PIM User", "sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c", "type": "query", "version": 102 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { - "min_stack_version": "8.3", "rule_name": "AdFind Command Activity", "sha256": "35efc8cf7bf58aeb31117f913287b60e74e904cbdce764bcd90b1a649e6318e1", "type": "eql", @@ -9309,7 +6980,7 @@ "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973", @@ -9323,14 +6994,12 @@ "version": 206 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { - "min_stack_version": "8.3", "rule_name": "ImageLoad via Windows Update Auto Update Client", "sha256": "6b7b9ccc19477616a522bddc2a00f166753629727474b6494a4460bfc09ec4f6", "type": "eql", "version": 112 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { - "min_stack_version": "8.3", "rule_name": "Linux User Account Creation", "sha256": "95cad73c0f9c90ae0aca50ad6528161624c9d694075e6761ef195da867643c08", "type": "eql", 
@@ -9339,7 +7008,7 @@ "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 102, "rule_name": "Okta FastPass Phishing Detection", "sha256": "ec087af423a304d3b2f85af7926ba24f67f6207424c00d258a6e350a6721c932", @@ -9353,14 +7022,12 @@ "version": 103 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { - "min_stack_version": "8.3", "rule_name": "Unusual Print Spooler Child Process", "sha256": "3b8d96d08eb433256b4fb0fd5206543e932d32caede2f0296b44a83ccf41868c", "type": "eql", "version": 108 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { - "min_stack_version": "8.3", "rule_name": "Shortcut File Written or Modified on Startup Folder", "sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662", "type": "eql", 
@@ -9373,56 +7040,48 @@ "version": 100 }, "eea82229-b002-470e-a9e1-00be38b14d32": { - "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", "sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc", "type": "eql", "version": 107 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { - "min_stack_version": "8.3", "rule_name": "BPF filter applied using TC", "sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2", "type": "eql", "version": 108 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { - "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", "sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7", "type": "eql", "version": 7 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { - "min_stack_version": "8.8", "rule_name": "Potential Container Escape via Modified notify_on_release File", "sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04", "type": "eql", "version": 1 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { - "min_stack_version": "8.3", "rule_name": "Whoami Process Activity", "sha256": "31ce332f330bc9a1bccdf8f56d0d422431517beafd6fd72a0263e72bf57f2202", "type": "eql", "version": 111 }, "ef8cc01c-fc49-4954-a175-98569c646740": { - "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "sha256": "9512995e5dffd053732011c13901b6e07071c98fbf12ad540b632ebf940f2c32", "type": "machine_learning", "version": 3 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { - "min_stack_version": "8.3", "rule_name": "Unusual Child Processes of RunDLL32", "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe", "type": "eql", "version": 108 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { - "min_stack_version": "8.3", "rule_name": "Suspicious HTML File Creation", "sha256": "a8f8624488bd94c12376e0d7098fdf1714698d2df6e877311fded9ab584a043d", "type": "eql", 
@@ -9431,7 +7090,7 @@ "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba", 
@@ -9445,149 +7104,120 @@ "version": 205 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { - "min_stack_version": "8.3", "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", "sha256": "5182f386430f01d4b91371a123d7323d6c786af55e661ca361224b7e1abaab5c", "type": "eql", "version": 108 }, "f0bc081a-2346-4744-a6a4-81514817e888": { - "min_stack_version": "8.3", "rule_name": "Azure Alert Suppression Rule Created or Modified", "sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270", "type": "query", "version": 102 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { - "min_stack_version": "8.3", "rule_name": "Execution with Explicit Credentials via Scripting", "sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb", "type": "query", "version": 106 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { - "min_stack_version": "8.3", "rule_name": "Potential Remote Code Execution via Web Server", "sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7", "type": "eql", "version": 7 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "Forwarded Google Workspace Security Alert", "sha256": "4c73b09f4b3001484895476ebe7fa98e28d4b4ade73a8bc8cae1bf26c22cf8af", "type": "query", "version": 2 }, "f243fe39-83a4-46f3-a3b6-707557a102df": { - "min_stack_version": "8.3", "rule_name": "Service Path Modification", "sha256": "f6488872c8be23ecc9a4e3339d5de39339210c77856be3d05d90c00968a721c9", "type": "eql", "version": 2 }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { - "min_stack_version": "8.3", "rule_name": "Creation of Hidden Login Item via Apple Script", "sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3", "type": "eql", "version": 108 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { - "min_stack_version": "8.3", "rule_name": "Potential OpenSSH Backdoor Logging Activity", "sha256": "b10534cda59c460de168c3b9fed3d8899465199770dd6c96f2e2d65358d3cb24", "type": "eql", "version": 109 }, 
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": { - "min_stack_version": "8.3", "rule_name": "SIP Provider Modification", "sha256": "637b95af638d89775bd2f924af80375c6ff258c63b53785edfb3543db910cbbf", "type": "eql", "version": 107 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { - "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Creation", "sha256": "f75e7dbe109ab94981359e193e38bc31d50c60ac6258c2e42dd797649989a2f4", "type": "eql", "version": 109 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS RDS Instance Creation", - "sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS RDS Instance Creation", "sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166", "type": "query", "version": 206 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { - "min_stack_version": "8.4", "rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", "sha256": "bf31263ee7b3dd377aad879072d95f3cfa5f487f3db9f91e6d47822700c554c9", "type": "eql", "version": 4 }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { - "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "sha256": "2c43c3f3a3eab3066a67fa00b1ecf370bbb5c1a7cc41898dabf2a4553b1630ea", "type": "query", "version": 3 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { - "min_stack_version": "8.3", "rule_name": "WMI Incoming Lateral Movement", "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e", "type": "eql", "version": 110 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { - "min_stack_version": "8.3", "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c", "type": "threshold", "version": 104 }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { - 
"min_stack_version": "8.3", "rule_name": "Suspicious Network Connection via systemd", "sha256": "52931e3500fd41b92dd905637912dc28861b532e3bf11d6ab79f243237f9573c", "type": "eql", "version": 2 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { - "min_stack_version": "8.5", "rule_name": "Threat Intel URL Indicator Match", "sha256": "2e45aadc96febb79204cc0182a5cda5f7b1be5634e47e7c18fc92b429f529471", "type": "threat_match", "version": 6 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { - "min_stack_version": "8.6", "rule_name": "Potential curl CVE-2023-38545 Exploitation", "sha256": "422469c042fbbd783e6f8aca78c507ba139de7e0aa3e364406f12f16db6db808", "type": "eql", "version": 5 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { - "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Office AddIns", "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc", "type": "eql", "version": 108 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { - "min_stack_version": "8.3", "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "sha256": "3d559e86203735f531cbbe7a26f5e361236760068e41b0b421f0f5d59a3c5765", "type": "query", 
@@ -9607,135 +7237,108 @@ "version": 100 }, "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { - "min_stack_version": "8.3", "rule_name": "Suspicious Data Encryption via OpenSSL Utility", "sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc", "type": "eql", "version": 6 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { - "min_stack_version": "8.3", "rule_name": "Windows Script Executing PowerShell", "sha256": "708503003bcee46e11babb11f8aa31370e2b00f8819ad6b533d88ae777974577", "type": "eql", "version": 111 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { - "min_stack_version": "8.8", "rule_name": "SSH Connection Established Inside A Running Container", "sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7", "type": "eql", "version": 2 }, "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { - "min_stack_version": "8.3", "rule_name": "Rare SMB Connection to the Internet", "sha256": "a63046d792830722836c024689a5b5e9e1f3ac006e80e1445c1efa17bfbc98e5", "type": "new_terms", "version": 3 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { - "min_stack_version": "8.3", "rule_name": "WRITEDAC Access on Active Directory Object", "sha256": "e1128eff83337cf8df9523f584e2a5859c85e7d579d9655bb532de4714bd4124", "type": "query", "version": 4 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { - "min_stack_version": "8.3", "rule_name": "WMIC Remote Command", "sha256": "49fe04b88dc0dc6ee9776c88113935db33ecbc3c955ddb4b201acb6867022d7f", "type": "eql", "version": 4 }, "f5c005d3-4e17-48b0-9cd7-444d48857f97": { - "min_stack_version": "8.3", "rule_name": "Setcap setuid/setgid Capability Set", "sha256": "bec5a046d8ac67ff161d518d2ccf53b9138179dfc67759ad5f9078fdc14810a6", "type": "eql", "version": 5 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { - "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "sha256": "d6db5d4e54233628ba05c96ce487387f74b8d57d423cae36a1cfa4602ef0c312", "type": "machine_learning", "version": 4 }, 
"f5fb4598-4f10-11ed-bdc3-0242ac120002": { - "min_stack_version": "8.3", "rule_name": "Masquerading Space After Filename", "sha256": "0bdfb6f39afe789ae9447ea9f33938a24d746c1017ac0646c9f1776272882e37", "type": "eql", "version": 6 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { - "min_stack_version": "8.3", "rule_name": "Account or Group Discovery via Built-In Tools", "sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135", "type": "eql", "version": 3 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { - "min_stack_version": "8.3", "rule_name": "Windows Firewall Disabled via PowerShell", "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088", "type": "eql", "version": 110 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { - "min_stack_version": "8.3", "rule_name": "Delete Volume USN Journal with Fsutil", "sha256": "6b1d419bf9aa6949ee92ded6a11fd322e88da4c01130617ee0d215449c773841", "type": "eql", "version": 109 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { - "min_stack_version": "8.3", "rule_name": "SoftwareUpdate Preferences Modification", "sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b", "type": "query", "version": 106 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { - "min_stack_version": "8.3", "rule_name": "System Hosts File Access", "sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571", "type": "eql", "version": 3 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { - "min_stack_version": "8.3", "rule_name": "Azure Service Principal Credentials Added", "sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103", "type": "query", "version": 102 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 207, - "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd", - "type": "query", - "version": 108 - } - }, "rule_name": "AWS CloudWatch Alarm 
Deletion", "sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc", "type": "query", "version": 209 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { - "min_stack_version": "8.8", "rule_name": "SSH Authorized Keys File Modified Inside a Container", "sha256": "d08ada3a6198777da68c1ad854b2c989ea3c25a2cd89c68741c538de9a433237", "type": "eql", "version": 2 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { - "min_stack_version": "8.3", "rule_name": "Persistent Scripts in the Startup Directory", "sha256": "a1bc8b73c4533f942aac0721b6a1345272ca6770fde9d130e8f62f115eb42177", "type": "eql", 
@@ -9749,56 +7352,48 @@ "version": 2 }, "f81ee52c-297e-46d9-9205-07e66931df26": { - "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec", "type": "eql", "version": 109 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { - "min_stack_version": "8.3", "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87", "type": "query", "version": 106 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { - "min_stack_version": "8.3", "rule_name": "Modification of AmsiEnable Registry Key", "sha256": "78279bb6af6824e60ded36c81c6ef322b9ccaeb26c92549abc2921bf4227941b", "type": "eql", "version": 110 }, "f94e898e-94f1-4545-8923-03e4b2866211": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0", "type": "new_terms", "version": 1 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { - "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Configuration Discovery", "sha256": "4dd687fdbb673c91ffcda22bc2630d7ea3e59cd3af2a796d57bd7077684f6042", "type": "machine_learning", "version": 104 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { - "min_stack_version": "8.3", "rule_name": "Ingress Transfer via Windows BITS", "sha256": "5952fcaf652a5286441fc15039faeb8970ad18ef5832358bbc5385c6e09ed734", "type": "eql", "version": 7 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { - "min_stack_version": "8.3", "rule_name": "Browser Extension Install", "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a", "type": "eql", "version": 2 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { - "min_stack_version": "8.3", "rule_name": "Privileged Account Brute Force", "sha256": "6b7871e9961be78c2d06f1cb08a639f6b4d3dcb022d16261b56fa3472f8f7d70", "type": "eql", 
@@ -9807,7 +7402,7 @@ "f994964f-6fce-4d75-8e79-e16ccc412588": { "min_stack_version": "8.10", "previous": { - "8.3": { + "8.9": { "max_allowable_version": 204, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06", 
@@ -9821,65 +7416,48 @@ "version": 205 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { - "min_stack_version": "8.3", "rule_name": "Remote File Copy to a Hidden Share", "sha256": "3a766093b0d4f34997e59583bef56fb42b94ebe8b4d5d167f6f5123519f92525", "type": "eql", "version": 109 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { - "min_stack_version": "8.3", "rule_name": "Potential External Linux SSH Brute Force Detected", "sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda", "type": "eql", "version": 7 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { - "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Binary", "sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c", "type": "eql", "version": 7 }, "fa488440-04cc-41d7-9279-539387bf2a17": { - "min_stack_version": "8.3", "rule_name": "Suspicious Antimalware Scan Interface DLL", "sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642", "type": "eql", "version": 9 }, "fac52c69-2646-4e79-89c0-fd7653461010": { - "min_stack_version": "8.3", "rule_name": "Potential Disabling of AppArmor", "sha256": "e1fc21035bd0018c82e188c8ebe6241aa878a214edaf3895b806621f5d82d2e3", "type": "eql", "version": 6 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { - "min_stack_version": "8.4", - "previous": { - "8.3": { - "max_allowable_version": 101, - "rule_name": "Potential Masquerading as System32 DLL", - "sha256": "44de9f686412f5ba599fbbf3c20d3d9a0e941c644469a473712133ff1293bf6d", - "type": "eql", - "version": 2 - } - }, "rule_name": "Potential Masquerading as System32 DLL", "sha256": "1af8edb01a1cfb710c926f5d006909a5e7139b1a95763ed5fbc88147f1eab9bc", "type": "eql", "version": 104 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { - "min_stack_version": "8.3", "rule_name": "Network Connection via Registration Utility", "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d", "type": "eql", "version": 108 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { - 
"min_stack_version": "8.8", "rule_name": "High Number of Cloned GitHub Repos From PAT", "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234", "type": "threshold", @@ -9892,37 +7470,24 @@ "version": 100 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { - "min_stack_version": "8.9", - "previous": { - "8.3": { - "max_allowable_version": 204, - "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4", - "type": "query", - "version": 105 - } - }, "rule_name": "AWS Configuration Recorder Stopped", "sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004", "type": "query", "version": 206 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { - "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e", "type": "eql", "version": 109 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { - "min_stack_version": "8.8", "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf", "type": "new_terms", "version": 1 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { - "min_stack_version": "8.3", "rule_name": "GitHub App Deleted", "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960", "type": "eql", 
@@ -9935,151 +7500,114 @@ "version": 100 }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { - "min_stack_version": "8.3", "rule_name": "Potential Application Shimming via Sdbinst", "sha256": "c6e0f3ed2de57cd525aed211c660fafb3d244519f29423756b1e01f95a1f7469", "type": "eql", "version": 110 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { - "min_stack_version": "8.3", "rule_name": "Suspicious CertUtil Commands", "sha256": "1eefd434526b2d048a615ba540bf83da7ee5150eae84ff517f5de3e7668c964b", "type": "eql", "version": 108 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { - "min_stack_version": "8.6", - "previous": { - "8.3": { - "max_allowable_version": 206, - "rule_name": "Svchost spawning Cmd", - "sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04", - "type": "eql", - "version": 107 - } - }, "rule_name": "Svchost spawning Cmd", "sha256": "6d152e1d87343af4204868f6661565208bc41bc7fa3b54d2431de77ade274f91", "type": "new_terms", "version": 212 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { - "min_stack_version": "8.3", "rule_name": "Image Loaded with Invalid Signature", "sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d", "type": "eql", "version": 2 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { - "min_stack_version": "8.3", "rule_name": "System Binary Copied and/or Moved to Suspicious Directory", "sha256": "64a298cfd46dd919d8d6d349126b6a4a90347cf9eb7a23661803b528c1bd2828", "type": "eql", "version": 7 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { - "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Dump", "sha256": "1ccbc020df7ccd578a04c6a962cba1a9eb01217fe0325d1ebb52cfcae454276e", "type": "query", "version": 4 }, "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { - "min_stack_version": "8.3", "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9", "type": "query", "version": 5 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { - 
"min_stack_version": "8.3", "rule_name": "Microsoft Windows Defender Tampering", "sha256": "1049a012554fe790510c642962136afe7809f3cb6743d41c94d9064cb5cd0275", "type": "eql", "version": 110 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { - "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Business App Installer", "sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5", "type": "eql", "version": 4 }, "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { - "min_stack_version": "8.3", "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", "sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87", "type": "eql", "version": 2 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { - "min_stack_version": "8.3", "rule_name": "MS Office Macro Security Registry Modifications", "sha256": "0cb2724deeff775fe087f8fc28747011973bfa19b4924546d551ae231cf102e2", "type": "eql", "version": 107 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { - "min_stack_version": "8.3", "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "sha256": "be298496f5dc80a824431ca74dd636b027fd4a95e5b4cae739b13de1c3dfe055", "type": "query", "version": 103 }, "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { - "min_stack_version": "8.9", "rule_name": "Potential DGA Activity", "sha256": "f1777c34722961e6332a58230876ae5519c4fc7e7a09d1450eb0038aeabe2640", "type": "machine_learning", "version": 3 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { - "min_stack_version": "8.6", "rule_name": "Cron Job Created or Changed by Previously Unknown Process", "sha256": "8d0088142351af95023ec0cbec030e26da4de32891f90802ece09174e3446293", "type": "new_terms", "version": 9 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { - "min_stack_version": "8.7", "rule_name": "LSASS Process Access via Windows API", "sha256": "45523e08c1b08b3aeb6e316fbfd73c257194c643b9c2d30533a4c05de668ca18", "type": "eql", "version": 7 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { - "min_stack_version": 
"8.8", - "previous": { - "8.3": { - "max_allowable_version": 205, - "rule_name": "Microsoft 365 Exchange Transport Rule Creation", - "sha256": "e247dbb68f81f5c55155bea1dd2a757717bdc740b8259a933165e5a612d3cdb7", - "type": "query", - "version": 106 - } - }, "rule_name": "Microsoft 365 Exchange Transport Rule Creation", "sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88", "type": "query", "version": 206 }, "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { - "min_stack_version": "8.3", "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb", "type": "eql", "version": 1 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { - "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Deletion", "sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068", "type": "query", "version": 104 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { - "min_stack_version": "8.3", "rule_name": "Potential Sudo Token Manipulation via Process Injection", "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366", "type": "eql", diff --git a/docs/versioning.md b/docs/versioning.md new file mode 100644 index 00000000000..120c88b7054 --- /dev/null +++ b/docs/versioning.md 
@@ -0,0 +1,26 @@ +# Supported Versions and Releases + +This document provides detailed information about the different versions that are supported and released for prebuilt detection rules. + +## Current Version + +The current version of prebuilt detection rules is `v8.14`. + +## Previous Versions Released + +The following version(s) are released along with the current version. + +- `v8.13` +- `v8.12` +- `v8.11` + +### Previous Versions Maintained + +The following version(s) are maintained along with the current version. + +- `v8.10` +- `v8.9` + +## End of Life Policy + +Our policy is to support and provide public releases for `Current`, `Current-1`, `Current-2`, `Current-3` versions. We maintain and do not release `Current-4` and `Current-5` versions. diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml index 28bea375cc3..d8010b71afc 100644 --- a/rules/apm/apm_403_response_to_a_post.toml +++ b/rules/apm/apm_403_response_to_a_post.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["apm"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml index 4f3b957f224..bedc96ade16 100644 --- a/rules/apm/apm_405_response_method_not_allowed.toml +++ b/rules/apm/apm_405_response_method_not_allowed.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["apm"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml index b147173d857..c8ba5b28669 100644 
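Review bot: `updated_date` is bumped to `2024/05/21` even though nothing under `[rule]` changes in this hunk; the only other edits are the removal of the `min_stack_comments` and `min_stack_version` keys. Anyone who treats `updated_date` as "the detection logic changed" will get that signal for every trimmed rule in this commit, which makes the field less useful for deciding which rules need re-review after an upgrade. If the bump is intentional because the tooling stamps the current date whenever it rewrites the metadata block, it would help to state that in the PR description; otherwise keep the previous value, `updated_date = "2023/06/22"`, when the only change is dropping the `min_stack_*` keys. The same observation applies to every rule hunk in this diff.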
--- a/rules/apm/apm_sqlmap_user_agent.toml +++ b/rules/apm/apm_sqlmap_user_agent.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["apm"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml index aa5803afe7c..d8ccf625b32 100644 --- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml +++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml @@ -2,15 +2,13 @@ creation_date = "2023/06/19" integration = ["endpoint", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/30" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt -to deliver phishing payloads via a trusted webservice. +Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing +payloads via a trusted webservice. """ false_positives = [ "Approved third-party applications that use Google Drive download URLs.", 
@@ -25,7 +23,14 @@ references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matan risk_score = 47 rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml index b863a6bf6dd..26b3ddbf1af 100644 --- a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml +++ b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml @@ -2,9 +2,7 @@ creation_date = "2022/10/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/09/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -30,13 +28,14 @@ references = ["https://attack.mitre.org/techniques/T1571/"] risk_score = 21 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9" severity = "low" -tags = ["Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "OS: macOS", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "OS: macOS", + "Data Source: Elastic Defend", +] type = "eql" query = ''' 
@@ -51,15 +50,17 @@ sequence by process.entity_id with maxspan=1m ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1571" name = "Non-Standard Port" reference = "https://attack.mitre.org/techniques/T1571/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml index b9179554efb..9dbe6ea1886 100644 --- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -37,7 +35,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml index be6661803a6..0db7fbdae9c 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml 
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml @@ -1,15 +1,14 @@ [metadata] creation_date = "2021/07/14" maturity = "production" -updated_date = "2023/06/22" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" -occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could -indicate attempts to spoof events in order to masquerade actual activity to evade detection. +description = """ +Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the +expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate +attempts to spoof events in order to masquerade actual activity to evade detection. """ false_positives = [ """ diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml index 4003974f46f..6019f522c45 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml +++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml 
@@ -1,15 +1,14 @@ [metadata] creation_date = "2021/07/14" maturity = "production" -updated_date = "2023/06/22" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent -being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to -masquerade actual activity to evade detection. +description = """ +Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and +used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual +activity to evade detection. """ false_positives = [ """ @@ -47,11 +46,11 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.threshold] field = ["agent.id"] value = 2 - [[rule.threshold.cardinality]] field = "host.id" value = 2 + + diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index 72dfb5e4c28..c567ad89f2a 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -28,7 +26,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml index f1cc6459927..8a55874a9ce 100644 --- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml @@ -2,9 +2,7 @@ creation_date = "2020/05/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,15 +27,15 @@ For more details on adding a custom ingest pipeline refer - https://www.elastic. """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" @@ -56,20 +54,22 @@ process where event.action in ("exec", "exec_event", "executed", "process_starte ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.003" name = "Clear Command History" reference = "https://attack.mitre.org/techniques/T1070/003/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index 3436a467e40..50eac1fc76a 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2022/05/23" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -30,7 +28,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml index 2b5f675a696..37fb73fe77f 100644 --- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml +++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml @@ -2,9 +2,7 @@ creation_date = "2022/10/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -34,7 +32,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml index baed2ce5d36..36d4a8ca911 100644 --- a/rules/cross-platform/defense_evasion_timestomp_touch.toml +++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/18" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -30,13 +28,13 @@ For more details on adding a custom ingest pipeline refer - https://www.elastic. """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml index 6960ab9e57a..f22fae9c687 100644 --- a/rules/cross-platform/discovery_security_software_grep.toml +++ b/rules/cross-platform/discovery_security_software_grep.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/18" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -59,14 +57,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -122,20 +121,22 @@ process.name : "grep" and user.id != "0" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index e0181030ac5..2ef727a4d0a 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml @@ -2,9 +2,7 @@ creation_date = "2021/09/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -36,7 +34,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml index f8a9ba36327..f97739824da 100644 --- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml +++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,7 +16,14 @@ references = ["https://github.com/neoneggplant/EggShell"] risk_score = 73 rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml index b605d906467..c872f64da64 100644 --- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml 
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml @@ -2,9 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -62,14 +60,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -86,15 +85,17 @@ process where event.type in ("start", "process_started") and not process.parent.command_line : "runc init" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index 78819736289..33a0253eecb 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -64,15 +62,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Use Case: Vulnerability", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -86,19 +85,20 @@ event.category:process and event.type:("start" or "process_started") and process ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -107,7 +107,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + 
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml index bd2f016944c..877e4ced8fd 100644 --- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml +++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml @@ -2,9 +2,7 @@ creation_date = "2021/12/10" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -28,7 +26,15 @@ references = [ risk_score = 73 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] type = "eql" query = ''' diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml index cbcbb2dc7bb..5bbe240e151 100644 --- a/rules/cross-platform/guided_onboarding_sample_rule.toml +++ b/rules/cross-platform/guided_onboarding_sample_rule.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2022/09/22" maturity = "production" -min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+" -min_stack_version = "8.7.0" -updated_date = "2024/03/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml index 56ebdb5c7d6..0b5d652fd58 100644 --- a/rules/cross-platform/impact_hosts_file_modified.toml +++ b/rules/cross-platform/impact_hosts_file_modified.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/07/07" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -64,7 +62,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c" timeline_title = "Comprehensive File Timeline" timestamp_override = "event.ingested" @@ -91,20 +98,22 @@ any where ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" - [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/001/" + + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml index 1287e9e55a3..c335de8be23 100644 --- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml +++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml 
@@ -1,9 +1,7 @@ [metadata] creation_date = "2020/09/14" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -28,11 +26,7 @@ setup = """## Setup The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.""" severity = "medium" -tags = [ - "Data Source: Zoom", - "Use Case: Configuration Audit", - "Tactic: Initial Access" -] +tags = ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/multiple_alerts_different_tactics_host.toml b/rules/cross-platform/multiple_alerts_different_tactics_host.toml index 67ee0e38193..676a9a892e7 100644 --- a/rules/cross-platform/multiple_alerts_different_tactics_host.toml +++ b/rules/cross-platform/multiple_alerts_different_tactics_host.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2022/11/16" maturity = "production" -updated_date = "2023/06/22" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,8 +16,8 @@ false_positives = [ """, ] from = "now-24h" -interval = "1h" index = [".alerts-security.*"] +interval = "1h" language = "kuery" license = "Elastic License v2" name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host" @@ -34,10 +32,13 @@ query = ''' signal.rule.name:* and kibana.alert.rule.threat.tactic.id:* ''' + + [rule.threshold] field = ["host.id"] value = 1 - [[rule.threshold.cardinality]] field = "kibana.alert.rule.threat.tactic.id" value = 3 + + diff --git a/rules/cross-platform/multiple_alerts_involving_user.toml b/rules/cross-platform/multiple_alerts_involving_user.toml index a982df44d51..076a1096ea5 100644 
--- a/rules/cross-platform/multiple_alerts_involving_user.toml +++ b/rules/cross-platform/multiple_alerts_involving_user.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2022/11/16" maturity = "production" -updated_date = "2023/06/22" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,8 +18,8 @@ false_positives = [ """, ] from = "now-24h" -interval = "1h" index = [".alerts-security.*"] +interval = "1h" language = "kuery" license = "Elastic License v2" name = "Multiple Alerts Involving a User" @@ -36,10 +34,13 @@ query = ''' signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20") ''' + + [rule.threshold] field = ["user.name"] value = 1 - [[rule.threshold.cardinality]] field = "signal.rule.rule_id" value = 5 + + diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml index b811014191e..85d4432c091 100644 --- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml +++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/09/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,14 +27,15 @@ references = [ risk_score = 47 rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0" severity = "medium" -tags = ["Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -70,27 +69,27 @@ event.category:file and event.type:change and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" @@ -99,7 +98,8 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml index da32aff27b2..60a1afc60aa 100644 --- a/rules/cross-platform/persistence_shell_profile_modification.toml +++ b/rules/cross-platform/persistence_shell_profile_modification.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/09/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -24,13 +22,14 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware- risk_score = 47 rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c" severity = "medium" -tags = ["Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" @@ -51,20 +50,22 @@ event.category:file and event.type:change and /Users/*/.zshenv) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml index af9946d38ff..71edbff424d 100644 --- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml +++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/12/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,16 +18,18 @@ name = "SSH Authorized Keys File Modification" risk_score = 47 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f" severity = "medium" -tags = ["Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' event.category:file and event.type:(change or creation) and file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and 
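Review bot: The trailing context line of the second hunk, `file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh")`, mixes basenames with absolute paths in a `file.name` match; under ECS `file.name` carries only the file name without its directory, so the `/etc/ssh/sshd_config` and `/root/.ssh` alternatives presumably never match and sshd_config modifications go undetected by this rule. If that reading is right, the path-shaped values belong in a separate clause, e.g. `(file.name:("authorized_keys" or "authorized_keys2") or file.path:("/etc/ssh/sshd_config" or "/root/.ssh"))`, and the `updated_date` bump this commit already makes would cover the change. The formatting commit did not touch this line and the rest of the query body lies outside the hunk, so I cannot confirm whether a later clause already compensates.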
@@ -51,46 +51,46 @@ event.category:file and event.type:(change or creation) and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" - [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" [rule.threat.tactic] id = "TA0008" @@ -100,7 +100,8 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml index 7996a3987d9..7b589072395 100644 --- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml +++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/01/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,14 @@ name = "Potential Privilege Escalation via Sudoers File Modification" risk_score = 73 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 7a9979f2517..0bbd44d8537 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -24,7 +22,14 @@ name = "Setuid / Setgid Bit Set via chmod" risk_score = 21 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml index bd3caf4038d..0fa03093486 100644 --- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml +++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml @@ -2,9 +2,7 @@ creation_date = "2021/02/03" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -33,9 +31,17 @@ references = [ risk_score = 73 rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] -type = "threshold" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' event.category:process and event.type:start and diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml index f7b7b826d03..23c493369ad 100644 
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/12/18" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,13 +19,13 @@ risk_score = 47 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4" severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -37,19 +35,20 @@ not process.name:(dpkg or platform-python or puppet or yum or dnf) and not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -58,7 +57,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/cross-platform/threat_intel_indicator_match_address.toml b/rules/cross-platform/threat_intel_indicator_match_address.toml index 55abba3f208..07ed6b5d053 100644 
--- a/rules/cross-platform/threat_intel_indicator_match_address.toml +++ b/rules/cross-platform/threat_intel_indicator_match_address.toml @@ -1,12 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/01/17" -min_stack_comments = """ -Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match -general rules. -""" -min_stack_version = "8.5.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -33,6 +28,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -103,7 +99,7 @@ This rule is triggered when an IP address indicator from the Threat Intel Filebe references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip" + "https://www.elastic.co/security/tip", ] risk_score = 99 rule_id = "0c41e478-5263-4c69-8f9e-7dfd2c22da64" 
@@ -118,72 +114,74 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" +threat_query = """ +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not +labels.is_ioc_transform_source:"true" +""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" - -threat_query = ''' -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and - not labels.is_ioc_transform_source:"true" -''' - -query = """ +query = ''' source.ip:* or destination.ip:* -""" +''' [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.category" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.kind" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.type" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" - 
[[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "source.ip" type = "mapping" value = "threat.indicator.ip" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "destination.ip" type = "mapping" value = "threat.indicator.ip" + + diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/cross-platform/threat_intel_indicator_match_hash.toml index 5b6ea5fe098..54bc25febbf 100644 --- a/rules/cross-platform/threat_intel_indicator_match_hash.toml +++ b/rules/cross-platform/threat_intel_indicator_match_hash.toml @@ -1,12 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/01/17" -min_stack_comments = """ -Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match -general rules. -""" -min_stack_version = "8.5.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -33,11 +28,12 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ -This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an -event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. +This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against +an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. """ from = "now-65m" index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"] 
@@ -102,7 +98,7 @@ This rule is triggered when a hash indicator from the Threat Intel Filebeat modu references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip" + "https://www.elastic.co/security/tip", ] risk_score = 99 rule_id = "aab184d3-72b3-4639-b242-6597c99d8bca" 
@@ -117,115 +113,123 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" +threat_query = """ +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or +threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:"true" +""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" - -threat_query = ''' -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and - (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and - not labels.is_ioc_transform_source:"true" -''' - -query = """ +query = ''' file.hash.*:* or process.hash.*:* or dll.hash.*:* -""" +''' [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.category" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.kind" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.type" +negate = false +type = "phrase" 
[rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" - [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "dll.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "dll.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "dll.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "process.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "process.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "process.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" + + diff --git a/rules/cross-platform/threat_intel_indicator_match_registry.toml b/rules/cross-platform/threat_intel_indicator_match_registry.toml index 3cb6742cb3f..fee4820ef14 100644 --- a/rules/cross-platform/threat_intel_indicator_match_registry.toml +++ b/rules/cross-platform/threat_intel_indicator_match_registry.toml 
@@ -1,12 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/01/17" -min_stack_comments = """ -Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match -general rules. -""" -min_stack_version = "8.5.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -33,6 +28,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -97,7 +93,7 @@ This rule is triggered when a Windows registry indicator from the Threat Intel F references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip" + "https://www.elastic.co/security/tip", ] risk_score = 99 rule_id = "a61809f3-fb5b-465c-8bff-23a8a068ac60" 
@@ -112,66 +108,67 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" +threat_query = """ +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not +labels.is_ioc_transform_source:"true" +""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" - -threat_query = ''' -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and - not labels.is_ioc_transform_source:"true" -''' - -query = """ +query = ''' registry.path:* -""" +''' [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.category" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.kind" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.type" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = 
"indicator" - [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "registry.path" type = "mapping" value = "threat.indicator.registry.path" + + diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml index ea456406caf..cba88abb5f7 100644 --- a/rules/cross-platform/threat_intel_indicator_match_url.toml +++ b/rules/cross-platform/threat_intel_indicator_match_url.toml @@ -1,12 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/01/17" -min_stack_comments = """ -Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match -general rules. -""" -min_stack_version = "8.5.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -33,6 +28,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -106,7 +102,7 @@ This rule is triggered when a URL indicator from the Threat Intel Filebeat modul references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip" + "https://www.elastic.co/security/tip", ] risk_score = 99 rule_id = "f3e22c8b-ea47-45d1-b502-b57b6de950b3" 
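Review bot: `threat_query` in this hunk is now a TOML basic multi-line string (`threat_query = """`) where it was a literal one (`'''`), so a backslash inside it becomes a TOML escape instead of text handed to KQL; the current query contains none, so the parsed value is unchanged, but registry paths are the one indicator type where a future filter on a specific key (`HKLM\...`) is likely, and inside `"""` it would need doubling or fail to parse. `query` in the same hunk moved the opposite way (`"""` → `'''`), which suggests formatter output rather than intent. Keeping `threat_query = '''` for the query fields, or documenting the basic/literal choice in the formatting tooling, would avoid a silent semantic change on the next edit. The same swap appears in the sibling indicator-match rules in this commit.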
@@ -121,72 +117,74 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" +threat_query = """ +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not +labels.is_ioc_transform_source:"true" +""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" - -threat_query = ''' -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and - threat.indicator.url.full:* and not labels.is_ioc_transform_source:"true" -''' - -query = """ +query = ''' url.full:* -""" +''' [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.category" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.kind" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.type" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" - 
[[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "url.full" type = "mapping" value = "threat.indicator.url.full" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "url.original" type = "mapping" value = "threat.indicator.url.original" + + diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml index 3ecd0714803..f4c31b3d257 100644 --- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml +++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml @@ -2,9 +2,7 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,7 +30,13 @@ references = [ risk_score = 21 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed" severity = "low" -tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Collection"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Tactic: Collection", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml index a092d575a58..cbb1e5613fc 100644 --- a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml +++ b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/04/10" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to 2.0.0" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,7 +17,6 @@ language = "kuery" license = "Elastic License v2" name = "AWS EC2 Admin Credential Fetch via Assumed Role" note = """ - ## Triage and Analysis ### Investigating AWS EC2 Admin Credential Fetch via Assumed Role diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml index 17ca613099c..fd03af121e5 100644 --- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml +++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/16" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -76,10 +74,10 @@ tags = [ "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", - "Tactic: Credential Access" + "Tactic: Credential Access", ] -type = "threshold" timestamp_override = "event.ingested" +type = "threshold" query = ''' event.dataset:aws.cloudtrail and diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml index 18248e82547..5e6d6ebeae3 100644 --- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml +++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/06/04" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml index 6365cc34cf8..e5e939edf76 100644 --- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml +++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml 
@@ -2,16 +2,18 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/14" +updated_date = "2024/05/21" [rule] author = ["Nick Jones", "Elastic"] description = """ -An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action. - -This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager. +An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may +attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time +a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the +`GetSecretValue` action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with +IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with +access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the +compromised service's IAM role to access the secrets in Secrets Manager. """ false_positives = [ """ 
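Review bot: The reflowed `description` drops the blank line that separated its two paragraphs, so the assumptions sentence now runs straight on from the detection sentence in the rendered rule, and it preserves the typo `IAM role's assigned` (should be `IAM roles assigned`) and `setup` used as a verb (`set up`). Since the commit already rewraps every line of this string, fixing the wording at the same time costs nothing: `...EC2 instances are set up with IAM roles assigned that have the necessary permissions...`. Keeping an empty line between the two paragraphs inside the `"""` block is valid TOML and retains the original structure.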
@@ -78,7 +80,7 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
 references = [
 "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
 "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/",
- "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum"
+ "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum",
 ]
 risk_score = 47
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index 889e6d56aa6..e8cfdda99fe 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,9 +29,15 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
-type = "threshold"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
 timestamp_override = "event.ingested"
+type = "threshold"
 
 query = '''
 event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index fab6ee327e2..0bbea8b848a 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +74,14 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Log Auditing",
+ "Resources: Investigation Guide",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 6d1ee6ef2f2..72227a18ad5 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -80,7 +78,14 @@ references = [
 risk_score = 47
 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Log Auditing",
+ "Resources: Investigation Guide",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 3d5915bd6fe..11861b99045 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/15"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +80,13 @@ references = [
 risk_score = 47
 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Resources: Investigation Guide",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
index 451dda334c4..855c53f6374 100644
--- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/26"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -80,7 +78,13 @@ references = [
 risk_score = 21
 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Resources: Investigation Guide",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
index cc02cd56aed..c0cd38ab247 100644
--- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/16"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index 7f1090ef125..3c803b5f4e9 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/15"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +77,14 @@ references = [
 risk_score = 73
 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Log Auditing",
+ "Resources: Investigation Guide",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index 1db8508a9a1..fb2e47ad909 100644
--- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +35,13 @@ references = [
 risk_score = 47
 rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
index 5d5500605c9..d39dcc0b035 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index bb65f1940dc..a496a341a8c 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
index 2d034a9e71c..9b150497c7d 100644
--- a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
+++ b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/09/22"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -31,7 +29,13 @@ references = [
 risk_score = 21
 rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index 54e33b5a95f..d0f4ad05d7d 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/28"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
index 15682431e20..0df31df63c9 100644
--- a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/05/06"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +19,6 @@ language = "kuery"
 license = "Elastic License v2"
 name = "Route53 Resolver Query Log Configuration Deleted"
 note = """
-
 ## Triage and Analysis
 
 ### Investigating Route53 Resolver Query Log Configuration Deleted
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 0777ffc6523..ceb62849c0d 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/27"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,13 @@ references = [
 risk_score = 21
 rule_id = "227dc608-e558-43d9-b521-150772250bae"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Asset Visibility",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index 749b42b06fe..33ddcf3751a 100644
--- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,13 @@ references = [
 risk_score = 47
 rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index a83cccbfaa9..1206af84945 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/09"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,13 @@ references = [
 risk_score = 47
 rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
index 04631d87839..bc1ecf1dadb 100644
--- a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/05/13"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +24,6 @@ language = "kuery"
 license = "Elastic License v2"
 name = "EC2 AMI Shared with Another Account"
 note = """
-
 ## Triage and Analysis
 
 ### Investigating EC2 AMI Shared with Another Account
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index a305bc80ded..e809fcaf22f 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -36,7 +34,14 @@ references = [
 risk_score = 47
 rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Exfiltration", "Tactic: Collection"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Exfiltration",
+ "Tactic: Collection",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
index 24f65ef73db..cb94ddfe272 100644
--- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/24"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
index 79bb4391784..6b99a4eed46 100644
--- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/04/22"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -32,7 +30,14 @@ references = ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.h
 risk_score = 21
 rule_id = "e919611d-6b6f-493b-8314-7ed6ac2e413b"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Tactic: Collection"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Asset Visibility",
+ "Tactic: Exfiltration",
+ "Tactic: Collection",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index e76a934dc14..3acc55c151f 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -29,7 +27,13 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Sta
 risk_score = 21
 rule_id = "119c8877-8613-416d-a98a-96b6664ee73a"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Asset Visibility",
+ "Tactic: Exfiltration",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
index 8197da77b7b..fb21fe2f6d0 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/29"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -34,7 +32,13 @@ references = [
 risk_score = 47
 rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Asset Visibility",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index 6059acca429..4dced14d748 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/17"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index aa38f0674fc..48494c6f32f 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +74,15 @@ references = [
 risk_score = 21
 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Cloudtrail", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Cloudtrail",
+ "Use Case: Log Auditing",
+ "Resources: Investigation Guide",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index 35f56683f91..a51d7148eb4 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/18"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +79,15 @@ references = [
 risk_score = 47
 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudWatch", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS CloudWatch",
+ "Use Case: Log Auditing",
+ "Resources: Investigation Guide",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index f9f57c9970d..f673d30df59 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index efaedd39646..06305eb8968 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +34,13 @@ references = [
 risk_score = 47
 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
index 7bfe2402105..289a125097f 100644
--- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
+++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/08/27"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index c908c752f19..c9d1fb8a117 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -75,7 +73,14 @@ references = [
 risk_score = 47
 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Resources: Investigation Guide", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Resources: Investigation Guide",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
index 6c8c05f71c6..97463e97775 100644
--- a/rules/integrations/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,13 @@ references = [
 risk_score = 21
 rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
index 6eb74194e22..11c2d13335e 100644
--- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
+++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/09/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Xavier Pich"]
@@ -37,7 +35,14 @@ references = [
 risk_score = 47
 rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS KMS", "Use Case: Log Auditing", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS KMS",
+ "Use Case: Log Auditing",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index 4f13ca6bb77..989081659af 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -30,7 +28,13 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Del
 risk_score = 21
 rule_id = "863cdf31-7fd3-41cf-a185-681237ea277b"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index 571098c7745..8648fe43465 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -39,7 +37,14 @@ references = [
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Use Case: Asset Visibility",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index 423869ff99f..ecdf99bd422 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,14 @@ references = [
 risk_score = 47
 rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Use Case: Asset Visibility",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index e42fe045a0f..de2126e086f 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/11"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -72,7 +70,7 @@ tags = [
 "Data Source: AWS Signin",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access"
+ "Tactic: Initial Access",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 05f43038b7f..76273e283f6 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/02"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,14 @@ references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
 risk_score = 21
 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Signin", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Signin",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index 378c45ce1fc..7f7beade85d 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index 2e7f5fb50cd..8b7f1512af9 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
-maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
 integration = ["aws"]
+maturity = "production"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 50
@@ -87,6 +85,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index f0622af6cca..0ebbb531d76 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
-maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
 integration = ["aws"]
+maturity = "production"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 50
@@ -89,6 +87,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index ae2cf411bf2..947265fdca3 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
-maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
 integration = ["aws"]
+maturity = "production"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 50
@@ -91,6 +89,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index dae363dc164..1cb446348cf 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
-maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
 integration = ["aws"]
+maturity = "production"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 50
@@ -91,6 +89,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index b2e817bfcc4..88a65f6838a 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
-maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
 integration = ["aws"]
+maturity = "production"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 75
@@ -89,6 +87,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
 type = "machine_learning"
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index 2fd07cb2991..0ec4ba8c4a3 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -37,7 +35,14 @@ references = [
 risk_score = 21
 rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index 70e77bbf7d7..356547289d0 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -33,7 +31,14 @@ references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-securi
 risk_score = 21
 rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index c638a896749..5d678c72d7c 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,14 @@ references = [
 risk_score = 21
 rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index 840f8a3c229..352fd7c484b 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -37,7 +35,14 @@ references = [
 risk_score = 21
 rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 70265434c42..1140f4e4ef5 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -29,7 +27,13 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "378f9024-8a0c-46a5-aa08-ce147ac73a4e"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index bab38356826..ba167a1cb93 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -29,7 +27,14 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "f30f3443-4fbb-4c27-ab89-c3ad49d62315"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index 5160db70a5f..ee4a8e87d42 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/04/12"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,14 @@ references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_Crea
 risk_score = 21
 rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Redshift", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Redshift",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index 4e065c4fa71..3adaff849fd 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -35,7 +33,14 @@ references = [
 risk_score = 21
 rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Route53",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index 166506aa70e..758c5f25b39 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -30,7 +28,14 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Opera
 risk_score = 21
 rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Route53",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index 7b763c72d89..50c7b0fa2ed 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
@@ -29,7 +27,14 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Assoc
 risk_score = 21
 rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Route53",
+ "Use Case: Asset Visibility",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index b79c5f29690..c254309c058 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -34,7 +32,14 @@ references = [
 risk_score = 21
 rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Route53",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index 6f3cc8f42fb..8829dc1659b 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -38,7 +36,14 @@ references = [
 risk_score = 21
 rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Route53",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index 903cb9c1ba0..3e8adc73be3 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -77,7 +75,7 @@ tags = [
 "Data Source: AWS Route53",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Privilege Escalation"
+ "Tactic: Privilege Escalation",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index c81aedb0401..1cc2fd23f1f 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
@@ -24,7 +22,14 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRol
 risk_score = 21
 rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS STS",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Privilege Escalation",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
index 48ce9ac22b7..7bde75f679e 100644
--- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
@@ -30,7 +28,14 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessio
 risk_score = 21
 rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS STS",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Privilege Escalation",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index 53313087b57..979d9ef466a 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -78,7 +76,7 @@ tags = [
 "Data Source: AWS STS",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Privilege Escalation"
+ "Tactic: Privilege Escalation",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index e6087f04f40..b3ffe646b7d 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -55,7 +53,6 @@ reference = "https://attack.mitre.org/techniques/T1530/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
index 301b47cc7f4..92c23e47a2b 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/08/12"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml
index 60f60148cc1..b58c6dfac3f 100644
--- a/rules/integrations/azure/credential_access_key_vault_modified.toml
+++ b/rules/integrations/azure/credential_access_key_vault_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 4373e066167..5f1e83dabbf 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,12 @@ references = [
 risk_score = 21
 rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
index 54c17bac930..e6d6c3ef2b1 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +34,12 @@ references = [
 risk_score = 47
 rule_id = "1a36cace-11a7-43a8-9a10-b497c5a02cd3"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
index 48d4d5cdd59..50ea493d443 100644
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
index 45331762b05..7802a541aa0 100644
--- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/09/22"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -30,7 +28,13 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
 risk_score = 47
 rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index 47626334d16..3d1aed02314 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index 230a3c55e5d..cad7d6eec7a 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +79,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Defense Evasion"
+ "Tactic: Defense Evasion",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index a12e6f744cb..b94eb74a53b 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index 438edb64ff4..f0c701c2cb6 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,12 @@ references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-ov
 risk_score = 21
 rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
index 4569cd69aed..acea8b019f8 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/08/01"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -35,7 +33,12 @@ references = [
 risk_score = 21
 rule_id = "09d028a5-dcde-409f-8ae0-557cef1b7082"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index 1d762fb49a5..12782cf9cb0 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index 1e460c72f75..4bf9be6b02e 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,12 @@ references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-wa
 risk_score = 47
 rule_id = "323cb487-279d-4218-bcbd-a568efe930c6"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
index d3ce5bbd326..5adfd45abdd 100644
--- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/08/27"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml
index d0643bd1825..61d9adf1f1c 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml
index c23a07b5e66..6913c697a2e 100644
--- a/rules/integrations/azure/execution_command_virtual_machine.toml
+++ b/rules/integrations/azure/execution_command_virtual_machine.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
index beb326d83d2..d66662ddb29 100644
--- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/05"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index 6fb47608bff..791f2c8c25a 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml
index e84b2782060..6ccdd075ad5 100644
--- a/rules/integrations/azure/impact_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resource_group_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml
index b8dfb12a905..f1e9e003e68 100644
--- a/rules/integrations/azure/impact_virtual_network_device_modified.toml
+++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/12"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index 7a19dec88e3..fb43d7cada4 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Willem D'Haese"]
@@ -79,7 +77,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access"
+ "Tactic: Initial Access",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 18bec57767d..1657100c372 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -74,7 +72,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access"
+ "Tactic: Initial Access",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index 759a39fb377..84c1ea44cae 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +76,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access"
+ "Tactic: Initial Access",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index d5fd491a1aa..8766f39fcf6 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure", "o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -80,7 +78,7 @@ tags = [
 "Data Source: Microsoft 365",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access"
+ "Tactic: Initial Access",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
index bd423645618..ec46d414b1e 100644
--- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml
index c8018b94f0e..114f1210d26 100644
--- a/rules/integrations/azure/persistence_azure_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
index 9b4723dc041..94aa992de20 100644
--- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
index d0d03fc2de8..370c2d78c7c 100644
--- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
index a679e83b9ed..fda5b5dbbe4 100644
--- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index aed4975d38b..d3509a4a043 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/06"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index 913b409850d..c27d826a2e9 100644
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/24"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index 6e2bcb3b6f0..fa292e7a474 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +73,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Persistence"
+ "Tactic: Persistence",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index 73504c66777..df2043ba47f 100644
--- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -69,7 +67,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Persistence"
+ "Tactic: Persistence",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index 976609b89df..1da8d4b0099 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index 83a6a7834e1..cdb7081845a 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
index 09f19c7c6e7..c57337e5f17 100644
--- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -29,7 +27,12 @@ references = [
 risk_score = 21
 rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Privilege Escalation",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml
index fe0d918514d..af8cc879b82 100644
--- a/rules/integrations/cloud_defend/container_workload_protection.toml
+++ b/rules/integrations/cloud_defend/container_workload_protection.toml
@@ -2,15 +2,13 @@
 creation_date = "2023/04/05"
 integration = ["cloud_defend"]
 maturity = "production"
-min_stack_comments = "Initial version of the Container Workload Protection alerts"
-min_stack_version = "8.8.0"
-updated_date = "2024/05/13"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to
-immediately begin triaging and investigating these alerts.
+Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you
+to immediately begin triaging and investigating these alerts.
 """
 enabled = true
 from = "now-10m"
@@ -39,3 +37,4 @@ type = "query"
 query = '''
 event.kind:alert and event.module:cloud_defend
 '''
+
diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
index 4311d3809d5..da057f623e1 100644
--- a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
@@ -2,52 +2,60 @@ creation_date = "2023/06/28" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment." +description = """ +This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a +container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or +facilitate a container breakout to the underlying cloud environment. +""" from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" name = "AWS Credentials Searched For Inside A Container" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] -references = [ - "https://sysdig.com/blog/threat-detection-aws-cloud-containers/", -] +references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"] risk_score = 47 rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767" severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' process where event.module == "cloud_defend" and event.type == "start" and /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") 
or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*") -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + - [rule.threat.tactic] - id = "TA0006" - reference = "https://attack.mitre.org/tactics/TA0006/" - name = "Credential Access" - [[rule.threat.technique]] - id = "T1552" - reference = "https://attack.mitre.org/techniques/T1552/" - name = "Unsecured Credentials" +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat.technique.subtechnique]] - id = "T1552.001" - reference = "https://attack.mitre.org/techniques/T1552/001/" - name = "Credentials In Files" diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml index 77b0d8b6a71..ad37dcc18f5 100644 --- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml @@ -2,9 +2,7 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
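Review bot: Changing the `query` delimiter from `"""` to `'''` switches the TOML string from a basic multi-line string (escape sequences processed) to a literal one (backslashes kept verbatim), so the text handed to the EQL engine can differ for any query containing a backslash. The query visible in this hunk has no backslashes, so its behavior is unchanged, but the same swap recurs in the hunks for credential_access_sensitive_keys_or_passwords_search, discovery_suspicious_network_tool_launched, execution_container_management_binary_launched, execution_file_made_executable_via_chmod, execution_interactive_shell_spawned and execution_netcat_listener_established, and any backslash-bearing query elsewhere in this batch would deserve the same check. This appears to be formatter output from the rule save path rather than a hand edit, so a one-time confirmation that the serializer only emits `'''` when the query contains no escape sequences would cover every file at once.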
@@ -21,7 +19,14 @@ name = "Sensitive Files Compression Inside A Container" risk_score = 47 rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1" severity = "medium" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", +] timestamp_override = "event.ingested" type = "eql" @@ -95,3 +100,4 @@ reference = "https://attack.mitre.org/techniques/T1560/001/" id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml index d1b2210cb67..dc8fd0b0b06 100644 --- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml 
@@ -2,30 +2,36 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine." +description = """ +This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords +inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container +environment or facilitate a container breakout to the underlying host machine. +""" from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" name = "Sensitive Keys Or Passwords Searched For Inside A Container" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] -references = [ - "https://sysdig.com/blog/cve-2021-25741-kubelet-falco/", -] +references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"] risk_score = 47 rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a" severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' process where container.id: "*" and event.type== "start" and (( /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ 
@@ -39,22 +45,24 @@ or (process.name in ("find", "locate", "mlocate") or process.args in ("find", "locate", "mlocate")) and process.args : ("*id_rsa*", "*id_dsa*") )) -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + - [rule.threat.tactic] - id = "TA0006" - reference = "https://attack.mitre.org/tactics/TA0006/" - name = "Credential Access" - [[rule.threat.technique]] - id = "T1552" - reference = "https://attack.mitre.org/techniques/T1552/" - name = "Unsecured Credentials" +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat.technique.subtechnique]] - id = "T1552.001" - reference = "https://attack.mitre.org/techniques/T1552/001/" - name = "Credentials In Files" diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml index 76e8dad4c46..14581165c8e 100644 --- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml +++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml 
@@ -2,17 +2,16 @@ creation_date = "2023/06/06" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. -The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying -the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and -has been used to evade detection of malicious processes in container environments. +This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a +container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the +dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to +grant unauthorized access to system resources and has been used to evade detection of malicious processes in container +environments. """ from = "now-6m" index = ["logs-cloud_defend*"] @@ -22,9 +21,9 @@ license = "Elastic License v2" name = "Modification of Dynamic Linker Preload Shared Object Inside A Container" references = [ "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", - "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", "https://sysdig.com/blog/threat-detection-aws-cloud-containers/", -] +] risk_score = 73 rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee" severity = "high" 
@@ -54,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1574/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml index cae35970e82..bb9fab55b3f 100644 --- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml 
@@ -2,73 +2,88 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container." -false_positives = [""" - There is a potential for false positives if the container is used for legitimate tasks that require the use of network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. - """] +description = """ +This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, +tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, +or exploitation, and should be monitored closely within a container. +""" +false_positives = [ + """ + There is a potential for false positives if the container is used for legitimate tasks that require the use of + network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any + alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate + container activity. 
+ """, +] from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" name = "Suspicious Network Tool Launched Inside A Container" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Command and Control", "Tactic: Reconnaissance"] risk_score = 47 rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50" severity = "medium" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Command and Control", + "Tactic: Reconnaissance", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' process where container.id: "*" and event.type== "start" and ( (process.name: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) or /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.args: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) ) -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] - id = "TA0007" - reference = "https://attack.mitre.org/tactics/TA0007/" - name = "Discovery" - - [[rule.threat.technique]] - id = "T1046" - reference = "https://attack.mitre.org/techniques/T1046/" - name = "Network Service Discovery" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" - 
[rule.threat.tactic] - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" - name = "Command and Control" - - [[rule.threat.technique]] - id = "T1105" - reference = "https://attack.mitre.org/techniques/T1105/" - name = "Ingress Tool Transfer" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + - [rule.threat.tactic] - id = "TA0043" - reference = "https://attack.mitre.org/tactics/TA0043/" - name = "Reconnaissance" +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" - [[rule.threat.technique]] - id = "T1595" - reference = "https://attack.mitre.org/techniques/T1595/" - name = "Active Scanning" diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml index 50f1e3610e6..24a7ee25a08 100644 --- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml 
@@ -2,16 +2,23 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration." -false_positives = [""" - There is a potential for false positives if the container is used for legitimate administrative tasks that require the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. - """] +description = """ +This rule detects when a container management binary is run from inside a container. These binaries are critical +components of many containerized environments, and their presence and execution in unauthorized containers could +indicate compromise or a misconfiguration. +""" +false_positives = [ + """ + There is a potential for false positives if the container is used for legitimate administrative tasks that require + the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is + important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity + or part of legitimate container activity. + """, +] from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" 
@@ -21,24 +28,32 @@ name = "Container Management Utility Run Inside A Container" risk_score = 21 rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50" severity = "low" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' process where container.id: "*" and event.type== "start" and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl") -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + - [rule.threat.tactic] - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - name = "Execution" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] - id = "T1609" - reference = "https://attack.mitre.org/techniques/T1609/" - name = "Container Administration Command" diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml index 6a8e4acd1ca..64fb497ec44 100644 --- a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container." +description = """ +This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file +permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized +or malicious code inside the container. +""" from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" 
@@ -18,45 +20,53 @@ name = "File Made Executable via Chmod Inside A Container" risk_score = 47 rule_id = "ec604672-bed9-43e1-8871-cf591c052550" severity = "medium" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' file where container.id: "*" and event.type in ("change", "creation") and /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.name : "chmod" or process.args : "chmod") and process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - name = "Execution" - [[rule.threat.technique]] - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - name = "Command and Scripting Interpreter" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = 
"https://attack.mitre.org/tactics/TA0005/" - [rule.threat.tactic] - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" - name = "Defense Evasion" - - [[rule.threat.technique]] - id = "T1222" - reference = "https://attack.mitre.org/techniques/T1222/" - name = "File and Directory Permissions Modification" - - [[rule.threat.technique.subtechnique]] - id = "T1222.002" - reference = "https://attack.mitre.org/techniques/T1222/002/" - name = "Linux and Mac File and Directory Permissions Modification" - diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml index 78e59f5f28e..16de26f880e 100644 --- a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml 
@@ -2,17 +2,16 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' -command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. -This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. -A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout. +command in a pod allows a user to establish a temporary shell session and execute any process/command inside the +container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a +container's shell. A malicious actor could use this level of access to further compromise the container environment or +attempt a container breakout. """ false_positives = [ """ @@ -37,7 +36,13 @@ references = [ risk_score = 73 rule_id = "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1" severity = "high" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", +] timestamp_override = "event.ingested" type = "eql" 
@@ -57,23 +62,24 @@ process.interactive == true [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" - [rule.threat.tactic] - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - name = "Execution" - [[rule.threat.technique]] - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - name = "Command and Scripting Interpreter" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique.subtechnique]] - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - name = "Unix Shell" - - [[rule.threat.technique]] - id = "T1609" - name = "Container Administration Command" - reference = "https://attack.mitre.org/techniques/T1609/" diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml index 12ba616f380..55c5ccec6c3 100644 --- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml 
@@ -2,16 +2,19 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host." -false_positives = [""" - Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container resulting in false positives. - """ +description = """ +This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential +container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host. +""" +false_positives = [ + """ + Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container + resulting in false positives. + """, ] from = "now-6m" index = ["logs-cloud_defend*"] @@ -19,14 +22,20 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "Suspicious Interactive Shell Spawned From Inside A Container" -tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] risk_score = 73 rule_id = "8d3d0794-c776-476b-8674-ee2e685f6470" severity = "high" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", +] timestamp_override = "event.ingested" type = "eql" -query = """ +query = ''' process where container.id: "*" and event.type== "start" and 
@@ -37,22 +46,24 @@ event.action in ("fork", "exec") and event.action != "end" (process.executable: "*/*sh" and process.args: ("-i", "-it")) or process.args: "*/*sh" ) -""" +''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + - [rule.threat.tactic] - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - name = "Execution" - [[rule.threat.technique]] - id = "T1059" - reference = "https://attack.mitre.org/techniques/T1059/" - name = "Command and Scripting Interpreter" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique.subtechnique]] - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - name = "Unix Shell" diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml index 3557818cd73..c739bdcdcbf 100644 --- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml 
@@ -2,16 +2,23 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -min_stack_comments = "New Integration: Cloud Defend" -min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = "This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence or exfiltrating data." -false_positives = [""" - There is a potential for false positives if the container is used for legitimate tasks that require the use of netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. - """] +description = """ +This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and +writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for +persistence or exfiltrating data. +""" +false_positives = [ + """ + There is a potential for false positives if the container is used for legitimate tasks that require the use of + netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts + generated by this rule to determine if they are indicative of malicious activity or part of legitimate container + activity. + """, +] from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" 
@@ -21,11 +28,17 @@ name = "Netcat Listener Established Inside A Container"
 risk_score = 73
 rule_id = "a52a9439-d52c-401c-be37-2785235c6547"
 severity = "high"
-tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+]
 timestamp_override = "event.ingested"
 type = "eql"
-query = """
+query = '''
 process where container.id: "*" and event.type== "start" and event.action in ("fork", "exec") and (
@@ -38,22 +51,24 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") /* bind shell to specific port */ or process.args:("-*l*", "--listen", "-*p*", "--source-port") )
-"""
+'''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
- [rule.threat.tactic]
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
- name = "Execution"
- [[rule.threat.technique]]
- id = "T1059"
- reference = "https://attack.mitre.org/techniques/T1059/"
- name = "Command and Scripting Interpreter"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
- [[rule.threat.technique.subtechnique]]
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
- name = "Unix Shell"
diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml
index 09e02b6b142..d4cdae3dcc6 100644
--- a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml
@@ -2,21 +2,20 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-min_stack_comments = "New Integration: Cloud Defend"
-min_stack_version = "8.8.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside
-a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use
-it to gain initial access or establish persistence within a compromised environment.
+This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a
+container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it
+to gain initial access or establish persistence within a compromised environment.
 """
-false_positives = ["""
- SSH usage may be legitimate depending on the environment.
- Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior.
- """
+false_positives = [
+ """
+ SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed
+ to distinguish between authorized and potentially malicious behavior.
+ """,
 ]
 from = "now-6m"
 index = ["logs-cloud_defend*"]
@@ -24,13 +23,20 @@ interval = "5m"
 language = "eql"
 license = "Elastic License v2"
 name = "SSH Connection Established Inside A Running Container"
-references = [
+references = [
 "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/",
 ]
 risk_score = 73
 rule_id = "f5488ac1-099e-4008-a6cb-fb638a0f0828"
 severity = "high"
-tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement"]
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Lateral Movement",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -55,12 +61,11 @@ id = "T1133"
 name = "External Remote Services"
 reference = "https://attack.mitre.org/techniques/T1133/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -72,7 +77,10 @@ id = "T1021.004"
 name = "SSH"
 reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
index 3b63f77876b..5ed644ebed5 100644
--- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
@@ -2,21 +2,21 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-min_stack_comments = "New Integration: Cloud Defend"
-min_stack_version = "8.8.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process.
-SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to
-other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.
+This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and
+server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With
+valid credentials an attacker may move laterally to other containers or to the underlying host through container
+breakout. They may also use valid SSH credentials as a persistence mechanism.
 """
-false_positives = ["""
- SSH usage may be legitimate depending on the environment.
- Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior.
- """
+false_positives = [
+ """
+ SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed
+ to distinguish between authorized and potentially malicious behavior.
+ """,
 ]
 from = "now-6m"
 index = ["logs-cloud_defend*"]
@@ -24,14 +24,21 @@ interval = "5m"
 language = "eql"
 license = "Elastic License v2"
 name = "SSH Process Launched From Inside A Container"
-references = [
+references = [
 "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/",
 "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/",
 ]
 risk_score = 73
 rule_id = "03a514d9-500e-443e-b6a9-72718c548f6c"
 severity = "high"
-tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"]
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -53,11 +60,12 @@ id = "T1021.004"
 name = "SSH"
 reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -65,6 +73,7 @@ id = "T1133"
 name = "External Remote Services"
 reference = "https://attack.mitre.org/techniques/T1133/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
index 9e40863fbcc..30220e18f92 100644
--- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
@@ -2,17 +2,15 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-min_stack_comments = "New Integration: Cloud Defend"
-min_stack_version = "8.8.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container.
-The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication.
-Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
-Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.
+This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure
+Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication.
+Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and
+unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.
 """
 from = "now-6m"
 index = ["logs-cloud_defend*"]
@@ -23,7 +21,14 @@ name = "SSH Authorized Keys File Modified Inside a Container"
 risk_score = 73
 rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3"
 severity = "high"
-tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Lateral Movement"]
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Lateral Movement",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -44,15 +49,24 @@ id = "T1098.004"
 name = "SSH Authorized Keys"
 reference = "https://attack.mitre.org/techniques/T1098/004/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+
 [[rule.threat.technique]]
 id = "T1563"
 name = "Remote Service Session Hijacking"
@@ -62,16 +76,10 @@ id = "T1563.001"
 name = "SSH Hijacking"
 reference = "https://attack.mitre.org/techniques/T1563/001/"
-[[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
-[[rule.threat.technique.subtechnique]]
-id = "T1021.004"
-name = "SSH"
-reference = "https://attack.mitre.org/techniques/T1021/004/"
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
index 7d3c3b6c284..e02c4778a14 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-min_stack_comments = "New Integration: Cloud Defend"
-min_stack_version = "8.8.0"
-updated_date = "2023/12/18"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
index 5b9bb8a9d8d..8c44e8b3c60 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-min_stack_comments = "New Integration: Cloud Defend"
-min_stack_version = "8.8.0"
-updated_date = "2023/12/14"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
index 59d455b4410..014a64956d8 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
@@ -2,10 +2,8 @@
 creation_date = "2021/06/23"
 integration = ["cyberarkpas"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
 promotion = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,12 @@ risk_score = 73
 rule_id = "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54"
 rule_name_override = "event.action"
 severity = "high"
-tags = ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
+tags = [
+ "Data Source: CyberArk PAS",
+ "Use Case: Log Auditing",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
index 9c63474aa4a..4fd99826fe8 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
@@ -2,10 +2,8 @@
 creation_date = "2021/06/23"
 integration = ["cyberarkpas"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
 promotion = true
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,12 @@ risk_score = 73
 rule_id = "c5f81243-56e0-47f9-b5bb-55a5ed89ba57"
 rule_name_override = "event.action"
 severity = "high"
-tags = ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
+tags = [
+ "Data Source: CyberArk PAS",
+ "Use Case: Log Auditing",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
index 0291e681351..55bf68afc0f 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New rule"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 75
@@ -19,6 +17,13 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code"
 name = "Potential Data Exfiltration Activity to an Unusual ISO Code"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "e1db8899-97c1-4851-8993-3a3265353601"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -45,13 +50,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "e1db8899-97c1-4851-8993-3a3265353601"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
index 71f7de4c7ec..88a012b6e29 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New rule"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 75
@@ -19,6 +17,13 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_sent_bytes_destination_ip"
 name = "Potential Data Exfiltration Activity to an Unusual IP Address"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "cc653d77-ddd2-45b1-9197-c75ad19df66c"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -45,13 +50,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "cc653d77-ddd2-45b1-9197-c75ad19df66c"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
index 7d5b38f0403..20d6850ca12 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New rule"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 75
@@ -18,6 +16,13 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_sent_bytes_destination_port"
 name = "Potential Data Exfiltration Activity to an Unusual Destination Port"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "ef8cc01c-fc49-4954-a175-98569c646740"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -44,13 +49,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "ef8cc01c-fc49-4954-a175-98569c646740"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
index 69708440927..1a3e7ef8555 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New rule"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 75
@@ -19,6 +17,13 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_sent_bytes_destination_region_name"
 name = "Potential Data Exfiltration Activity to an Unusual Region"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "bfba5158-1fd6-4937-a205-77d96213b341"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -45,13 +50,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "bfba5158-1fd6-4937-a205-77d96213b341"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
index a560d7cd27a..b62f5b16920 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-min_stack_comments = "New rule"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 75
@@ -19,6 +17,13 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_bytes_written_to_external_device"
 name = "Spike in Bytes Sent to an External Device"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "35a3b253-eea8-46f0-abd3-68bdd47e6e3d"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -44,13 +49,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "35a3b253-eea8-46f0-abd3-68bdd47e6e3d"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
index 7a30d8d9b24..d484668f893 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-min_stack_comments = "New rule"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 75
@@ -20,6 +18,13 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop"
 name = "Spike in Bytes Sent to an External Device via Airdrop"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -45,13 +50,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
index cdc7a88d3b4..fc98cc66a3f 100644
--- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
+++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-min_stack_comments = "New rule"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 75
@@ -19,6 +17,13 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "ded_rare_process_writing_to_external_device"
 name = "Unusual Process Writing Data to an External Device"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded",
+ "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99"
 setup = """## Setup
 The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
@@ -44,13 +49,6 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/ded",
- "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
-]
-risk_score = 21
-rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99"
 severity = "low"
 tags = [
 "Use Case: Data Exfiltration Detection",
diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
index d6550b0d420..47b2a9d9957 100644
--- a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
+++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/14"
 integration = ["dga", "endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "DGA package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,13 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Machine Learning Detected DGA activity using a known SUNBURST DNS domain"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga",
+ "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
+]
+risk_score = 99
+rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766"
 setup = """## Setup
 
 The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat.
@@ -63,13 +68,6 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio
 }
 ```
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/dga",
- "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
-]
-risk_score = 99
-rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766"
 severity = "critical"
 tags = [
 "Domain: Network",
diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
index 76e884d760f..0830449ff22 100644
--- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
+++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/14"
 integration = ["dga", "endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "DGA package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 
 [rule]
 anomaly_threshold = 70
@@ -19,6 +17,13 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "dga_high_sum_probability"
 name = "Potential DGA Activity"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga",
+ "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
+]
+risk_score = 21
+rule_id = "ff0d807d-869b-4a0d-a493-52bc46d2f1b1"
 setup = """## Setup
 
 The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat.
@@ -72,13 +77,6 @@ Before you can enable this rule, you'll need to enable the corresponding Anomaly
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json) configuration file, you will see a card for DGA under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/dga",
- "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
-]
-risk_score = 21
-rule_id = "ff0d807d-869b-4a0d-a493-52bc46d2f1b1"
 severity = "low"
 tags = [
 "Use Case: Domain Generation Algorithm Detection",
diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml
index 88007164d87..dca1fb0b3b9 100644
--- a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml
+++ b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/14"
 integration = ["dga", "endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "DGA package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,13 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Machine Learning Detected a DNS Request With a High DGA Probability Score"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga",
+ "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
+]
+risk_score = 21
+rule_id = "da7f5803-1cd4-42fd-a890-0173ae80ac69"
 setup = """## Setup
 
 The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat.
@@ -63,13 +68,6 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio
 }
 ```
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/dga",
- "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
-]
-risk_score = 21
-rule_id = "da7f5803-1cd4-42fd-a890-0173ae80ac69"
 severity = "low"
 tags = [
 "Domain: Network",
diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml
index 79e0bc018a6..ef50f101169 100644
--- a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml
+++ b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/14"
 integration = ["dga", "endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "DGA package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +15,13 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Machine Learning Detected a DNS Request Predicted to be a DGA Domain"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga",
+ "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
+]
+risk_score = 21
+rule_id = "f3403393-1fd9-4686-8f6e-596c58bc00b4"
 setup = """## Setup
 
 The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat.
@@ -63,13 +68,6 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio
 }
 ```
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/dga",
- "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
-]
-risk_score = 21
-rule_id = "f3403393-1fd9-4686-8f6e-596c58bc00b4"
 severity = "low"
 tags = [
 "Domain: Network",
diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
index ddc45fe6865..7353bf7fcc6 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -2,10 +2,8 @@
 creation_date = "2020/07/08"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/05/13"
 promotion = true
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index afc316a77bf..3d33d2ee993 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "d62b64a8-a7c9-43e5-aee3-15a725a794e7"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Collection",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index de979e3009e..701fd52c77f 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/pubsub/docs/admin"]
 risk_score = 21
 rule_id = "a10d3d9d-0f65-48f1-8b25-af175e2594f5"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Collection",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index f19f55da16b..bf65a769bb5 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,13 @@ references = [
 risk_score = 21
 rule_id = "30562697-9859-4ae0-a8c5-dab45d664170"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index 68d787f49bb..2bd5d930541 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,13 @@ references = [
 risk_score = 47
 rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index 3f219874af8..ae5126fc5fb 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,13 @@ references = [
 risk_score = 47
 rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index 5e66bedffac..a9e9ba23557 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,13 @@ references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.go
 risk_score = 47
 rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index cb523589193..3b91941b1cc 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/18"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/logging/docs/export"]
 risk_score = 47
 rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index 03c2b9b4a97..d81d4f1c70e 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index df8980906ee..b0c2ba3b66a 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/18"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "3202e172-01b1-4738-a932-d024c514ba72"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index b1f8119e794..58c3e161484 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +27,13 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 93d434aa0f7..5aa2543b2d8 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +28,13 @@ references = ["https://cloud.google.com/storage/docs/access-control/iam-permissi
 risk_score = 47
 rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
index 9d7467ce9be..ae837651b9c 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/vpc/docs/vpc"]
 risk_score = 47
 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
index d8ab78834fc..14e579912ce 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 21
 rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
index 9084f33dcf6..b0b775a5f06 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 47
 rule_id = "a17bcc91-297b-459b-b5ce-bc7460d8f82a"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index 28408b63947..c1b0254c4f0 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
 risk_score = 21
 rule_id = "184dfe52-2999-42d9-b9d1-d1ca54495a61"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Exfiltration"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Log Auditing",
+ "Tactic: Exfiltration",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index 4bd608d6896..c999c7eebe1 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/iam/docs/understanding-roles"]
 risk_score = 21
 rule_id = "e2fb5b18-e33c-4270-851e-c3d675c9afcd"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index 15b278eef14..7f30b45a128 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,13 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index 5f4640b988e..034f249af9b 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,13 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "bca7d28e-4a48-47b1-adb7-5074310e9a61"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index b4c74cf818c..cfc19dbb136 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index a412746fc16..fbf52054537 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +29,13 @@ references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
 risk_score = 47
 rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 894d12936f7..18048b305d9 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,13 @@ references = [
 risk_score = 21
 rule_id = "9890ee61-d061-403d-9bf6-64934c51f638"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index 8ee7350643e..07b969e6a80 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +34,13 @@ references = [
 risk_score = 21
 rule_id = "0e5acaae-6a64-4bbc-adb8-27649c03f7e1"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 4207b15ffdb..b929f9b69a2 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,13 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"] risk_score = 21 rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623" severity = "low" -tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"] +tags = [ + "Domain: Cloud", + "Data Source: GCP", + "Data Source: Google Cloud Platform", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml index d38ee949682..d85163a5c79 100644 --- a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml +++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml 
@@ -2,18 +2,15 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/30" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules -can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in -your repository. Changes to these protected branch settings should be investigated and verified as legitimate -activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed -for future attacks. +This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be +used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. +Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized +changes could be used to lower your organization's security posture and leave you exposed for future attacks. """ from = "now-9m" index = ["logs-github.audit-*"] @@ -26,11 +23,13 @@ severity = "medium" tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"] timestamp_override = "event.ingested" type = "eql" + query = ''' configuration where event.dataset == "github.audit" - and github.category == "protected_branch" and event.type == "change" + and github.category == "protected_branch" and event.type == "change" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml index 891c181759a..b49bc9b3389 100644 
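Review bot: The indentation of the `and github.category == "protected_branch" and event.type == "change"` line changes inside the `'''` query literal, so the query string value itself differs between old and new, not only the file layout. EQL tolerates the whitespace, but if the rule's content hash is computed over the raw query text this is a content change on top of the metadata drop; worth confirming that is intended for a rule that is otherwise only losing `min_stack_version` and `min_stack_comments`. The `[[rule.threat]]` table continues past the end of the hunk.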
--- a/rules/integrations/github/execution_github_app_deleted.toml +++ b/rules/integrations/github/execution_github_app_deleted.toml @@ -2,15 +2,11 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/11" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Detects the deletion of a GitHub app either from a repo or an organization. -""" +description = "Detects the deletion of a GitHub app either from a repo or an organization.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -19,11 +15,7 @@ name = "GitHub App Deleted" risk_score = 21 rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Github" - ] +tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"] timestamp_override = "event.ingested" type = "eql" @@ -31,6 +23,7 @@ query = ''' configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -43,3 +36,4 @@ reference = "https://attack.mitre.org/techniques/T1648/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml index dfa81e0277d..85da5ced62c 100644 --- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml +++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml 
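Review bot: The collapsed `description = "Detects the deletion of a GitHub app either from a repo or an organization.\n"` keeps a trailing `\n` that only existed because the old `"""` literal ended with a newline before its closing delimiter, so the new form is value-identical but the escape now reads as deliberate. If the description is meant to be a single sentence, `description = "Detects the deletion of a GitHub app either from a repo or an organization."` is the cleaner serialization; if the trailing newline feeds the content hash, keep it as written but it is worth a comment in the serializer. No other file in this chunk is collapsed this way; they keep their `"""` blocks.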
@@ -2,14 +2,13 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects a high number of unique private repo clone events originating from a single personal access token within a short time period. +Detects a high number of unique private repo clone events originating from a single personal access token within a short +time period. """ from = "now-6m" index = ["logs-github.audit-*"] @@ -19,12 +18,13 @@ name = "High Number of Cloned GitHub Repos From PAT" risk_score = 21 rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "threshold" @@ -34,6 +34,7 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal github.repository_public:false ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -50,7 +51,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.threshold] field = ["github.hashed_token"] value = 1 - [[rule.threshold.cardinality]] field = "github.repo" value = 10 + + diff --git a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml index 2908f7b3e87..b055bbe42af 100644 --- a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml +++ b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml 
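Review bot: The file now ends with two appended blank lines (`+` `+` after `value = 10`), and the same double trailing newline appears at the end of execution_github_ueba_multiple_behavior_alerts_from_account.toml, defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml and google_workspace_alert_center_promotion.toml, while execution_github_app_deleted.toml and impact_github_repository_deleted.toml get a single one. The serializer that rewrote these files presumably emits a blank line after each table, which makes the EOF whitespace depend on which table happens to come last. Normalising to exactly one trailing newline would keep the files stable under editors and pre-commit hooks that strip trailing whitespace, and avoid a spurious diff the next time a rule is saved.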
@@ -1,17 +1,14 @@ [metadata] creation_date = "2023/12/14" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/18" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to -determine when multiple alerts are executed by the same user in a timespan of one hour. -Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user -accounts or PATs. +This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when +multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and +response, as these alerts are a higher indicator of compromised user accounts or PATs. """ from = "now-60m" index = [".alerts-security.*"] @@ -21,13 +18,14 @@ name = "GitHub UEBA - Multiple Alerts from a GitHub Account" risk_score = 47 rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec" severity = "medium" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: Higher-Order Rule", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: Higher-Order Rule", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "threshold" @@ -35,6 +33,7 @@ query = ''' signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open" ''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -46,7 +45,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.threshold] field = ["user.name"] value = 1 - [[rule.threshold.cardinality]] field = "signal.rule.name" value = 5 + + 
diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml index 2d07e6bb6ba..8d63b58be15 100644 --- a/rules/integrations/github/execution_new_github_app_installed.toml +++ b/rules/integrations/github/execution_new_github_app_installed.toml @@ -2,18 +2,16 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/03" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects when a new GitHub App has been installed in your organization account. -GitHub Apps extend GitHub's functionality both within and outside of GitHub. -When an app is installed it is granted permissions to read or modify your repository and organization data. -Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. -Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks. +This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's +functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify +your repository and organization data. Only trusted apps should be installed and any newly installed apps should be +investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture +and leave you exposed for future attacks. """ from = "now-9m" index = ["logs-github.audit-*"] 
@@ -26,10 +24,12 @@ severity = "medium" tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"] timestamp_override = "event.ingested" type = "eql" + query = ''' configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -38,7 +38,6 @@ name = "Software Deployment Tools" reference = "https://attack.mitre.org/techniques/T1072/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml index 9eebd68aea8..c75c9c689d8 100644 --- a/rules/integrations/github/impact_github_repository_deleted.toml +++ b/rules/integrations/github/impact_github_repository_deleted.toml 
@@ -2,19 +2,15 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects when a GitHub repository is deleted within your organization. -Repositories are a critical component used within an organization to manage work, -collaborate with others and release products to the public. Any delete action against -a repository should be investigated to determine it's validity. Unauthorized deletion -of organization repositories could cause irreversible loss of intellectual property and -indicate compromise within your organization. +This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component +used within an organization to manage work, collaborate with others and release products to the public. Any delete +action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization +repositories could cause irreversible loss of intellectual property and indicate compromise within your organization. """ from = "now-9m" index = ["logs-github.audit-*"] @@ -24,18 +20,21 @@ name = "GitHub Repository Deleted" risk_score = 47 rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b" severity = "medium" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" + query = ''' configuration where event.module == "github" and event.action == "repo.destroy" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
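Review bot: The rewrapped description keeps the typo `it's validity`; since the line is being rewritten anyway, `action against a repository should be investigated to determine its validity. Unauthorized deletion of organization` is the moment to fix it. The same `it's validity` survives the rewrap of the description in persistence_github_org_owner_added.toml in the next file section. Fixing the wording is a content change to the description, so it belongs with this update rather than a later one.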
@@ -44,8 +43,8 @@ name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml index 7fd963c9fe6..df89d4bd008 100644 --- a/rules/integrations/github/persistence_github_org_owner_added.toml +++ b/rules/integrations/github/persistence_github_org_owner_added.toml @@ -2,16 +2,14 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects when a new member is added to a GitHub organization as an owner. -This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. -Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. +Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any +new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise +within your organization and provide unlimited access to data and settings. """ from = "now-9m" index = ["logs-github.audit-*"] 
@@ -21,18 +19,21 @@ name = "New GitHub Owner Added" risk_score = 47 rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9" severity = "medium" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" + query = ''' iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,6 +46,7 @@ name = "Cloud Account" reference = "https://attack.mitre.org/techniques/T1136/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml index 08adb684912..7c31e52610b 100644 --- a/rules/integrations/github/persistence_organization_owner_role_granted.toml +++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects when a member is granted the organization owner role of a GitHub organization. -This role provides admin level privileges. Any new owner role should be investigated to determine its validity. -Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. +This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides +admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles +could indicate compromise within your organization and provide unlimited access to data and settings. """ from = "now-9m" index = ["logs-github.audit-*"] @@ -21,18 +19,21 @@ name = "GitHub Owner Role Granted To User" risk_score = 47 rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4" severity = "medium" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" + query = ''' iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,6 +46,7 @@ name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml index 87875196e6f..3b0bb139b97 100644 --- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml +++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/24" integration = ["google_workspace"] maturity = "production" -min_stack_comments = "Breaking changes for Google Workspace integration." -min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -82,7 +80,12 @@ references = ["https://support.google.com/a/answer/1247799?hl=en"] risk_score = 47 rule_id = "07b5f85a-240f-11ed-b3d9-f661ea17fbce" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Tactic: Collection", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml index 0cfba8bdd98..2f9485b97b3 100644 --- a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml +++ b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/09/13" integration = ["google_workspace"] maturity = "production" -min_stack_comments = "Breaking changes for Google Workspace integration." -min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -82,7 +80,12 @@ references = ["https://support.google.com/a/answer/2685650?hl=en"] risk_score = 47 rule_id = "9510add4-3392-11ed-bd01-f661ea17fbce" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Tactic: Collection", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml index 32f0a1a9258..32ca309972a 100644 --- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml +++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml @@ -2,9 +2,7 @@ creation_date = "2023/03/21" integration = ["google_workspace"] maturity = "production" -min_stack_comments = "Breaking changes for Google Workspace integration." -min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml index 98380cea753..422ba0189ba 100644 
--- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml +++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -min_stack_comments = "Breaking changes for Google Workspace integration." -min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -90,7 +88,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide", - "Tactic: Defense Evasion" + "Tactic: Defense Evasion", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml index f97647f948b..1b92225d220 100644 --- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml +++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -min_stack_comments = "Breaking changes for Google Workspace integration." -min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -85,7 +83,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml index 073d40ed61c..e16f5f51216 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml @@ -2,9 +2,7 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -min_stack_comments = "Breaking changes for Google Workspace integration." -min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -85,7 +83,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml index 703af0aefe3..600ad32787a 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml 
@@ -2,18 +2,19 @@ creation_date = "2023/03/30" integration = ["google_workspace"] maturity = "production" -min_stack_comments = "Breaking changes for Google Workspace integration." -min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges. +Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant +permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could +allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges. """ false_positives = [ """ - Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks. + Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for + administrative tasks. """, ] from = "now-130m" @@ -67,7 +68,6 @@ reference = "https://attack.mitre.org/techniques/T1550/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -89,7 +89,8 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["google_workspace.token.client.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-15d" \ No newline at end of file +value = "now-15d" + + 
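Review bot: The rewrapped description keeps `logs in and authenticated with OAuth`, which mixes tenses; `Detects the first time a third-party application logs in and authenticates with OAuth. OAuth is used to grant` reads correctly. Since the line is already rewritten by this commit, fixing the wording adds no extra diff noise. The rest of the description and the `false_positives` entry are rewrapped without wording changes.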
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml index 5e34dce622f..771d2750a38 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -min_stack_comments = "Breaking changes for Google Workspace integration." -min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -94,7 +92,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml index d369794ed3c..65f289b2659 100644 --- a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml +++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml @@ -2,10 +2,8 @@ creation_date = "2023/01/15" integration = ["google_workspace"] maturity = "production" -min_stack_comments = "Google Workspace feature only present in 8.4+ stack versions" -min_stack_version = "8.4.0" -updated_date = "2023/06/22" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -38,7 +36,12 @@ risk_score = 73 rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc" rule_name_override = "google_workspace.alert.type" severity = "high" -tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Log Auditing", "Use Case: Threat Detection"] +tags = [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Log Auditing", + "Use Case: Threat Detection", +] timestamp_override = "event.ingested" type = "query" @@ -46,21 +49,23 @@ query = ''' event.dataset: google_workspace.alert ''' + [[rule.severity_mapping]] field = "google_workspace.alert.metadata.severity" -value = "LOW" operator = "equals" severity = "low" +value = "LOW" [[rule.severity_mapping]] field = "google_workspace.alert.metadata.severity" -value = "MEDIUM" operator = "equals" severity = "medium" +value = "MEDIUM" [[rule.severity_mapping]] field = "google_workspace.alert.metadata.severity" -value = "HIGH" operator = "equals" severity = "high" +value = "HIGH" + diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml index 14aedf96052..747f1ff2ffa 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -min_stack_comments = "Breaking changes for Google Workspace integration." -min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -85,7 +83,7 @@ tags = [ "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Impact", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
index 482baaafd1f..9999e04f1b5 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
index 74015523b76..c023a887bf0 100644
--- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
+++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/02/16"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml b/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
index 3d9429701d2..73a01ef943d 100644
--- a/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/03/07"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -91,7 +89,12 @@ references = [
 risk_score = 47
 rule_id = "f33e68a4-bd19-11ed-b02f-f661ea17fbcc"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Initial Access", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 
 query = '''
diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
index 76b673f2d0c..379476c08dc 100644
--- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -42,7 +40,12 @@ references = ["https://support.google.com/a/answer/1110339"]
 risk_score = 21
 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
index d59bb7cebaa..d7eb4ce5531 100644
--- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
+++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -89,7 +87,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
index 9a5cac6aeca..0d47da77d01 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/26"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -89,7 +87,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index a99d257299c..78b80ba643e 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -92,7 +90,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index 570539eebff..eb8bc2a6282 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/12"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +81,13 @@ references = ["https://developers.google.com/admin-sdk/directory/v1/guides/deleg
 risk_score = 47
 rule_id = "acbc8bb9-2486-49a8-8779-45fb5f9a93ee"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index 770238e7a6e..1a5b51af505 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +83,13 @@ references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
index 21f071d546d..6181ee74c49 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -87,7 +85,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index 672b61c7883..fae520fa6e7 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -87,7 +85,13 @@ references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
index fc0fc257654..bec0569605e 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -91,7 +89,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
index 5a0fc0bd2a5..098cfa6157e 100644
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-min_stack_comments = "Breaking changes for Google Workspace integration."
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +83,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
index b04db4c49c1..50e54311ef7 100644
--- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index 2c1f88b33e3..d0589a903d9 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/06/30"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index 0834391421b..1c134a8e0b8 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/05/17"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index 6da38310c01..2fd9df0a9e0 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -2,10 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/23"
-
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index 2d649630771..84e57ae7e00 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
index 6389cbb8ec1..ab1756c91af 100644
--- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/09/20"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index 6b261fa4c6d..6b67122e530 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index 770e16e076c..e1e7005a68c 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index d40d9a87af8..49a1dec6249 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
index b91cc231599..20c8c18652f 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/07/11"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index 39639d75a39..f1f93659d1d 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
index 97e333ac0ea..051c4b214e9 100644
--- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-min_stack_comments = "New fields added to Kubernetes Integration"
-min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
index 57b927c85fd..fdac1aa8b75 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 @@ -19,6 +17,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_mean_rdp_process_args" name = "High Mean of Process Arguments in an RDP Session" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
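Review bot: Dropping `min_stack_version = "8.9.0"` from this ML rule leaves it with no declared compatibility floor, and the removed `min_stack_comments` ("LMD package job ID and rule removal updates") suggests the `machine_learning_job_id` it references was introduced or renamed with that package version, so the rule presumably cannot be loaded on an older stack. That is only safe if 8.9 is now the oldest branch the release tooling still builds, which this hunk cannot show by itself; 8.9.0 is exactly the trim boundary, whereas the earlier google_workspace and kubernetes hunks drop 8.4.0, well below it. A one-line statement of the new floor in the PR description would make the assumption explicit. The same applies to the other lmd rule files in this diff (`lateral_movement_ml_high_mean_rdp_session_duration.toml`, `lateral_movement_ml_high_remote_file_size.toml`, `lateral_movement_ml_high_variance_rdp_session_duration.toml`, `lateral_movement_ml_rare_remote_file_directory.toml`, `lateral_movement_ml_rare_remote_file_extension.toml`, `lateral_movement_ml_spike_in_connections_from_a_source_ip.toml`).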
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml index c88ed4a04e7..619c08ec281 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 
@@ -19,6 +17,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_mean_rdp_session_duration" name = "High Mean of RDP Session Duration" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. @@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml index cec48ce9680..f2930aca5a6 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml 
+++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 @@ -20,6 +18,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_file_size_remote_file_transfer" name = "Unusual Remote File Size" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml index 83e027be23f..f2072d40f55 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 
@@ -19,6 +17,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_var_rdp_session_duration" name = "High Variance in RDP Session Duration" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. @@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml index 8528ef1ce1a..283fd17854a 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml 
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 @@ -19,6 +17,14 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_rare_file_path_remote_transfer" name = "Unusual Remote File Directory" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
@@ -44,14 +50,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml index 1e67d54e040..fad3bd17f58 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml +++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -min_stack_comments = "LMD package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [rule] anomaly_threshold = 70 
@@ -18,6 +16,14 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_rare_file_extension_remote_transfer"
 name = "Unusual Remote File Extension"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -43,14 +49,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
index 6717d596f81..0c1dccd6c10 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-min_stack_comments = "LMD package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 70
@@ -19,6 +17,14 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source"
 name = "Spike in Number of Connections Made from a Source IP"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
index e9812f200e9..d3193f054d7 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-min_stack_comments = "LMD package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 70
@@ -19,6 +17,14 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination"
 name = "Spike in Number of Connections Made to a Destination IP"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
index f9f27d852dd..cdb15b8e932 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-min_stack_comments = "LMD package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 70
@@ -18,6 +16,14 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes"
 name = "Spike in Number of Processes in an RDP Session"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -44,14 +50,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
index 23f283148b9..7abc56dfef5 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-min_stack_comments = "LMD package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 70
@@ -20,6 +18,14 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_count_remote_file_transfer"
 name = "Spike in Remote File Transfers"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
index 8819bf40ed0..d16f9cba327 100644
--- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-min_stack_comments = "LMD package job ID and rule removal updates"
-min_stack_version = "8.9.0"
-updated_date = "2023/12/12"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 70
@@ -19,6 +17,14 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start"
 name = "Unusual Time or Day for an RDP Session"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -45,14 +51,6 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
index 332e71150a4..9cd9d0b4429 100644
--- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
+++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/29"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Gary Blackwell", "Austin Songer"]
diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index 862240ebb40..eefc98fb4d2 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
@@ -30,9 +28,14 @@ references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-u
 risk_score = 73
 rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
-type = "threshold"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
 timestamp_override = "event.ingested"
+type = "threshold"
 query = '''
 event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index b709ca3dec9..697a0f7718e 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/01"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -30,9 +28,14 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured
 risk_score = 73
 rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
-type = "threshold"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
 timestamp_override = "event.ingested"
+type = "threshold"
 query = '''
 event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index 58d24cb0497..f74a123e361 100644
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -29,9 +27,14 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured
 risk_score = 73
 rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
-type = "threshold"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
 timestamp_override = "event.ingested"
+type = "threshold"
 query = '''
 event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index 8f99baefdef..77bc6a6dfa9 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,12 @@ references = [
 risk_score = 47
 rule_id = "60f3adec-1df9-4104-9c75-b97d9f078b25"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index c160e5ed558..ec5a1d9bbc5 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,12 @@ references = [
 risk_score = 47
 rule_id = "d743ff2a-203e-4a46-a3e3-40512cfe8fbb"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index b7384af5a46..3a8e0b5063c 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,12 @@ references = [
 risk_score = 47
 rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index df89e34c06e..9d9933ff325 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,12 @@ references = [
 risk_score = 21
 rule_id = "03024bd9-d23f-4ec1-8674-3cf1a21e130b"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
index 147b3d4a33a..c702bee9a9c 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/13"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 4cb6fe52e78..b000de68c75 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index b765b557589..1d3f8d6595f 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index d562df516f4..d249e245d1a 100644
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index 288995e6a39..91ff9f58844 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
index 90fe94c86f4..517c52cf466 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/07/18"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/05/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -34,15 +32,20 @@ note = """## Triage and analysis
 - User changing of ClientAppId or new connection post an extended period of leave.
 - If the total number of accessed Mailboxes by ClientAppId is too high there is a high chance it's a false positive.
 """
+references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"]
+risk_score = 47
+rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2"
 setup = """## Setup
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
-references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"]
-risk_score = 47
-rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -107,10 +110,11 @@ id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["o365.audit.ClientAppId"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-25d"
+
+
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index c08ab9f6604..19722674349 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
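Review bot: The last hunk of this file appends two empty lines at end of file (the two bare `+` lines after `value = "now-25d"`) while dropping the blank line before `[rule.new_terms]`; no other rule file in this commit gains trailing blank lines, so this looks like an artefact of the tool that re-saved the rule rather than an intended edit, and the file should end with a single newline like its siblings. Separately, removing `min_stack_version = "8.8.0"` together with its `min_stack_comments` note about the 8.8.0 breaking change in the Microsoft 365 integration is only safe if the lowest stack this rule can be shipped to is already at or above 8.8.0; that assumption is no longer recorded anywhere in the file, so it is worth stating it in the commit description or keeping a short comment in the rule.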
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,12 @@ references = [
 risk_score = 47
 rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index 61782f36120..71db20bf46d 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,12 @@ references = [
 risk_score = 47
 rule_id = "97314185-2568-4561-ae81-f3e480e5e695"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index a9b2dd6b3ef..c0734782b56 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -33,7 +31,12 @@ references = [
 risk_score = 47
 rule_id = "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
index 0453d71ad3a..9eb423152f7 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
-min_stack_version = "8.8.0"
-updated_date = "2024/04/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
@@ -29,7 +27,12 @@ references = [ risk_score = 47 rule_id = "0136b315-b566-482f-866c-1d8e2477ba16" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"] +tags = [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml index 90c76c255e5..0b96dcaff21 100644 --- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml +++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/12" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml index 52de44169fd..1e179228799 100644 --- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml +++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/10" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml index 480d23d769c..4ba15633da1 100644 --- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml 
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/10" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml index e62ba72b5bb..348964efd89 100644 --- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml +++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml @@ -2,9 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml index daf801209d0..90ef1163536 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml +++ b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml index d3c59704944..d445e6723d7 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml +++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -33,7 +31,12 @@ references = [ risk_score = 47 rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"] +tags = [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml index 94cfa618762..821b0bf2f8c 100644 --- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml +++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/06" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,7 +27,12 @@ references = [ risk_score = 47 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"] +tags = [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml index e4a143449a3..a8da34138b9 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -31,12 +29,7 @@ references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts risk_score = 47 rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Persistence", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml index a5288bc405e..a47f63526f6 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml 
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml index 03d0fdbd60a..cad302f3660 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml +++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml index 7cc85cff038..5e7873a454e 100644 --- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml +++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml @@ -2,9 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." -min_stack_version = "8.8.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] 
@@ -30,7 +28,12 @@ references = [ risk_score = 21 rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8" severity = "low" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"] +tags = [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml index 5f546571cb0..7a71526db20 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/19" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -20,6 +18,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_host" name = "Unusual Process Spawned by a Host" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "56004189-4e69-4a39-b4a9-195329d226e9" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -75,13 +80,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "56004189-4e69-4a39-b4a9-195329d226e9" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml index 08116f76b9f..eda57d0433b 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -20,6 +18,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_parent" name = "Unusual Process Spawned by a Parent Process" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -75,13 +80,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd" severity = "low" tags = [ "Domain: Endpoint", 
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml index 1f39131547d..c9039de7f75 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -21,6 +19,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_user" name = "Unusual Process Spawned by a User" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -76,13 +81,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml index ae2a2dd3426..7b8a91cef65 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -18,6 +16,13 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -66,13 +71,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi } ``` """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad" severity = "low" tags = [ "OS: Windows", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml index 0357b533ebb..c134556b6f8 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,6 +16,13 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "994e40aa-8c85-43de-825e-15f665375ee8" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -66,13 +71,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi } ``` """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "994e40aa-8c85-43de-825e-15f665375ee8" severity = "low" tags = [ "OS: Windows", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml index 77346bbbfcb..bfb17d0f270 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml 
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -22,6 +20,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_host" name = "Suspicious Windows Process Cluster Spawned by a Host" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -77,13 +82,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3" severity = "low" tags = [ "Use Case: Living off the Land Attack Detection", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml index 693b3cadd28..f8a89d0a9fa 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -22,6 +20,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_parent" name = "Suspicious Windows Process Cluster Spawned by a Parent Process" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -77,13 +82,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml index d9533c157b3..98ff9844090 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -min_stack_comments = "LotL package job ID and rule removal updates" -min_stack_version = "8.9.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -22,6 +20,13 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_user" name = "Suspicious Windows Process Cluster Spawned by a User" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -77,13 +82,6 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b" severity = "low" tags = [ "Domain: Endpoint", 
diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml
index 42f466d8307..5d422e19931 100644
--- a/rules/linux/command_and_control_cat_network_activity.toml
+++ b/rules/linux/command_and_control_cat_network_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,13 +29,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
 
+
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat
-is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel.
-This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools
-or files to another host in the network or exfiltrate data while attempting to evade detection in the process.
+This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is
+capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This
+activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or
+files to another host in the network or exfiltrate data while attempting to evade detection in the process.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
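Review bot: The rewrapped description still carries the misspelling "transfering" on its new second line; since this string is what analysts read in the rule, change it to `capable of transferring data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This` (the extra character may make the formatter rewrap the paragraph once more). The same paragraph writes "tcp/udp" in lowercase while the chisel rule later in this diff uses "TCP and UDP"; harmonising the casing is optional but cheap while the lines are being touched. The description string is fully contained in this hunk.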
@@ -131,13 +130,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
+
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -153,6 +153,7 @@ sequence by host.id, process.entity_id with maxspan=1s
 )]
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
@@ -160,7 +161,6 @@ framework = "MITRE ATT&CK"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -168,7 +168,6 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -176,3 +175,4 @@ framework = "MITRE ATT&CK"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml
index 5a6cb5f3e72..45b888b7016 100644
--- a/rules/linux/command_and_control_linux_chisel_client_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,14 +29,15 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ -This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. -Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure -communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass -network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal -systems. +This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection +attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding +and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication +channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized +access to internal systems. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -108,8 +107,8 @@ This rule looks for a sequence of command line arguments that are consistent wit """ references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", - "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" - ] + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding", +] risk_score = 47 rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd" setup = """## Setup 
@@ -139,13 +138,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -158,15 +158,17 @@ sequence by host.id, process.entity_id with maxspan=1s "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml index 0f511f1f3cf..1ddfe0bd6a4 100644 --- a/rules/linux/command_and_control_linux_chisel_server_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,14 +29,15 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ -This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection -within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, -enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish -covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that -allow unauthorized access to internal systems. +This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received +connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP +tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to +establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating +tunnels that allow unauthorized access to internal systems. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -108,8 +107,8 @@ This rule looks for a sequence of command line arguments that are consistent wit """ references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", - "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" - ] + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding", +] risk_score = 47 rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f" setup = """## Setup 
@@ -139,13 +138,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -158,15 +158,17 @@ sequence by host.id, process.entity_id with maxspan=1m "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml index 1c34f956065..6fa97bf2cb1 100644 --- a/rules/linux/command_and_control_linux_kworker_netcon.toml +++ b/rules/linux/command_and_control_linux_kworker_netcon.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/10/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/04/30" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the -kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel -space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. +kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel +space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. """ from = "now-9m" @@ -49,14 +47,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and process.name:kworker* and not destination.ip:( 
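Review bot: Dropping `min_stack_version = "8.6.0"` removes the only guard for the feature the deleted comment names (multi-field New Terms support, added in 8.6), and this rule still declares three `new_terms_fields`; the removal is only safe if the minimum stack the repository now targets is at or above 8.6, which nothing in this hunk shows. I would record that assumption in the PR description so the change is not read as widening the rule's compatibility. The hunks for `command_and_control_suspicious_network_activity_from_unknown_executable.toml` and `credential_access_collection_sensitive_files.toml` drop the same 8.6.0 constraint from the same kind of multi-field New Terms rule.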
@@ -72,50 +71,49 @@ process.name:kworker* and not destination.ip:( ) and not destination.port:2049 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - id = "TA0011" - name = "Command and Control" - reference = "https://attack.mitre.org/tactics/TA0011/" - +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] - id = "TA0005" - name = "Defense Evasion" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique]] - name = "Masquerading" - id = "T1036" - reference = "https://attack.mitre.org/techniques/T1036/" - - [[rule.threat.technique]] - name = "Rootkit" - id = "T1014" - reference = "https://attack.mitre.org/techniques/T1014/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" - [rule.threat.tactic] - id = "TA0010" - name = "Exfiltration" - reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] - name = "Exfiltration Over C2 Channel" - id = "T1041" - reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "destination.ip", "destination.port"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + 
diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml index 4fe527e7466..6af677c749b 100644 --- a/rules/linux/command_and_control_linux_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_proxychains_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,12 +29,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the -routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted -resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and +This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the +routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted +resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. """ from = "now-9m" 
@@ -112,30 +111,33 @@ risk_score = 21 rule_id = "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "proxychains" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index 063f3188912..d0e52b96bfe 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,13 +29,15 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to -restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, -and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. +restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade +detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and +intentions. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -137,16 +137,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "proxychains" and process.args : ( 
@@ -156,15 +157,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index e063595ee22..b1ca0af322f 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/30" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,12 +29,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ -This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can -leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, -and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. +This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can +leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, +and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote +control. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -108,8 +108,8 @@ This rule looks for several utilities that are capable of setting up tunnel netw """ references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", - "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" - ] + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding", +] risk_score = 47 rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e" setup = """## Setup 
@@ -139,15 +139,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( ( @@ -168,15 +169,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index 75e542d0975..8e52abef11f 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -2,9 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/12/12" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,6 +29,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ @@ -169,13 +168,13 @@ Packetbeat is a real-time network packet analyzer that you can use for applicati """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -200,14 +199,15 @@ not destination.ip:( not destination.port:(22 or 80 or 443) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" @@ -216,7 +216,8 @@ reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "destination.ip", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index e9cf2452665..edf2c027b3c 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml 
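Review bot: The last hunk appends two empty lines after `value = "now-14d"`, so this file now ends with a double blank line, whereas the other rules in this change end with a single added blank before the next `diff` header. The same double trailing blank is added to `credential_access_collection_sensitive_files.toml` after its `[[rule.new_terms.history_window_start]]` table, which suggests a formatter artifact for files whose final table is a nested array of tables rather than an intentional layout. I would trim both to one trailing newline so the files do not churn on the next reformat.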
@@ -2,9 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ @@ -150,13 +149,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index 2e1bf781c53..b4def3d777d 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -63,14 +61,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Collection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -109,37 +107,37 @@ event.category:process and host.os.type:linux and event.type:start and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" - [[rule.threat.technique.subtechnique]] id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" - [[rule.threat.technique.subtechnique]] id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" + + [rule.threat.tactic] id = "TA0009" name = "Collection" @@ -148,7 +146,8 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line", "process.parent.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml index 0c136e26c7d..1b57dacdf04 100644 
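Review bot: The `+ +` inserted before each `[rule.threat.tactic]` that follows a `[[rule.threat.technique.subtechnique]]` table leaves two blank lines there, while every other table boundary in this change is separated by exactly one. The same double blank appears in the later hunks for `credential_access_credential_dumping.toml`, `credential_access_gdb_init_process_hooking.toml`, `credential_access_gdb_process_hooking.toml` and `credential_access_potential_linux_local_account_bruteforce.toml`, so it looks like the formatter emits an extra newline after a subtechnique entry; I would normalize to a single blank line for consistency.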
--- a/rules/linux/credential_access_credential_dumping.toml +++ b/rules/linux/credential_access_credential_dumping.toml @@ -2,28 +2,23 @@ creation_date = "2023/02/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the execution of the unshadow utility which is part of John the Ripper, -a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve -the combined contents of the '/etc/shadow' and '/etc/password' files. -Using the combined file generated from the utility, the malicious threat actors can use them as input -for password-cracking utilities or prepare themselves for future operations by gathering -credential information of the victim. +Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host +machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' +files. Using the combined file generated from the utility, the malicious threat actors can use them as input for +password-cracking utilities or prepare themselves for future operations by gathering credential information of the +victim. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Credential Dumping via Unshadow" -references = [ - "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/", -] +references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"] risk_score = 47 rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c" setup = """## Setup 
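Review bot: The rewrapped description on the new side still names `'/etc/password'`, which is not a file unshadow reads; the second input is `/etc/passwd`, as the sub-technique name later in this file (`/etc/passwd and /etc/shadow`) already states. I would change the line to `machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/passwd'` and keep the following lines as reflowed. The `[rule]` table continues past this hunk.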
@@ -53,34 +48,37 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "unshadow" and process.args_count >= 3 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml index e5b8dfc173b..23bf71fefd2 100644 --- a/rules/linux/credential_access_gdb_init_process_hooking.toml +++ b/rules/linux/credential_access_gdb_init_process_hooking.toml 
@@ -2,14 +2,12 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory +This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ @@ -18,10 +16,7 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Linux init (PID 1) Secret Dump via GDB" -references = [ - "https://github.com/controlplaneio/truffleproc", - "https://github.com/hajzer/bash-memory-dump" -] +references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] risk_score = 47 rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f" setup = """## Setup 
@@ -51,34 +46,37 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml index 1a72efb5829..622a54dba55 100644 --- a/rules/linux/credential_access_gdb_process_hooking.toml +++ b/rules/linux/credential_access_gdb_process_hooking.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt -secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and +secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ from = "now-9m" @@ -18,24 +16,22 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "Linux Process Hooking via GDB" -references = [ - "https://github.com/controlplaneio/truffleproc", - "https://github.com/hajzer/bash-memory-dump" -] +references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] risk_score = 21 rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "gdb" and process.args in ("--pid", "-p") and 
@@ -43,20 +39,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.args != "1" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index 8f187c78dbc..7e883b44436 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -2,15 +2,13 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a -short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a +Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a +short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts. """ from = "now-9m" 
@@ -47,13 +45,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.parent.executable, user.id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and @@ -64,20 +63,22 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s ] with runs=10 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" reference = "https://attack.mitre.org/techniques/T1110/001/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index ca151185152..264cbb61e71 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml 
@@ -2,15 +2,13 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies multiple external consecutive login failures targeting a user account from the same source address within -a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known +Identifies multiple external consecutive login failures targeting a user account from the same source address within a +short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. """ from = "now-9m" @@ -79,12 +77,9 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "eql" + query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index 6640ba40453..dc4b7b8ec79 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/02/21" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies multiple internal consecutive login failures targeting a user account from the same source address within -a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known +Identifies multiple internal consecutive login failures targeting a user account from the same source address within a +short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. """ from = "now-9m" @@ -75,12 +73,9 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "eql" + query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml index d554c3a0918..936f72da6b4 100644 --- a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml 
@@ -2,18 +2,16 @@ creation_date = "2023/07/06" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different -combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can -include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and -potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting -a specific user account from the same source address and within a short time interval, followed by a successful +An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different +combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can +include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and +potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting +a specific user account from the same source address and within a short time interval, followed by a successful authentication. """ from = "now-9m" 
@@ -60,13 +58,14 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", +] type = "eql" + query = ''' sequence by host.id, auditd.data.addr, related.user with maxspan=5s [authentication where host.os.type == "linux" and event.action == "authenticated" and @@ -77,14 +76,13 @@ sequence by host.id, auditd.data.addr, related.user with maxspan=5s auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -95,7 +93,10 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml index cd5da35ff6f..f4c9c353808 100644 --- a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml 
@@ -2,18 +2,16 @@ creation_date = "2023/07/06" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and +An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact -can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks -within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising -the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a +can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks +within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising +the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. """ from = "now-9m" 
@@ -60,13 +58,14 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", +] type = "eql" + query = ''' sequence by host.id, related.user with maxspan=5s [authentication where host.os.type == "linux" and event.action == "authenticated" and @@ -75,14 +74,13 @@ sequence by host.id, related.user with maxspan=5s auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -93,7 +91,10 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index ed7a05b5662..735059d55f4 100644 --- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml 
@@ -2,18 +2,16 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt -to login into multiple users with a common or known password to gain access to accounts. +Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can +attempt to login into multiple users with a common or known password to gain access to accounts. """ from = "now-9m" -index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"] +index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"] language = "eql" license = "Elastic License v2" name = "Potential Successful SSH Brute Force Attack" @@ -81,13 +79,9 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access" - ] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "eql" + query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and 
@@ -97,14 +91,13 @@ sequence by host.id, source.ip, user.name with maxspan=15s event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -115,7 +108,10 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index ff941228c7e..9da10c339f0 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml 
@@ -2,17 +2,15 @@ creation_date = "2023/04/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. -Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits -a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by -dumping the process and extracting lines that have a high probability of containing cleartext passwords. +Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a +known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the +process and extracting lines that have a high probability of containing cleartext passwords. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -21,7 +19,7 @@ license = "Elastic License v2" name = "Potential Linux Credential Dumping via Proc Filesystem" references = [ "https://github.com/huntergregal/mimipenguin", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781" + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781", ] risk_score = 47 rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311" 
@@ -52,14 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Use Case: Vulnerability", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.parent.name with maxspan=1m [process where host.os.type == "linux" and process.name == "ps" and event.action == "exec" @@ -68,25 +67,27 @@ sequence by host.id, process.parent.name with maxspan=1m and process.args : "/tmp/*"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" + [[rule.threat.technique]] id = "T1212" name = "Exploitation for Credential Access" reference = "https://attack.mitre.org/techniques/T1212/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index ecc4b593291..a537b35e543 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -66,7 +64,15 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index 1c84372ed06..2b7ee154fe7 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -46,16 +44,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -75,20 +73,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -name = "Impair Defenses" id = "T1562" +name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] -name = "Disable or Modify Tools" id = "T1562.001" +name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 9c21dacf15b..78771aa6d7e 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -57,7 +55,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 31c0b7f2d6b..544c7ce58e0 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/17" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -61,25 +59,26 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("base16", "base32", "base32plain", "base32hex") and not process.args in ("--help", "--version") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" @@ -90,7 +89,9 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index ba14cbaf631..362dc53aaf3 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml 
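Review bot: The `process.name in ("base16", "base32", "base32plain", "base32hex")` clause in this hunk's context lines does not cover coreutils `basenc`, which provides the same encodings through flags (`basenc --base16`, `basenc --base32hex`) and is far more likely to exist on a stock distribution than the standalone `base32plain`/`base32hex` binaries. The hunk only reflows the tags array and inserts blank lines, so the gap is pre-existing, but a reviewer of the new side would want it recorded. A minimal extension is `or (process.name == "basenc" and process.args in ("--base16", "--base32", "--base32hex"))`, keeping the existing `--help`/`--version` exclusion; `basenc` is a relatively recent coreutils addition, so check which fleet hosts actually ship it before relying on it for coverage.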
@@ -2,16 +2,14 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move -and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, -so if it does, the activity should be investigated. +This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and +rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if +it does, the activity should be investigated. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -47,13 +45,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -84,25 +83,27 @@ sequence by host.id, process.entity_id with maxspan=1s ) and not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename System Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index 6708e47842d..dacc91b8d4d 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -2,9 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/11" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -64,13 +62,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -81,19 +79,20 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [[rule.threat.technique.subtechnique]] id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index 6f37f146f24..989283a3641 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/24" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
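Review bot: The exclusion `not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth")` visible as context in this hunk keys on a parent name that the caller controls, and the presence of `xargs` means `echo /etc/passwd | xargs chattr +i` is excluded outright. The commit only adds spacing around the threat tables, so this is not introduced here, but it is an easy bypass of the rule as shipped. Consider keying the exclusions on `process.parent.executable` paths instead of names and dropping `"xargs"` from the list, or requiring a specific `process.parent.args` pattern for it. The enclosing `process where ...` query begins before this hunk, so the full condition set is not visible here.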
@@ -46,45 +44,48 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "dmesg" and process.args == "-c" ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" +[[rule.threat.technique.subtechnique]] +id = "T1070.002" +name = "Clear Linux or Mac System Logs" +reference = "https://attack.mitre.org/techniques/T1070/002/" + [[rule.threat.technique]] -name = "Impair Defenses" id = "T1562" +name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] -name = "Disable or Modify Tools" id = "T1562.001" +name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique]] -name = "Indicator Removal" -id = "T1070" -reference = "https://attack.mitre.org/techniques/T1070/" -[[rule.threat.technique.subtechnique]] -name = "Clear Linux or Mac System Logs" -id = "T1070.002" -reference = "https://attack.mitre.org/techniques/T1070/002/" [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index b871a387c7b..f5010f7c8b8 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml +++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml @@ -2,14 +2,12 @@ creation_date = "2023/08/28" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces +This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. """ @@ -47,16 +45,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( 
@@ -65,20 +64,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index ef0ade341fa..3de937008a8 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -59,35 +57,38 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "setenforce" and process.args == "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index 7751d734d66..e51936b4a4f 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml 
@@ -2,18 +2,16 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.5.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, -which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related -paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization -software, and their presence in the touch command arguments may indicate that a threat actor is attempting to -tamper with timestamps of VM-related files and configurations on the system. +Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify +the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as +"/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and +their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps +of VM-related files and configurations on the system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
@@ -52,36 +50,39 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "touch" and process.args == "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.006" name = "Timestomp" reference = "https://attack.mitre.org/techniques/T1070/006/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 9b41a3d3ddc..c14918a6bd2 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -47,13 +45,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" @@ -63,20 +61,22 @@ process where host.os.type == "linux" and event.type == "start" and process.name ) and not process.parent.name == "logrotate" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index 308ff063e22..e18c9cd1e32 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
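Review bot: The `min_stack_version = "8.6.0"` dropped from defense_evasion_file_mod_writable_dir.toml in this hunk is the one floor in this batch whose removed `min_stack_comments` documented a rule-type capability ("Multiple field support in the New Terms rule type was added in Elastic 8.6") rather than added schema fields, and the following hunk's `[rule.new_terms]` block still lists three `new_terms_fields` values. After this change nothing in the rule file records that constraint, so the removal is only safe if the project's minimum supported stack is now at or above 8.6; that appears to be the intent of the trim, but it is worth confirming before merge. If the rationale should survive in the file, a one-line comment above `[rule.new_terms]` such as `# multiple new_terms_fields require stack >= 8.6` would keep it without reintroducing the lock entry.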
@@ -64,28 +62,30 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.category:process and event.type:start and process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and not process.parent.name:(apt-key or update-motd-updates-available) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" @@ -94,7 +94,8 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable", "process.command_line"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index c5ccfbfbe5e..f157040848e 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -69,12 +67,12 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -85,24 +83,24 @@ process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and not process.name in ("ls", "find", "grep", "git", "jq", "basename") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index c841c28f353..f320147a67b 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -2,9 +2,7 @@ creation_date = "2022/07/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -63,34 +61,37 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and not process.name == "dockerd" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index b1efaa15b39..c483820f097 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -54,13 +52,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -70,38 +68,39 @@ process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--r process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml index 110b6c20f3c..01b696e0dac 100644 --- a/rules/linux/defense_evasion_kthreadd_masquerading.toml +++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml 
@@ -2,25 +2,21 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such +Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to -hide their malicious programs by masquerading as legitimate kernel processes. +hide their malicious programs by masquerading as legitimate kernel processes. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Executable Masquerading as Kernel Process" -references = [ - "https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/", -] +references = ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"] risk_score = 21 rule_id = "202829f6-0271-4e88-b882-11a655c590d4" setup = """## Setup 
@@ -51,39 +47,42 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name : ("kworker*", "kthread*") and process.executable != null ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1564" -name = "Hide Artifacts" -reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.004" name = "Masquerade Task or Service" reference = "https://attack.mitre.org/techniques/T1036/004/" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index ca5cf9311e1..446e8c07c47 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -64,13 +62,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -93,20 +91,22 @@ file where host.os.type == "linux" and event.type == "deletion" and not process.name in ("gzip", "executor", "dockerd") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index 7d28a1ca3d7..ad3e587dc05 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml 
@@ -2,29 +2,25 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the execution of mount process with hidepid parameter, which can make processes invisible to -other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide -the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user -can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for -the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. -With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, -which can now be monitored and detected. +Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from +the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other +users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the +logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide +their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening +hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and +detected. 
""" from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Hidden Process via Mount Hidepid" -references = [ - "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", -] +references = ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"] risk_score = 47 rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204" setup = """## Setup @@ -54,31 +50,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index 8acf5345e81..d02281ab704 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml 
@@ -2,32 +2,27 @@ creation_date = "2023/03/07" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of -chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot -to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. -In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. -With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, -such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other -architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), -can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or -orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent -it can be easily tuned to work for one. +Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount +--bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to +multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack +is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a +consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. 
PRoot also +provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The +post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute +malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. +Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via PRoot" -references = [ - "https://proot-me.github.io/", -] +references = ["https://proot-me.github.io/"] risk_score = 47 rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0" setup = """## Setup @@ -57,29 +52,32 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.name == "proot" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1211" name = "Exploitation for Defense Evasion" reference = "https://attack.mitre.org/techniques/T1211/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index b1b0bd4e747..114e0492005 100644 
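Review bot: The rewrapped description in defense_evasion_potential_proot_exploits.toml carries over the old text's missing space in `to be run.The`, now sitting at the line break as `to be run.The` / `post-exploitation technique`. Since the re-wrapping looks formatter-generated, the fix belongs in the sentence itself before the rule is saved again: `... such as ARM, to be run. The post-exploitation technique called bring your own filesystem (BYOF), ...`. The same paragraph's `With PRoot, it provides an attacker` reads awkwardly and could drop the `it`.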
--- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -2,9 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.5.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -49,9 +47,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action == "rename" and file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") @@ -75,4 +80,5 @@ reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml index 7160ee85a4a..c9061d947da 100644 --- a/rules/linux/defense_evasion_rename_esxi_index_file.toml +++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.5.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system. -The rule monitors for the "rename" event action associated with this specific file and path, -which could indicate malicious activity. +The rule monitors for the "rename" event action associated with this specific file and path, which could indicate +malicious activity. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -49,9 +47,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and file.Ext.original.path : "/usr/lib/vmware/*" @@ -74,4 +79,5 @@ reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index 1a4cdb2de89..bda9821f54b 100644 
--- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -2,15 +2,13 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching -directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux +This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching +directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection. """ from = "now-9m" @@ -22,15 +20,16 @@ risk_score = 21 rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.name in ("screen", "tmux") and process.name : ( 
@@ -39,15 +38,17 @@ process.parent.name in ("screen", "tmux") and process.name : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index 59488c955e8..16c7da4dec3 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml @@ -2,9 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -50,16 +48,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "od" and process.args in ( 
@@ -68,15 +67,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index a19fca3f14c..b629270c6cc 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -2,9 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.5.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,7 +17,9 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Find" -references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"] +references = [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", +] risk_score = 47 rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f" setup = """## Setup 
@@ -49,30 +49,33 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 961a5e07c2f..1affdffe0c6 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml 
@@ -2,14 +2,12 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.5.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments +Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. @@ -19,7 +17,9 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Grep" -references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"] +references = [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", +] risk_score = 47 rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4" setup = """## Setup 
@@ -49,16 +49,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("grep", "egrep", "pgrep") and process.args in ( @@ -66,15 +67,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index d182bf29928..271cfcaaabd 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -53,15 +51,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and ( (process.name:(lsmod or modinfo)) or @@ -72,14 +71,15 @@ or readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or weak-modules or zfs) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -88,7 +88,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.command_line", "process.command_line", "host.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index f59a8f2bdd8..ac1d28f7af0 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -65,30 +63,33 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("hping", "hping2", "hping3") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index f2c110c3e2c..9e48fc76e96 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -65,30 +63,33 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "nping" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml index c7a655bd561..0fa247325c9 100644 --- a/rules/linux/discovery_ping_sweep_detected.toml +++ b/rules/linux/discovery_ping_sweep_detected.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. -Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while -attempting to evade detection or due to the lack of network mapping tools available on the compromised host. +This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. +Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while +attempting to evade detection or due to the lack of network mapping tools available on the compromised host. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
@@ -48,29 +46,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "threshold" + query = ''' event.category:process and host.os.type:linux and event.action:(exec or exec_event or executed or process_started) and event.type:start and process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -79,7 +79,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.threshold] field = ["host.id", "process.parent.entity_id", "process.executable"] value = 1 - [[rule.threshold.cardinality]] field = "process.args" value = 100 + + diff --git a/rules/linux/discovery_proc_maps_read.toml b/rules/linux/discovery_proc_maps_read.toml index 56c21b5fd3b..fa5cc29d2ef 100644 --- a/rules/linux/discovery_proc_maps_read.toml +++ b/rules/linux/discovery_proc_maps_read.toml @@ -2,9 +2,7 @@ creation_date = "2024/01/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -49,14 +47,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.entry_leader.name in ( @@ -64,15 +63,17 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml index 3c02f0ea084..95a14458afb 100644 --- a/rules/linux/discovery_pspy_process_monitoring_detected.toml +++ b/rules/linux/discovery_pspy_process_monitoring_detected.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/07/20" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the -openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process -monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege +This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the +openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process +monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors. """ from = "now-9m" @@ -48,22 +46,23 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", +] type = "eql" + query = ''' sequence by process.pid, host.id with maxspan=5s [file where host.os.type == "linux" and auditd.data.syscall == "openat" and file.path == "/proc" and auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and auditd.data.a2 : ("80000", "88000") ] with runs=10 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" 
@@ -74,7 +73,9 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index f9719cca5e6..5e29c5d85ea 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml @@ -2,16 +2,14 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for -the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, -potentially allowing to escalate privileges to root. +This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for +the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo +permissions, potentially allowing to escalate privileges to root. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -47,14 +45,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sudo" and process.args == "-l" and process.args_count == 2 and @@ -62,15 +61,17 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish not group.Ext.real.id : "0" and not user.Ext.real.id : "0" and not process.args == "dpkg" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index 4b6179ebf8b..73fd48e341d 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml 
@@ -2,17 +2,15 @@ creation_date = "2023/07/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID -(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the -privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In -case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this +This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID +(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the +privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case +an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program. """ from = "now-9m" 
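Review bot: The added description line `+This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID` uses "SGUID", while the same paragraph goes on to expand the term correctly as "SGID (Set Group ID)"; the first mention should read `SUID and SGID permission arguments`. The inconsistency predates this commit (the removed line has the same wording), but since the line is being rewritten here anyway, correcting it keeps the analyst-facing text consistent with the rule's own definition.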
@@ -48,9 +46,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "find" and process.args : "-perm" and process.args : ( @@ -61,37 +67,36 @@ process.name == "find" and process.args : "-perm" and process.args : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -99,3 +104,4 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml index 99dfe0b87bd..76595d4412a 100644 --- a/rules/linux/discovery_suspicious_which_command_execution.toml +++ b/rules/linux/discovery_suspicious_which_command_execution.toml @@ -2,16 +2,14 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage -the which command to enumerate the system for useful installed utilities that may be used after compromising a system to -escalate privileges or move latteraly across the network. +This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may +leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a +system to escalate privileges or move latteraly across the network. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
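Review bot: The rewrapped description keeps the misspelling "latteraly" in the added line `+system to escalate privileges or move latteraly across the network.`; this text is what analysts see in the rule detail, so it should read `system to escalate privileges or move laterally across the network.`. The typo predates this commit (the removed line carries it too), but the line is already being touched and the hunk already bumps `updated_date`, so fixing it here costs nothing extra.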
@@ -22,15 +20,16 @@ risk_score = 21 rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and @@ -39,18 +38,20 @@ not process.args == "--tty-only" /* potential tuning if rule would turn out to be noisy and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") -*/ +*/ ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index d36e05269c7..860c3e226b4 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml 
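Review bot: The commented-out tuning block carried as context in the `@@ -39,18 +38,20 @@` hunk has an unbalanced string literal, `"netcat", nc.traditional", "gcc"` — the opening quote before `nc.traditional` is missing, so the EQL would fail to parse the moment someone uncomments the suggested tuning; the list should read `"nmap", "nc", "ncat", "netcat", "nc.traditional", "gcc", "g++", "socat"`. This sits inside `/* ... */`, so the live query is unaffected today, and the `-*/` / `+*/` change in this hunk looks like trailing-whitespace cleanup only. The enclosing `query = '''` string begins in the previous hunk, outside this one.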
@@ -2,15 +2,13 @@ creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
 This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This
-behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These
+behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These
 scripts leverage the "id" command to enumerate the privileges of all users present on the system.
 """
 from = "now-9m"
@@ -46,8 +44,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
+
 query = '''
 sequence by host.id, process.parent.entity_id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -55,15 +60,17 @@ sequence by host.id, process.parent.entity_id with maxspan=1s
 not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1033"
 name = "System Owner/User Discovery"
 reference = "https://attack.mitre.org/techniques/T1033/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index 58b5f00493c..62990271aa5 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -2,9 +2,7 @@ creation_date = "2020/04/27"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -64,7 +62,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index 8ce0819392b..ebd86e57f93 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -2,9 +2,7 @@ creation_date = "2022/05/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/02/20"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -100,15 +98,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Threat: BPFDoor",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Threat: BPFDoor",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -126,14 +124,15 @@ vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or met
 not file.name : (jem.*.pid)
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
 reference = "https://attack.mitre.org/techniques/T1106/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -142,7 +141,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable", "file.path"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
+
+
diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
index ae5eff02ebe..668a851f9f6 100644
--- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
+++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
@@ -2,20 +2,18 @@ creation_date = "2023/10/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6."
-min_stack_version = "8.6.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction
+Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction
 with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow
-during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed
-with and without the use of environment variables. For increased visibility, enable the collection of http_proxy,
-HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.
+during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be
+executed with and without the use of environment variables. For increased visibility, enable the collection of
+http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of
+this rule.
 """
-
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
@@ -24,7 +22,7 @@ name = "Potential curl CVE-2023-38545 Exploitation"
 references = [
 "https://curl.se/docs/CVE-2023-38545.html",
 "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/",
- "https://twitter.com/_JohnHammond/status/1711986412554531015"
+ "https://twitter.com/_JohnHammond/status/1711986412554531015",
 ]
 risk_score = 47
 rule_id = "f41296b4-9975-44d6-9486-514c6f635b2d"
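Review bot: The `description` this hunk rewraps keeps the claim "A flaw in curl version <= 8.3 makes curl vulnerable", which overstates the affected range: the curl advisory linked first under `references` lists the vulnerable versions as libcurl 7.69.0 up to and including 8.3.0, so releases older than 7.69.0 are not affected and an analyst triaging an alert on such a host would be misled. Since the context line is untouched, consider adjusting it to `with an unusual command line length. A flaw in curl versions 7.69.0 through 8.3.0 makes curl vulnerable to a heap based buffer overflow`. Dropping `min_stack_version = "8.6.0"` here is consistent with the PR raising the repo-wide minimum to 8.9, but note the rule's reliance on Elastic Defend environment-variable capture (added in 8.6, per the removed comment) is now only documented in the `setup` section.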
@@ -68,15 +66,16 @@ For more information on capturing environment variables refer to the [helper gui
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Use Case: Vulnerability",
- "Tactic: Execution",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Use Case: Vulnerability",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl" and (
@@ -87,15 +86,17 @@ not process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "a
 not process.args == "/opt/rudder/bin/curl"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml
index a65032f833e..c6b2f93a4b1 100644
--- a/rules/linux/execution_file_execution_followed_by_deletion.toml
+++ b/rules/linux/execution_file_execution_followed_by_deletion.toml
@@ -2,15 +2,13 @@ creation_date = "2023/08/28"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
 This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a
-directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute
+directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute
 malicious code and delete itself to hide its tracks.
 """
 from = "now-9m"
@@ -46,8 +44,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
+
 query = '''
 sequence by host.id, user.id with maxspan=1m
 [file where host.os.type == "linux" and event.action == "creation" and
@@ -61,20 +66,22 @@ sequence by host.id, user.id with maxspan=1m
 "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
index 56c2f746912..4e0c64c9bb5 100644
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
+++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -2,9 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -111,7 +109,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml
index d607c959f17..791a62e3941 100644
--- a/rules/linux/execution_interpreter_tty_upgrade.toml
+++ b/rules/linux/execution_interpreter_tty_upgrade.toml
@@ -2,15 +2,13 @@ creation_date = "2023/09/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/03/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade
-a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more
+Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a
+simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more
 stable connection.
 """
 from = "now-9m"
@@ -46,15 +44,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
-tags = ["Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
- ]
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or
@@ -63,20 +63,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml
index bda20e74850..d629fd28e01 100644
--- a/rules/linux/execution_nc_listener_via_rlwrap.toml
+++ b/rules/linux/execution_nc_listener_via_rlwrap.toml
@@ -2,15 +2,13 @@ creation_date = "2023/09/22"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
 Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses
-the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction
+the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction
 with netcat to gain a more stable reverse shell.
 """
 false_positives = [
@@ -54,35 +52,39 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame"
- ]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and process.args : "*l*" and process.args_count >= 4
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
index 24d545add14..205b2b1e18a 100644
--- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
+++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
@@ -2,28 +2,24 @@ creation_date = "2024/03/13"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
-min_stack_version = "8.6.0"
-updated_date = "2024/03/13"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a
+Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a
 network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many
-cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed
-thoroughly.
+cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed
+thoroughly.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection from Binary with RWX Memory Region"
-references = [
- "https://man7.org/linux/man-pages/man2/mprotect.2.html"
-]
+references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"]
 risk_score = 47
 rule_id = "32300431-c2d5-432d-8ec8-0e03f9924756"
 setup = """## Setup
@@ -45,15 +41,16 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Auditd Manager"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 sample by host.id, process.pid, process.name
 /* auditd.data.a2 == "7" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */
@@ -62,33 +59,34 @@ sample by host.id, process.pid, process.name
 not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
 [rule.threat.tactic]
-name = "Command and Control"
 id = "TA0011"
+name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-[[rule.threat.technique]]
-name = "Application Layer Protocol"
-id = "T1071"
-reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml
index e1f236cfb81..f35e2868e42 100644
--- a/rules/linux/execution_network_event_post_compilation.toml
+++ b/rules/linux/execution_network_event_post_compilation.toml
@@ -2,15 +2,13 @@ creation_date = "2023/08/28"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network
-connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server.
+This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network
+connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server.
 Attackers may spawn reverse shells to establish persistence onto a target system.
 """
 from = "now-9m"
@@ -47,13 +45,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
+
 query = '''
 sequence by host.id with maxspan=1m
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -64,33 +63,34 @@ sequence by host.id with maxspan=1m
 not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
 [rule.threat.tactic]
-name = "Command and Control"
 id = "TA0011"
+name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-[[rule.threat.technique]]
-name = "Application Layer Protocol"
-id = "T1071"
-reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index 35a7229b11d..e8399decc4a 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -2,9 +2,7 @@ creation_date = "2020/04/16"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -57,7 +55,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml
index 7f496983ab4..345349b911a 100644
--- a/rules/linux/execution_potential_hack_tool_executed.toml
+++ b/rules/linux/execution_potential_hack_tool_executed.toml
@@ -2,14 +2,12 @@ creation_date = "2023/09/22"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/03/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from
+Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from
 this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.
 """
@@ -47,17 +45,18 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-timestamp_override = "event.ingested"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Auditd Manager"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager",
+]
+timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in (
@@ -78,6 +77,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -85,3 +85,4 @@ framework = "MITRE ATT&CK"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml
index cbe81a44d46..2cc5578a982 100644
--- a/rules/linux/execution_process_started_from_process_id_file.toml
+++ b/rules/linux/execution_process_started_from_process_id_file.toml
@@ -2,9 +2,7 @@ creation_date = "2022/05/11"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -68,15 +66,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "high"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Threat: BPFDoor",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Auditd Manager"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Threat: BPFDoor",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -85,15 +83,17 @@ process where host.os.type == "linux" and event.type == "start" and user.id == "
 process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml
index fa6d47407d7..f3f896a29d3 100644
--- a/rules/linux/execution_process_started_in_shared_memory_directory.toml
+++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml
@@ -2,9 +2,7 @@ creation_date = "2022/05/10"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/12/13"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -59,14 +57,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "high"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Threat: BPFDoor",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Threat: BPFDoor",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -77,14 +75,15 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/
 "/var/run/argo/argoexec") and not process.parent.command_line : "/usr/bin/runc init"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index e419b51a46a..04af725fae9 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -2,9 +2,7 @@ creation_date = "2020/04/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/03/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -45,15 +43,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-timestamp_override = "event.ingested"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -66,20 +64,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.006"
 name = "Python"
 reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml
index f5db5c61332..37031b2bf7d 100644
--- a/rules/linux/execution_remote_code_execution_via_postgresql.toml
+++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml
@@ -2,18 +2,16 @@ creation_date = "2022/06/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within -a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a -public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection -attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities -for unauthorized access and malicious actions. +This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a +PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public +facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, +which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for +unauthorized access and malicious actions. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -48,13 +46,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -66,20 +65,22 @@ user.name == "postgres" and ( ) and not process.parent.name : "puppet" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index b3bef3b27d8..648294234e5 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml 
@@ -2,15 +2,13 @@ creation_date = "2022/05/06" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive -system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, +Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive +system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. """ from = "now-9m" @@ -127,9 +125,17 @@ Session View uses process data collected by the Elastic Defend integration, but For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and ( 
@@ -184,20 +190,22 @@ process where host.os.type == "linux" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 43075372068..2c768bc4152 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml @@ -2,15 +2,13 @@ creation_date = "2023/09/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp -channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. +Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp +channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -45,49 +43,51 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -timestamp_override = "event.ingested" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] +timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" 
diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml index 0369a74e6ca..dcbcb5da900 100644 --- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml +++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml @@ -2,9 +2,7 @@ creation_date = "2023/11/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,7 +17,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Child" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", ] risk_score = 47 rule_id = "2138bb70-5a5e-42fd-be5e-b38edf6a6777" @@ -52,13 +50,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=5s [network where event.type == "start" and host.os.type == "linux" and 
@@ -71,33 +70,34 @@ sequence by host.id, process.entity_id with maxspan=5s )] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml index ef459002a9a..8294a0bd405 100644 --- a/rules/linux/execution_shell_via_java_revshell_linux.toml +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -18,7 +16,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Java" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", ] risk_score = 47 rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd" @@ -49,13 +47,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=5s [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and 
@@ -77,33 +76,34 @@ sequence by host.id with maxspan=5s )] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index a01e4390428..4d5cb20854a 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by -the specified utilities that are initialized from a single process followed by a network connection attempt will be +This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by +the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" @@ -19,7 +17,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Suspicious Child Process" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", ] risk_score = 47 rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee" @@ -50,13 +48,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and ( 
@@ -86,33 +85,34 @@ sequence by host.id, process.entity_id with maxspan=1s destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml index d8400c11b21..789d77cf14f 100644 --- a/rules/linux/execution_shell_via_meterpreter_linux.toml +++ b/rules/linux/execution_shell_via_meterpreter_linux.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/08/10" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" -min_stack_version = "8.6.0" -updated_date = "2024/02/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged +This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting -this pattern is indicative of a successful meterpreter shell connection. +this pattern is indicative of a successful meterpreter shell connection. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -60,14 +58,15 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", +] timestamp_override = "event.ingested" type = "eql" + query = ''' sample by host.id, process.pid, user.id [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"] 
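Review bot: Dropping `min_stack_version = "8.6.0"` from this rule's header is only safe if the lowest stack this branch still supports is at or above 8.6.0, because the removed `min_stack_comments` says the `sample by` EQL form the query relies on did not exist before that release. The same applies to the 8.6.0 removals in execution_shell_via_udp_cli_utility_linux.toml (another `sample by` rule) and execution_suspicious_executable_running_system_commands.toml (multi-field `new_terms`); the other files in this batch only drop an 8.3.0 floor, which is not a concern. Presumably the trimmed version lock now starts above 8.6, and if so this is fine, but the supported-version floor is not visible in these hunks, so it is worth confirming before merge rather than relying on the tool having been run with the right argument. If the floor were ever lowered again, these three rules would fail to load on older stacks with no header left to explain why.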
@@ -77,33 +76,34 @@ sample by host.id, process.pid, user.id [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/if_inet6"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index 47e3831d96c..3e79f5cfac4 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/07/05" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being -spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish +spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" @@ -20,7 +18,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Suspicious Binary" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", ] risk_score = 47 rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f" @@ -51,13 +49,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -79,33 +78,34 @@ sequence by host.id, process.entity_id with maxspan=1s process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" \ No newline at end of file diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index 5d69e71986d..56c51e0f506 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,7 +17,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", ] risk_score = 47 rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3" @@ -50,13 +48,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=5s [network where event.type == "start" and host.os.type == "linux" and 
@@ -69,33 +68,34 @@ sequence by host.id with maxspan=5s )] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml index 0f609ef4385..0a453512b3b 100644 --- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/07/04" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" -min_stack_version = "8.6.0" -updated_date = "2024/03/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This +This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the -auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux +auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly. """ from = "now-9m" @@ -20,7 +18,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via UDP" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", ] risk_score = 47 rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037" @@ -65,10 +63,11 @@ tags = [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", - "Tactic: Execution" - ] + "Tactic: Execution", +] timestamp_override = "event.ingested" type = "eql" + query = ''' sample by host.id, process.pid, process.parent.pid [process where host.os.type == "linux" and event.type == "start" and event.action == "executed" and process.name : ( 
@@ -87,33 +86,34 @@ sample by host.id, process.pid, process.parent.pid not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index 0f19dd5052c..95c59d6022f 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -2,9 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,9 +17,7 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Content Extracted or Decompressed via Funzip" -references = [ - "https://attack.mitre.org/software/S0482/" -] +references = ["https://attack.mitre.org/software/S0482/"] risk_score = 47 rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66" setup = """## Setup @@ -50,9 +46,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.action in ("exec", "exec_event") and ((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and 
@@ -61,38 +65,39 @@ not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xa not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] -name = "Unix Shell" id = "T1059.004" +name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Obfuscated Files or Information" id = "T1027" +name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" [[rule.threat.technique]] -name = "Deobfuscate/Decode Files or Information" id = "T1140" +name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index f0bf6422447..39074a87aef 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml 
@@ -2,17 +2,15 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ This rule monitors for the execution of several commonly used system commands executed by a previously unknown -executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially -malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. -Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the +executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially +malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. +Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. """ from = "now-9m" @@ -48,7 +46,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" 
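Review bot: The first hunk drops `min_stack_version = "8.6.0"` together with the comment explaining it ("Multiple field support in the New Terms rule type was added in Elastic 8.6") from a `new_terms` rule whose `[rule.new_terms]` block further down the file still lists several fields; that removal is only safe if every stack version this branch still targets is at least 8.6, which the diff itself cannot show. The identical removal is made in `execution_unknown_rwx_mem_region_binary_executed.toml` later in this change. If the trim is driven by the repository's version-lock floor this is fine, but the rule now carries no record of why it was gated, so a one-line note in the PR description naming the floor (for example `min_stack_version entries at or below 8.x removed; lowest maintained branch is 8.x`) would keep the removal auditable.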
@@ -64,28 +69,30 @@ process.executable:( not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] -name = "Command and Scripting Interpreter" id = "T1059" +name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] -name = "Unix Shell" id = "T1059.004" +name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index 35ee9d990ea..6578d9e15bd 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/08" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -46,34 +44,37 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.service", "pnsd.service", "apache4.service", "pastebin.service", "xvf.service") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] -name = "Command and Scripting Interpreter" id = "T1059" +name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] -name = "Unix Shell" id = "T1059.004" +name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 80dbb34e51f..1422ba8d48e 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2022/07/11" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/20" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -52,14 +50,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: TripleCross", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: TripleCross", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -69,20 +67,22 @@ process.args == "filter" and process.args == "add" and process.args == "bpf" and not process.parent.executable == "/usr/sbin/libvirtd" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml index 28e6322f5f2..27ee5bebed4 100644 --- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml +++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml @@ -2,9 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/03/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,16 +11,14 @@ Monitors for the execution of a previously unknown unix binary with read, write The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases -overly permissive, and should be analyzed thoroughly. +overly permissive, and should be analyzed thoroughly. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Unknown Execution of Binary with RWX Memory Region" -references = [ - "https://man7.org/linux/man-pages/man2/mprotect.2.html" -] +references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"] risk_score = 47 rule_id = "23bcd283-2bc0-4db2-81d4-273fc051e5c0" setup = """## Setup 
@@ -44,40 +40,43 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index f2d6c90908f..2e7a762d6bc 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -2,9 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,8 +17,8 @@ language = "eql" license = "Elastic License v2" name = "Suspicious Data Encryption via OpenSSL Utility" references = [ - "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", - "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html", + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html", ] risk_score = 47 rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73" @@ -50,8 +48,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, user.name, process.parent.entity_id with maxspan=5s [ process where host.os.type == "linux" and event.action == "exec" and @@ -62,15 +67,17 @@ sequence by host.id, user.name, process.parent.entity_id with maxspan=5s not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10 ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + [rule.threat.tactic] -name = "Impact" id = "TA0040" +name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" -[[rule.threat.technique]] -name = "Data Encrypted for Impact" -id = "T1486" -reference = "https://attack.mitre.org/techniques/T1486/" 
diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml index 8b90034686f..bc58c8a9c8c 100644 --- a/rules/linux/impact_esxi_process_kill.toml +++ b/rules/linux/impact_esxi_process_kill.toml @@ -2,17 +2,15 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.5.0" -updated_date = "2024/02/20" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system -by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process. -The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a -threat actor is attempting to interfere with the virtualized environment on the targeted system. +Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system by a "kill" +command. The rule monitors for the "end" event type, which signifies the termination of a process. The presence of a +"kill" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to +interfere with the virtualized environment on the targeted system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -51,29 +49,32 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx") and process.parent.name == "kill" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml index f88c579f28c..ad559bb91c5 100644 --- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml +++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml 
@@ -2,17 +2,15 @@ creation_date = "2023/03/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same -process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and -demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware -attack is the mass encryption of the file system, after which a new file extension is added to the file. +This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same +process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands +payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack +is the mass encryption of the file system, after which a new file extension is added to the file. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -48,13 +46,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by process.entity_id, host.id with maxspan=1s [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" 
@@ -71,15 +70,17 @@ sequence by process.entity_id, host.id with maxspan=1s ] with runs=25 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index 347b2c6a512..c7ffba1b304 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -2,18 +2,16 @@ creation_date = "2023/03/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with -a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of +This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a +file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a -new file extension is added to the file. +new file extension is added to the file. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -49,13 +47,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by process.entity_id, host.id with maxspan=1s [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" @@ -75,15 +74,17 @@ sequence by process.entity_id, host.id with maxspan=1s ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index dcbc680f361..3115bb5696b 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -2,15 +2,11 @@ creation_date = "2022/07/27" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. -""" +description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n" from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" 
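Review bot: In the `impact_process_kill_threshold.toml` hunk, `description` is collapsed from a `"""` multi-line basic string to a single-line string with an escaped trailing `\n`, while every other rule touched by this change keeps the `"""` form. The stored value is the same (TOML trims the newline directly after the opening `"""`, so the original also ended in a single `\n`), but mixing the two forms makes the field harder to scan and suggests the formatter picks the form by line count rather than by content; keeping `description = """ … """` here would match the rest of the corpus.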
@@ -78,30 +74,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] -type = "threshold" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" + [rule.threat.tactic] id = "TA0040" name = "Impact" @@ -110,3 +107,4 @@ reference = "https://attack.mitre.org/tactics/TA0040/" [rule.threshold] field = ["host.id", "process.executable", "user.name"] value = 10 + diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index c84fb498998..a09d873ebb1 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/09/21" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's -autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. +Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's +autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -48,16 +46,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("curl", "wget") and process.args : ( 
@@ -66,30 +65,32 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" - [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index f2186f9954b..b994203c66d 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -67,13 +65,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by process.entity_id [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"] 
@@ -87,15 +86,17 @@ sequence by process.entity_id ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index b50c4c107d8..9775b55351f 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -2,9 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -67,13 +65,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by process.entity_id [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"] @@ -87,15 +86,17 @@ sequence by process.entity_id ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + 
diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 97a17fe29ae..30d1a3012de 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2024/02/01" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -50,15 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -73,9 +72,9 @@ sequence by host.id with maxspan=5s ] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
@@ -86,29 +85,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -116,3 +114,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml index 696c037e108..f61fea40231 100644 --- a/rules/linux/persistence_apt_package_manager_netcon.toml +++ b/rules/linux/persistence_apt_package_manager_netcon.toml 
@@ -1,16 +1,14 @@ [metadata] creation_date = "2024/02/01" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an -APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based +Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT +backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management. @@ -50,15 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Command and Control", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -70,9 +69,9 @@ sequence by host.id with maxspan=5s ] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -83,11 +82,11 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -95,7 +94,6 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -103,3 +101,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index a5905a23379..040bc52f6ed 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2022/07/22" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/13" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -14,20 +12,11 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%') +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE +'/etc/rc%.d/%') """ [[transform.osquery]] @@ -54,12 +43,13 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has -either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run +either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. """ from = "now-9m" 
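Review bot: The reflow of the osquery SQL in the `Osquery - Retrieve Additional File Listing Information` transform into 120-column hard-wrapped lines makes the query much harder to audit — the column list, the `LEFT JOIN`s and the `WHERE` path filter are now split mid-clause (`... FROM file f LEFT` / `JOIN users u ...`) instead of one clause per line as on the removed side. From the visible lines nothing changes semantically, since no wrap falls inside a single-quoted SQL literal and the newlines kept by the TOML multi-line string are plain whitespace to SQL, but any future change to the path list will rewrap the whole block and obscure the actual edit in review. This looks formatter-generated; if so, consider exempting multi-line `query` strings from wrapping, or restoring the one-clause-per-line layout. The same reflow appears in `persistence_cron_job_creation.toml`, `persistence_dynamic_linker_backup.toml`, `persistence_etc_file_creation.toml` and `persistence_init_d_file_creation.toml`.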
@@ -142,9 +132,7 @@ This rule monitors the usage of the `chkconfig` binary to manually add a service - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = [ - "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" -] +references = ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"] risk_score = 47 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6" setup = """## Setup @@ -174,14 +162,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Lightning Framework", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -195,20 +183,22 @@ not process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "up not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index d50db9ab003..7a8e8107c31 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -147,17 +146,18 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" + query = ''' event.category:file and host.os.type:linux and event.type:change and process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and 
@@ -169,56 +169,56 @@ event.category:file and host.os.type:linux and event.type:change and not process.executable:/usr/share/elasticsearch/* ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" - [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 8f52ebce84e..875666ccf5a 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml 
@@ -2,59 +2,33 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( - path LIKE '/etc/cron.allow.d/%' OR - path LIKE '/etc/cron.d/%' OR - path LIKE '/etc/cron.hourly/%' OR - path LIKE '/etc/cron.daily/%' OR - path LIKE '/etc/cron.weekly/%' OR - path LIKE '/etc/cron.monthly/%' -) +SELECT * FROM file WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE +'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE +'/etc/cron.monthly/%' ) """ + [[transform.osquery]] label = "Osquery - Retrieve rc-local.service File Information" query = """ -SELECT * FROM file WHERE ( - path = '/etc/cron.allow' OR - path = '/etc/cron.deny' OR - path = '/etc/crontab' OR - path = '/usr/sbin/cron' OR - path = '/usr/sbin/anacron' -) +SELECT * FROM file WHERE ( path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab' OR path = +'/usr/sbin/cron' OR path = '/usr/sbin/anacron' ) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE ( - path LIKE '/etc/cron.allow.d/%' OR - path LIKE '/etc/cron.d/%' OR - path LIKE '/etc/cron.hourly/%' OR - path LIKE '/etc/cron.daily/%' OR - path LIKE 
'/etc/cron.weekly/%' OR - path LIKE '/etc/cron.monthly/%' -) +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE +'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR +path LIKE '/etc/cron.monthly/%' ) """ [[transform.osquery]] @@ -77,6 +51,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -160,7 +135,7 @@ This rule monitors the creation of previously unknown cron jobs by monitoring fo - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", ] risk_score = 47 rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9" 
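Review bot: Removing `min_stack_version = "8.6.0"` together with its justification (`min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"`) from this `new_terms` rule is only safe if the repository's minimum supported stack is now at or above 8.6, because the rule's `[rule.new_terms]` block (in a later hunk of this file) uses several `new_terms_fields`, which older stacks do not accept. The same floor and the comment `Multiple field support in the New Terms rule type was added in Elastic 8.6` are dropped from `persistence_init_d_file_creation.toml`. The removal appears to be produced by the version-lock trimming rather than a per-rule decision, so a one-line statement of the new minimum stack in the PR description would make the change auditable; if that minimum is still below 8.6, the floor should stay on these two rules.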
@@ -191,17 +166,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or 
@@ -216,55 +192,54 @@ and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -273,7 +248,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index ff7bf2fbdf8..bc8cf7caff4 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml 
@@ -1,48 +1,27 @@ [metadata] creation_date = "2022/07/12" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/19" integration = ["endpoint"] - +maturity = "production" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( - path = '/etc/ld.so.preload' OR - path = '/lib64/ld-linux-x86-64.so.2' OR - path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR - path = '/usr/lib64/ld-linux-x86-64.so.2' OR - path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' -) +SELECT * FROM file WHERE ( path = '/etc/ld.so.preload' OR path = '/lib64/ld-linux-x86-64.so.2' OR path = +'/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = '/usr/lib64/ld-linux-x86-64.so.2' OR path = +'/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' ) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE ( - path = '/etc/ld.so.preload' OR - path = '/lib64/ld-linux-x86-64.so.2' OR - path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR - path = '/usr/lib64/ld-linux-x86-64.so.2' OR - path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' -) +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') 
AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path = '/etc/ld.so.preload' OR path = +'/lib64/ld-linux-x86-64.so.2' OR path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = +'/usr/lib64/ld-linux-x86-64.so.2' OR path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' ) """ [[transform.osquery]] @@ -65,13 +44,14 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ -Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a -backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in -order to inject and preload a malicious shared object file. This activity should never occur and if it does then it -should be considered highly suspicious or malicious. +Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup +copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to +inject and preload a malicious shared object file. This activity should never occur and if it does then it should be +considered highly suspicious or malicious. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -145,9 +125,7 @@ The detection rule 'Dynamic Linker Copy' is designed to identify such abuse by m - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = [ - "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" -] +references = ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"] risk_score = 73 rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0" setup = """## Setup @@ -177,13 +155,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Orbit", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -196,19 +174,20 @@ sequence by process.entity_id with maxspan=1m [file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index a8f67c739c7..36ed51d363e 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml 
@@ -2,49 +2,26 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( - path LIKE '/etc/ld.so.conf.d/%' OR - path LIKE '/etc/cron.d/%' OR - path LIKE '/etc/sudoers.d/%' OR - path LIKE '/etc/rc%.d/%' OR - path LIKE '/etc/init.d/%' OR - path LIKE '/etc/systemd/system/%' OR - path LIKE '/usr/lib/systemd/system/%' -) +SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' +OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE +'/usr/lib/systemd/system/%' ) """ + [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE ( - path LIKE '/etc/ld.so.conf.d/%' OR - path LIKE '/etc/cron.d/%' OR - path LIKE '/etc/sudoers.d/%' OR - path LIKE '/etc/rc%.d/%' OR - path LIKE '/etc/init.d/%' OR - path LIKE '/etc/systemd/system/%' OR - path LIKE '/usr/lib/systemd/system/%' -) +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, 
f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE +'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE +'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' ) """ [[transform.osquery]] @@ -71,6 +48,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -157,7 +135,7 @@ This rule monitors for the creation of the most common system-wide configuration """ references = [ "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", - "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/", ] risk_score = 47 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042" @@ -188,17 +166,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Orbit", - "Threat: Lightning Framework", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.id == "0" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", 
@@ -213,76 +192,76 @@ file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/r ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" -[[rule.threat]] -framework = "MITRE ATT&CK" 
-[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index 1af1b17782b..6bded3ec8e1 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/03/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -18,20 +16,11 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%') +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE +'/run/systemd/generator.late/%') """ [[transform.osquery]] 
@@ -42,14 +31,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts -or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the -"systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or -alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence -on the system. +or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" +can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the +/etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -121,8 +110,7 @@ This rule looks for the creation of new files within the `/etc/init.d/` director references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", - "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" - + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", ] risk_score = 47 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b" 
@@ -153,16 +141,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and file.path : /etc/init.d/* and not ( @@ -175,14 +164,15 @@ file.path : /etc/init.d/* and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -191,7 +181,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.name", "host.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index 866b0d00050..60f5ef56b26 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -2,9 +2,7 @@ creation_date = "2022/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,6 +29,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -117,7 +116,7 @@ The detection rule 'Kernel module load via insmod' is designed to identify insta - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" + "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/", ] risk_score = 47 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f" 
@@ -148,35 +147,38 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Rootkit", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Rootkit", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index 34f92ac319f..bebb8f3e449 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml 
@@ -2,68 +2,51 @@ creation_date = "2021/01/06" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/19" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( - path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR - path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR - path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR - path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR - path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR - path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR - path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR - path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR - path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR - path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR - path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR - path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR - path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR - path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR - path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR - path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' -) +SELECT 
* FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' +OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE +'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' +OR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE +'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE +'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE +'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE +'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE +'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE +'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE +'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE +'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE +'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE +'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE +'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' ) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS 
file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE ( - path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR - path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR - path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR - path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR - path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR - path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR - path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR - path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR - path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR - path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR - path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR - path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR - path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR - path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR - path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR - path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' -) +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, 
datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR +path LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE +'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE +'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE +'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE +'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE +'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE +'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE +'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE +'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE +'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE +'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE +'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE +'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE +'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE +'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' ) """ [[transform.osquery]] 
@@ -90,6 +73,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -212,13 +196,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -240,14 +224,15 @@ file where host.os.type == "linux" and event.type != "deletion" and "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_kernel_driver_load.toml b/rules/linux/persistence_kernel_driver_load.toml index e727ca8e00a..97ba74fa43d 100644 --- a/rules/linux/persistence_kernel_driver_load.toml +++ b/rules/linux/persistence_kernel_driver_load.toml 
@@ -2,17 +2,15 @@ creation_date = "2023/10/26" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to +Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other -rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap -that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager. +rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap +that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] 
@@ -44,47 +42,49 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "eql" + query = ''' driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique]] -name = "Rootkit" -id = "T1014" -reference = "https://attack.mitre.org/techniques/T1014/" diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml index 24f6c7291e5..216b6be53ed 100644 --- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml +++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/01/10" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,7 @@ Detects the loading of a Linux kernel module by a non-root user through system c kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through -auditd_manager. +auditd_manager. """ from = "now-9m" index = ["logs-auditd_manager.auditd-*"] 
@@ -50,48 +48,49 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", +] timestamp_override = "event.ingested" type = "eql" + query = ''' driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique]] -name = "Rootkit" -id = "T1014" -reference = "https://attack.mitre.org/techniques/T1014/" - diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index bc4c38f8a4d..d9e80c23b3c 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml 
@@ -2,33 +2,20 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/17" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" -query = """ -SELECT * FROM file WHERE path = {{file.path}} -""" +query = "SELECT * FROM file WHERE path = {{file.path}}\n" + [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE path = {{file.path}} +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}} """ [[transform.osquery]] 
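Review bot: The single-line form `query = "SELECT * FROM file WHERE path = {{file.path}}\n"` keeps the trailing newline of the old `"""` string only as an escaped `\n` at the end of a basic string, which is easy to overlook and easy to lose on the next edit. If the trailing newline is not significant to how the osquery transform is rendered, `query = "SELECT * FROM file WHERE path = {{file.path}}"` is the cleaner spelling; if it is significant, the multi-line `"""` form keeps it visible. The same `\n` suffix appears on the `description` strings in persistence_linux_group_creation.toml and persistence_linux_user_account_creation.toml further down. The rest of this hunk is a whitespace-only reflow of the osquery SQL, which is safe because newlines are ordinary whitespace in SQL.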
@@ -55,10 +42,11 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ -This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, +This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. @@ -165,15 +153,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and process.name : "kworker*" and not ( 
@@ -182,29 +171,29 @@ file where host.os.type == "linux" and event.action in ("creation", "file_create ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique]] -name = "Rootkit" -id = "T1014" -reference = "https://attack.mitre.org/techniques/T1014/" - diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index bb0e1ebe66b..cf4f8a430af 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -2,14 +2,15 @@ creation_date = "2023/03/07" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve User Accounts with a UID of 0" -query = "SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'" +query = """ +SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE +'0' +""" [[transform.osquery]] label = "Osquery - Retrieve Running Processes by User" 
@@ -27,10 +28,11 @@ query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" label = "Osquery - Retrieve Information for a Specific Group" query = "SELECT * FROM groups WHERE groupname = {{group.name}}" + [rule] author = ["Elastic"] description = """ -Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to +Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. """ from = "now-9m" @@ -114,36 +116,39 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml index 8bdadc05c05..be5b7c048d5 100644 --- a/rules/linux/persistence_linux_group_creation.toml +++ b/rules/linux/persistence_linux_group_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -23,11 +21,10 @@ query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + [rule] author = ["Elastic"] -description = """ -Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system. -""" +description = "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.\n" from = "now-9m" index = ["filebeat-*", "logs-system.auth-*"] language = "eql" 
@@ -103,28 +100,37 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" + query = ''' iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and process.name in ("groupadd", "addgroup") and group.name != null ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index eeb4603ab03..42ea56ee044 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -2,9 +2,7 @@ creation_date = "2023/03/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -27,11 +25,12 @@ query = "SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{pr label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ -Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. -Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. +Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence. """ false_positives = [ @@ -131,18 +130,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.executable : ( 
@@ -165,33 +165,34 @@ process.name : ( ) and not process.name == "phpquery" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml index 18b5500253f..0806394a0dd 100644 --- a/rules/linux/persistence_linux_user_account_creation.toml +++ b/rules/linux/persistence_linux_user_account_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -23,11 +21,10 @@ query = "SELECT * FROM groups WHERE groupname = {{group.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + [rule] author = ["Elastic"] -description = """ -Identifies attempts to create new users. Attackers may add new users to establish persistence on a system. -""" +description = "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.\n" from = "now-9m" index = ["filebeat-*", "logs-system.auth-*"] language = "eql" @@ -102,28 +99,37 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" + query = ''' iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and process.name in ("useradd", "adduser") and user.name != null ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index 2528e50c246..d08a4139b9d 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/13" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -23,10 +21,11 @@ query = "SELECT * FROM groups WHERE groupname = {{group.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + [rule] author = ["Elastic"] description = """ -Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to +Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system. """ from = "now-9m" 
@@ -109,17 +108,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.args in ( @@ -132,20 +132,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 7afb4ae59ec..85e05d4e851 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
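Review bot: Dropping `min_stack_version = "8.6.0"` together with its comment in the message_of_the_day_creation metadata hunk removes the only record in the rule that multi-field new_terms queries need Elastic 8.6 or later; the constraint itself does not go away, so this is only safe if the lowest stack the repository still targets is at or above 8.6. Presumably the trim target is above that, but nothing in the diff states it, and the same drop is made for the other new_terms rules (rc_script_creation, shared_object_creation, shell_configuration_modification, systemd_scheduled_timer_created). It would be worth confirming the trimmed minimum against the new_terms `value` lists that still use several fields before merging, since a consumer on an older stack would now get no warning that the rule cannot load.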
@@ -18,20 +16,11 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%') +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE +'/usr/lib/update-notifier/%') """ [[transform.osquery]] @@ -42,6 +31,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ 
@@ -116,7 +106,7 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/` - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd", ] risk_score = 47 rule_id = "96d11d31-9a79-480f-8401-da28b194608f" @@ -147,16 +137,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] -type = "new_terms" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "new_terms" + query = ''' host.os.type :linux and event.action:(creation or file_create_event or rename or file_rename_event) and file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : ( @@ -167,14 +158,15 @@ file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -183,7 +175,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index 219b88f9fc3..ca3cb5b9b2c 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/17" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
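Review bot: The new_terms hunk for message_of_the_day_creation ends the file with two added empty lines (`+` `+`) where a single trailing newline is the convention, and the same double blank appears at the end of rc_script_creation, shared_object_creation and shell_configuration_modification, while message_of_the_day_execution gets two blank lines before `[rule]` and suspicious_file_opened_through_editor three before its second `[rule.threat.tactic]`. It looks like the formatter appends a blank line around sections instead of normalizing to exactly one, which would also make a second run add more. Normalizing blank lines to one between sections and one trailing newline, and re-running the formatter once to confirm it is idempotent, would keep these files from churning on every pass.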
@@ -18,20 +16,11 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%') +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE +'/usr/lib/update-notifier/%') """ [[transform.osquery]] 
@@ -41,15 +30,17 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u [[transform.osquery]] label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + + [rule] author = ["Elastic"] description = """ -Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH -or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and -"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a -serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a -user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially -malicious processes through the MOTD utility. +Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or +a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and +"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a +serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a +user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially +malicious processes through the MOTD utility. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -115,7 +106,7 @@ This rule identifies the execution of potentially malicious processes from a MOT - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd", ] risk_score = 73 rule_id = "4ec47004-b34a-42e6-8003-376a123ea447" @@ -146,16 +137,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and ( @@ -186,15 +178,17 @@ not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index ce7a4a9ae82..e9177e41c18 100644 
--- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/01/05" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -17,21 +15,24 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u [[transform.osquery]] label = "Osquery - Retrieve rc-local.service File Information" -query = "SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')" +query = """ +SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = +'/run/systemd/generator/multi-user.target.wants/rc-local.service') +""" [[transform.osquery]] label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ -This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable -through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, -services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. -However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at -boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the -system. +This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the +use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or +commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the +"systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter +rc.local to execute malicious code at start-up, and gain persistence onto the system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
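Review bot: The reflowed rc-local.service osquery query compares `path` against the same string on both sides of the `OR`, so the second predicate can never contribute a result; the hunk rewraps the line but keeps the duplicate. The diff does not show which second location was intended, so either drop the redundant branch, `SELECT * FROM file WHERE path = '/run/systemd/generator/multi-user.target.wants/rc-local.service'`, or fill in the missing path if one was meant. Since this query is what an analyst runs from the investigation guide, a silently dead branch means the guide may under-report where the unit file actually lives.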
@@ -100,8 +101,7 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", - "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" - + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", ] risk_score = 47 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f" @@ -132,16 +132,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] -type = "new_terms" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "new_terms" + query = ''' host.os.type : "linux" and event.category : "file" and event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and @@ -150,19 +151,20 @@ file.path : "/etc/rc.local" and not process.name : ( ) and not file.extension : ("swp" or "swpx") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -171,7 +173,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index c99e8b13ed1..0aa61d6bc1f 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -133,20 +132,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name in ("jem", "vzctl") ''' + [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -154,21 +155,21 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index b9da05228d2..72faf4eb4fe 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml 
@@ -2,33 +2,20 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" -query = """ -SELECT * FROM file WHERE path = {{file.path}} -""" +query = "SELECT * FROM file WHERE path = {{file.path}}\n" + [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT - f.path, - u.username AS file_owner, - g.groupname AS group_owner, - datetime(f.atime, 'unixepoch') AS file_last_access_time, - datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, - datetime(f.btime, 'unixepoch') AS file_created_time, - f.size AS size_bytes -FROM - file f - LEFT JOIN users u ON f.uid = u.uid - LEFT JOIN groups g ON f.gid = g.gid -WHERE path = {{file.path}} +SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS +file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS +file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}} """ [[transform.osquery]] @@ -55,6 +42,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ 
@@ -167,10 +155,11 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not ( @@ -180,19 +169,20 @@ file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* an ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -201,7 +191,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml index 9f5571f1fc0..bbdb5484c9f 100644 --- a/rules/linux/persistence_shell_configuration_modification.toml +++ b/rules/linux/persistence_shell_configuration_modification.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/30" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/04/30" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -50,15 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] -type = "new_terms" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "new_terms" + query = ''' event.category:file and host.os.type:linux and event.action:(creation or file_create_event or rename or file_rename_event) and file.path:( @@ -80,19 +79,20 @@ event.action:(creation or file_create_event or rename or file_rename_event) and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -100,8 +100,9 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "user.id", "process.executable"] - +value = ["host.id", "user.id", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml index 88458c64bc3..21922814d76 100644 --- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml 
@@ -1,19 +1,17 @@ [metadata] creation_date = "2023/07/25" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/17" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a +This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of -suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file +suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish -persistence, escalate privileges or perform reconnaisance on the system. +persistence, escalate privileges or perform reconnaisance on the system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -25,16 +23,17 @@ risk_score = 21 rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and file.path : ( 
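Review bot: The rewritten description line in the first hunk still misspells "reconnaissance" as "reconnaisance"; since the line is already being touched for trailing whitespace, this is the moment to fix the user-facing text: `persistence, escalate privileges or perform reconnaisance on the system.` should read `persistence, escalate privileges or perform reconnaissance on the system.`. The description is shown in the alert UI, so the typo is visible to every analyst triaging this rule.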
@@ -57,58 +56,59 @@ file.path : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" 
+reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml index 61823f66e80..77654c11f70 100644 --- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml +++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml @@ -2,10 +2,7 @@ creation_date = "2024/04/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/01" - +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,21 +15,22 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Execution via XZBackdoor" -references =["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"] +references = ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"] risk_score = 73 rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248" severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' sequence by host.id, user.id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and 
@@ -43,56 +41,56 @@ sequence by host.id, user.id with maxspan=1s [network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and process.name == "sshd"] by process.pid, process.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" - [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml index 45d82726185..fba0565d1e0 100644 --- a/rules/linux/persistence_systemd_netcon.toml +++ b/rules/linux/persistence_systemd_netcon.toml 
@@ -1,10 +1,8 @@ [metadata] creation_date = "2024/02/01" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -50,15 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Command and Control", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -70,29 +69,29 @@ sequence by host.id with maxspan=5s ] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -100,7 +99,6 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -108,3 +106,4 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml
index 02f86919669..b021569a802 100644
--- a/rules/linux/persistence_systemd_scheduled_timer_created.toml
+++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/02/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2023/12/13"
+updated_date = "2024/05/21"

 [transform]
 [[transform.osquery]]
@@ -14,38 +12,19 @@ query = "SELECT * FROM file WHERE path = {{file.path}}"
 [[transform.osquery]]
 label = "Osquery - Retrieve File Listing Information"
 query = """
-SELECT * FROM file WHERE (
-path LIKE '/etc/systemd/system/%' OR
-path LIKE '/usr/local/lib/systemd/system/%' OR
-path LIKE '/lib/systemd/system/%' OR
-path LIKE '/usr/lib/systemd/system/%' OR
-path LIKE '/home/user/.config/systemd/user/%'
-)
+SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE
+'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )
 """

 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
 query = """
-SELECT
- f.path,
- u.username AS file_owner,
- g.groupname AS group_owner,
- datetime(f.atime, 'unixepoch') AS file_last_access_time,
- datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
- datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
- datetime(f.btime, 'unixepoch') AS file_created_time,
- f.size AS size_bytes
-FROM
- file f
- LEFT JOIN users u ON f.uid = u.uid
- LEFT JOIN groups g ON f.gid = g.gid
-WHERE (
-path LIKE '/etc/systemd/system/%' OR
-path LIKE '/usr/local/lib/systemd/system/%' OR
-path LIKE '/lib/systemd/system/%' OR
-path LIKE '/usr/lib/systemd/system/%' OR
-path LIKE '/home/{{user.name}}/.config/systemd/user/%'
-)
+SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
+file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
+file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
+JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE
+'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path
+LIKE '/home/{{user.name}}/.config/systemd/user/%' )
 """

 [[transform.osquery]]
@@ -56,13 +35,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Crontab Information"
 query = "SELECT * FROM crontab"

+
 [rule]
 author = ["Elastic"]
 description = """
-Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used
-by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd
-timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in
-case the connection to the infected asset was lost.
+Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used
+by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd
+timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in
+case the connection to the infected asset was lost.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -130,7 +110,7 @@ This rule monitors the creation of new systemd timer files, potentially indicati
 """
 references = [
 "https://opensource.com/article/20/7/systemd-timers",
- "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
 ]
 risk_score = 21
 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c"
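Review bot: The reflowed "Osquery - Retrieve File Listing Information" query still hard-codes `path LIKE '/home/user/.config/systemd/user/%'`, so the per-user timer directory is only enumerated for an account literally named `user`, while the next query in the same hunk already substitutes `{{user.name}}` from the alert. Since the line is being rewritten anyway, change it to `path LIKE '/home/{{user.name}}/.config/systemd/user/%'` so both transforms enumerate the same directory. If the guide is meant to be exhaustive, `$XDG_DATA_HOME/systemd/user` (by default `~/.local/share/systemd/user`) is also on systemd's user-unit search path and is covered by neither query; whether the detection query itself covers it is outside this hunk.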
@@ -161,16 +141,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
+
 query = '''
 host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and
 file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or
@@ -183,19 +164,20 @@ file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/sy
 )
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1053.006"
 name = "Systemd Timers"
 reference = "https://attack.mitre.org/techniques/T1053/006/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -204,7 +186,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "file.path", "process.executable"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
+
+
diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml
index a876bda2545..aeacc5b90d6 100644
--- a/rules/linux/persistence_systemd_service_creation.toml
+++ b/rules/linux/persistence_systemd_service_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
-min_stack_version = "8.6.0"
-updated_date = "2023/12/13"
+updated_date = "2024/05/21"

 [transform]
 [[transform.osquery]]
@@ -14,38 +12,19 @@ query = "SELECT * FROM file WHERE path = {{file.path}}"
 [[transform.osquery]]
 label = "Osquery - Retrieve File Listing Information"
 query = """
-SELECT * FROM file WHERE (
-path LIKE '/etc/systemd/system/%' OR
-path LIKE '/usr/local/lib/systemd/system/%' OR
-path LIKE '/lib/systemd/system/%' OR
-path LIKE '/usr/lib/systemd/system/%' OR
-path LIKE '/home/user/.config/systemd/user/%'
-)
+SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE
+'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )
 """

 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
 query = """
-SELECT
- f.path,
- u.username AS file_owner,
- g.groupname AS group_owner,
- datetime(f.atime, 'unixepoch') AS file_last_access_time,
- datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
- datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
- datetime(f.btime, 'unixepoch') AS file_created_time,
- f.size AS size_bytes
-FROM
- file f
- LEFT JOIN users u ON f.uid = u.uid
- LEFT JOIN groups g ON f.gid = g.gid
-WHERE (
-path LIKE '/etc/systemd/system/%' OR
-path LIKE '/usr/local/lib/systemd/system/%' OR
-path LIKE '/lib/systemd/system/%' OR
-path LIKE '/usr/lib/systemd/system/%' OR
-path LIKE '/home/{{user.name}}/.config/systemd/user/%'
-)
+SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
+file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
+file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
+JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE
+'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path
+LIKE '/home/{{user.name}}/.config/systemd/user/%' )
 """

 [[transform.osquery]]
@@ -72,12 +51,13 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
 label = "Osquery - Investigate the Account Authentication Status"
 query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"

+
 [rule]
 author = ["Elastic"]
 description = """
-Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious
-actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute
-malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute
+Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious
+actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute
+malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute
 additional malicious activities, or evade detection.
 """
 from = "now-9m"
@@ -159,7 +139,7 @@ This rule monitors the creation of new systemd service files, potentially indica
 """
 references = [
 "https://opensource.com/article/20/7/systemd-timers",
- "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
 ]
 risk_score = 47
 rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001"
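Review bot: Same inconsistency as in the timer rule: the rewritten first osquery transform keeps the literal `'/home/user/.config/systemd/user/%'` while the second transform in this hunk uses `'/home/{{user.name}}/.config/systemd/user/%'`, so an analyst running the first query on a host where the acting account is not named `user` gets no per-user unit listing. Replace the literal with the `{{user.name}}` placeholder on the reflowed `+` line so the two transforms agree. The transform label could also say that only the XDG config path is listed, since `~/.local/share/systemd/user` is a user-unit directory too and is absent from both queries.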
@@ -190,14 +170,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -219,37 +199,37 @@ not (
 )
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
@@ -258,7 +238,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "file.path", "process.executable"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
+
+
diff --git a/rules/linux/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml
index b9bc99d6679..6cabc894a4d 100644
--- a/rules/linux/persistence_tainted_kernel_module_load.toml
+++ b/rules/linux/persistence_tainted_kernel_module_load.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/23"
 integration = ["system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/05/21"

 [rule]
 author = ["Elastic"]
@@ -44,46 +42,48 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
+
 query = '''
 host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:"module verification failed: signature and/or required key missing - tainting kernel"
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1547.006"
 name = "Kernel Modules and Extensions"
 reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1014"
+name = "Rootkit"
+reference = "https://attack.mitre.org/techniques/T1014/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat.technique]]
-name = "Rootkit"
-id = "T1014"
-reference = "https://attack.mitre.org/techniques/T1014/"
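Review bot: The query is anchored on the verbatim kernel text `module verification failed: signature and/or required key missing - tainting kernel`, which, as far as I recall, is only printed on the non-enforcing signature-check path: a kernel built without `CONFIG_MODULE_SIG`, a kernel running with `module.sig_enforce=1` (the load is refused instead), or a module signed with a key the kernel trusts produces no such line, so the rule silently covers nothing on those hosts. Nothing in the visible rule text states that prerequisite; I'd add one sentence to the description or `setup` (both outside this hunk) saying the detection depends on the kernel's module-signature configuration and should be paired with the out-of-tree sibling rule. Also worth noting in that sentence that the exact wording can vary across kernel versions, since an exact phrase match fails closed.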
diff --git a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml index 784a655fa49..57ff1986c23 100644 --- a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml @@ -2,14 +2,12 @@ creation_date = "2023/10/26" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating +This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access. 
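Review bot: The description line this hunk rewrites still reads `instances of a out-of-tree kernel module load` and the context line right after it keeps the typo `taining`; since the line is already being touched for trailing whitespace, fix both while here: `...related to instances of an out-of-tree kernel module load, indicating` and `the tainting of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique.`. The remainder of the `[rule]` table is outside this hunk.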
@@ -44,46 +42,48 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
+
 query = '''
 host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:"loading out-of-tree module taints kernel."
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1547.006"
 name = "Kernel Modules and Extensions"
 reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-name = "Rootkit"
 id = "T1014"
+name = "Rootkit"
 reference = "https://attack.mitre.org/techniques/T1014/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml
index 219dc0dc583..bcd0e28ad73 100644
--- a/rules/linux/persistence_udev_rule_creation.toml
+++ b/rules/linux/persistence_udev_rule_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/02/22"
+updated_date = "2024/05/21"

 [rule]
 author = ["Elastic"]
@@ -49,15 +47,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] -type = "new_terms" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "new_terms" + query = ''' host.os.type:"linux" and event.category:"file" and event.type:("change" or "file_modify_event" or "creation" or "file_create_event") and @@ -67,14 +66,15 @@ file.path:/lib/udev/* and process.executable:* and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -83,7 +83,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index c631a2d3ba7..6582e466312 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/07/28" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a -wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate +wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. """ 
@@ -49,49 +47,51 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Auditd Manager"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1003.008"
 name = "/etc/passwd and /etc/shadow"
 reference = "https://attack.mitre.org/techniques/T1003/008/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml
index 0084ab81f9a..b5167a53e88 100644
--- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml
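Review bot: The query kept in this hunk requires the exact tokens `process.args == "-R" and process.args : "--reference=*"`, so the wildcard-injection pattern is missed as soon as the attacker spells the flags differently: GNU chown/chmod also accept `--recursive`, a bundled short form such as `-Rf`, and, because GNU getopt_long accepts unambiguous prefixes of long options (as far as I recall), an abbreviated `--ref=FILE`. A cheap widening is `(process.args in ("-R", "--recursive") or process.args : "-R*") and process.args : "--ref*"`. Matching on `process.name in ("chown", "chmod")` is also attacker-controlled via renaming; `process.executable` would be harder to evade, though that is a broader change than this formatting commit.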
+++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml
@@ -2,18 +2,16 @@
 creation_date = "2023/07/31"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"

 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the execution of processes that interact with Linux containers through an interactive shell
-without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact
-with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might
-be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a
-container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.
+This rule monitors for the execution of processes that interact with Linux containers through an interactive shell
+without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with
+containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be
+able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container
+escape attack, which might allow them to escalate privileges and gain further access onto the host file system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -22,8 +20,8 @@ license = "Elastic License v2"
 name = "Potential Privilege Escalation via Container Misconfiguration"
 references = [
 "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation",
- "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
- ]
+ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation",
+]
 risk_score = 47
 rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d"
 setup = """## Setup
@@ -61,9 +59,17 @@ Session View uses process data collected by the Elastic Defend integration, but
 For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Domain: Container",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
 (process.name == "runc" and process.args == "run") or
@@ -72,15 +78,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 process.interactive == true and process.parent.interactive == true
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1611"
 name = "Escape to Host"
 reference = "https://attack.mitre.org/techniques/T1611/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml index dadfea9010f..f3fc23dbe44 100644 --- a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml +++ b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml @@ -2,16 +2,14 @@ creation_date = "2024/01/15" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host, and leveraging chroot to escape its -containarized environment. This behavior pattern is very uncommon and should be investigated. +containarized environment. This behavior pattern is very uncommon and should be investigated. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -19,8 +17,8 @@ language = "eql" license = "Elastic License v2" name = "Potential Chroot Container Escape via Mount" references = [ - "https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash" - ] + "https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash", +] risk_score = 47 rule_id = "5ae02ebc-a5de-4eac-afe6-c88de696477d" setup = """## Setup 
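Review bot: The description line rewritten in the first hunk still carries the typo `containarized environment`; since the line is already being touched for trailing whitespace, make it `containerized environment. This behavior pattern is very uncommon and should be investigated.`. The preceding two description lines and the query are in other hunks or outside this view.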
@@ -60,14 +58,15 @@ For more information about the additional fields collected when this setting is
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Domain: Container",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Domain: Container",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
+
 query = '''
 sequence by host.id, process.parent.entity_id with maxspan=5m
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -77,15 +76,17 @@ sequence by host.id, process.parent.entity_id with maxspan=5m
 process.name == "chroot"]
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1611"
 name = "Escape to Host"
 reference = "https://attack.mitre.org/techniques/T1611/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
index 60863460f2e..f17fb467fd1 100644
--- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml
+++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/21"
+updated_date = "2024/05/21"

 [rule]
 author = ["Elastic"]
@@ -51,48 +49,50 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and user.id == "0"
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1574.013"
 name = "KernelCallbackTable"
 reference = "https://attack.mitre.org/techniques/T1574/013/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1014"
+name = "Rootkit"
+reference = "https://attack.mitre.org/techniques/T1014/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat.technique]]
-name = "Rootkit"
-id = "T1014"
-reference = "https://attack.mitre.org/techniques/T1014/"
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index 52c674200bb..c1188e26d75 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
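Review bot: The sub-technique kept in this hunk, `T1574.013 KernelCallbackTable`, is, per ATT&CK, a Windows-only process-injection technique (hijacking a user-mode process's KernelCallbackTable), which does not describe a Linux process named `kworker*` changing session id under uid 0. Since the hunk already reorders the `[[rule.threat]]` tables, this is the moment to drop that `[[rule.threat.technique.subtechnique]]` block under Privilege Escalation and keep the parent `T1574` alone, or map to a Linux-applicable entry such as `T1014` (already present under Defense Evasion) or `T1547.006`. Tooling that validates tactic/technique platforms against the `OS: Linux` tag would otherwise keep flagging this rule.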
@@ -2,9 +2,7 @@ creation_date = "2021/01/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -61,33 +59,35 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.category:file and event.action:(updated or renamed or rename or file_rename_event) and not event.type:deletion and file.path:/etc/ld.so.preload and not process.name:(wine or oneagentinstallaction) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -96,7 +96,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index a7983629c05..17842881d45 100644 
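Review bot: The exclusion `not process.name:(wine or oneagentinstallaction)` in the retained query keys on the process name, which an attacker who can already write `/etc/ld.so.preload` can trivially satisfy by copying or renaming the tool; it is a cheap bypass for a rule whose whole purpose is catching that write. If the exclusions are needed for noise from Wine and the Dynatrace installer, I would anchor them on `process.executable` with the known install paths (and, where available, the code signature or package owner) rather than on `process.name`, and add a one-line comment in the rule explaining what each exclusion is for. The change itself only drops `min_stack_version`, so this is a follow-up rather than a blocker.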
--- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -49,16 +47,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "ln" and process.args in ("-s", "-sf") and 
@@ -81,33 +80,34 @@ process.name == "ln" and process.args in ("-s", "-sf") and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml index 26f8283c90b..3cef1b9dacb 100644 --- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml +++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml 
@@ -2,16 +2,14 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum -allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID -greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. +This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum +allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID +greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -19,9 +17,10 @@ language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via UID INT_MAX Bug Detected" references = [ - "https://twitter.com/paragonsec/status/1071152249529884674", + "https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", - "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"] + "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74", +] risk_score = 47 rule_id = "d55436a8-719c-445f-92c4-c113ff2f9ba5" setup = """## Setup 
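Review bot: The re-wrapped description still says "Some older Linux versions were affected by a bug", but the references the same hunk points at (CVE-2018-19788, polkit issue 74) identify this as a polkit flaw in UID handling, not a kernel or distribution-version issue. I would make the text match the references, e.g. `Older polkit versions (CVE-2018-19788) accept a UID above INT_MAX as root when authorizing systemd-run, allowing such accounts to spawn a root shell.` — the fix landed in polkit 0.116 if I recall the advisory correctly, but the CVE reference is enough without the version. Accurate prose matters here because analysts triage from the description and will otherwise look for a kernel patch.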
@@ -51,29 +50,32 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index c45f0267678..9a7f5068b7e 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml 
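Review bot: The retained condition `user.id >= "1000000000"` compares a quoted string, and ECS `user.id` is a keyword field, so if that mapping is in effect the comparison is lexicographic rather than numeric: a UID such as `"2000"` sorts after `"1000000000"` and matches, while the intent is only UIDs above INT_MAX. The cheap fix within EQL is to pin the digit count first, `process.args_count >= 3 and length(user.id) >= 10 and user.id >= "1000000000"`, which keeps the existing margin below 2147483647 but stops four-digit UIDs from firing. Worth confirming against the index mapping before merging, since the commit otherwise only reflows tags.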
@@ -1,19 +1,17 @@ [metadata] creation_date = "2023/06/09" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" integration = ["endpoint", "auditd_manager"] +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential -compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different -kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, -escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to -tamper with the system's trusted state, allowing e.g. a VM Escape. +This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential +compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different +kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, +escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to +tamper with the system's trusted state, allowing e.g. a VM Escape. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -23,7 +21,7 @@ name = "Kernel Load or Unload via Kexec Detected" references = [ "https://www.crowdstrike.com/blog/venom-vulnerability-details/", "https://www.makeuseof.com/what-is-venom-vulnerability/", - "https://madaidans-insecurities.github.io/guides/linux-hardening.html" + "https://madaidans-insecurities.github.io/guides/linux-hardening.html", ] risk_score = 47 rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957" 
@@ -54,68 +52,69 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1601" name = "Modify System Image" reference = "https://attack.mitre.org/techniques/T1601/" - [[rule.threat.technique.subtechnique]] id = "T1601.001" name = "Patch System Image" reference = 
"https://attack.mitre.org/techniques/T1601/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml index 30b4f2fcdb0..75d12aa5a97 100644 --- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml +++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/05" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." -min_stack_version = "8.6.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -17,7 +15,9 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via CVE-2023-4911" -references = ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"] +references = [ + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so", +] risk_score = 73 rule_id = "6d8685a1-94fa-4ef7-83de-59302e7c4ca8" setup = """## Setup 
@@ -60,29 +60,32 @@ For more information on capturing environment variables refer to the [helper gui """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.env_vars : "*GLIBC_TUNABLES=glibc.*=glibc.*=*"] with runs=5 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml index b9d7cdcdfda..eeade4b3a0b 100644 --- a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml +++ b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml 
@@ -2,16 +2,14 @@ creation_date = "2024/01/15" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Detects network connections initiated by the "sudo" binary. This behavior is uncommon and may occur in instances where reverse shell shellcode is injected into a process run with elevated permissions via "sudo". Attackers may attempt to -inject shellcode into processes running as root, to escalate privileges. +inject shellcode into processes running as root, to escalate privileges. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -47,45 +45,48 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "ipv4_connection_attempt_event") and process.name == "sudo" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index 8c5e04a7581..a62129ec619 100644 --- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml 
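Review bot: The description retained in this hunk asserts that network connections from `sudo` are uncommon, but on hosts whose sudoers are served from LDAP (`sudoers: ldap` in nsswitch) the `sudo` binary itself opens the directory connection, so the rule will fire on every elevation there. I would add a sentence to the description such as `Hosts that resolve sudoers via LDAP will generate expected connections from sudo to the directory server; exclude those destinations or tune per environment.` so analysts do not treat the benign case as injection. If the maintainers prefer, a `not destination.port in (389, 636)` clause scoped to known directory hosts could carry the exclusion, but that is a tuning decision rather than something this formatting change must settle.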
@@ -2,16 +2,14 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the -ability to escalate privileges to root on the affected machine. +ability to escalate privileges to root on the affected machine. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -20,7 +18,8 @@ license = "Elastic License v2" name = "Potential Privilege Escalation via OverlayFS" references = [ "https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", - "https://twitter.com/liadeliyahu/status/1684841527959273472"] + "https://twitter.com/liadeliyahu/status/1684841527959273472", +] risk_score = 73 rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57" setup = """## Setup @@ -49,8 +48,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by process.parent.entity_id, host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -59,15 +66,17 @@ sequence by process.parent.entity_id, host.id with maxspan=5s user.id == "0"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index e8467a59525..ca808d17266 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -46,7 +44,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml index 3bd20841255..d0bdbf799f4 100644 --- a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml 
+++ b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2023/12/11" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -30,41 +28,42 @@ As a higher-order rule (based on other detections), this rule also requires the """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Initial Access", - "Use Case: Vulnerability", - "Rule Type: Higher-Order Rule" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Initial Access", + "Use Case: Vulnerability", + "Rule Type: Higher-Order Rule", +] timestamp_override = "event.ingested" type = "threshold" + query = ''' kibana.alert.rule.rule_id:"5c81fc9d-1eae-437f-ba07-268472967013" and host.os.type:linux and event.kind:signal ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index 8353f4f697e..3e3d1dbd146 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -48,8 +46,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -61,28 +67,29 @@ sequence by host.id with maxspan=1s process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index 7a36055d1a7..ab68d5dbf49 100644 
--- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml @@ -2,17 +2,15 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. -Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine through -DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by root, -such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate +This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. +Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine +through DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by +root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges. """ from = "now-9m" @@ -20,7 +18,9 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Suspicious DebugFS Root Device Access" -references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"] +references = [ + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group", +] risk_score = 21 rule_id = "2605aa59-29ac-4662-afad-8d86257c7c91" setup = """## Setup 
@@ -49,29 +49,39 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "debugfs" and process.args : "/dev/sd*" and not process.args == "-R" and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml index ff3852135da..52293c9bd1f 100644 --- a/rules/linux/privilege_escalation_shadow_file_read.toml +++ b/rules/linux/privilege_escalation_shadow_file_read.toml @@ -2,9 +2,7 @@ creation_date = "2022/09/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
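Review bot: The retained clause `not process.args == "-R"` excludes exactly the one-shot form `debugfs -R "cat /etc/shadow" /dev/sda1`, which reads a root-owned file in a single non-interactive invocation and is the most scriptable abuse of the disk-group access this rule is meant to catch. If the exclusion exists to silence a known tool, it should be narrowed to that tool via `process.parent.executable` or the full command line rather than dropping every `-R` request; if it is there by mistake, removing it is the change. Either way a one-line comment in the query recording why `-R` is excluded would save the next reviewer from asking the same question.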
@@ -48,14 +46,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -66,32 +64,32 @@ host.os.type : "linux" and event.category : "process" and event.action : ("exec" (process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" @@ -100,7 +98,8 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["process.command_line", "host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index a5a59552ec0..757994326b9 100644 
--- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml @@ -2,16 +2,14 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate +This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID -that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, +that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28. """ from = "now-9m" 
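Review bot: The re-wrapped description keeps the statement "This exploit may work for sudo versions prior to v1.28", but the CVE-2019-14287 fix shipped in sudo 1.8.28; "1.28" is not a sudo release and will mislead anyone checking exposure. I would change the sentence to `This exploit works against sudo versions prior to 1.8.28.` while the file is being touched. The rest of the hunk is whitespace and metadata only.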
@@ -49,31 +47,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Use Case: Vulnerability", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Use Case: Vulnerability", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "sudo" and process.args == "-u#-1" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index d87321780f1..cc224a4bab0 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml 
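Review bot: The retained query matches only `process.args == "-u#-1"`, but the same sudo bug is triggered by the unsigned spelling of that value, and the public exploit writeups use both forms; the rule currently misses the second. I would widen the line to `process.name == "sudo" and process.args in ("-u#-1", "-u#4294967295")`. Both strings are exact tokens, so the false-positive surface does not grow.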
@@ -2,15 +2,13 @@
 creation_date = "2023/07/26"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/02/21"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and
-replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or
+Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and
+replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or
 enable persistence onto the system every time the sudo binary is executed.
 """
 from = "now-9m"
@@ -54,41 +52,42 @@ tags = [ "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd or pacman) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -97,7 +96,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index e748504ac7c..83436532a85 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml 
@@ -2,18 +2,16 @@
 creation_date = "2023/07/31"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a
-debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token
+This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a
+debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token
 manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by
-attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence
-of a living process that has a valid sudo token with the same uid as the current user.
+attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence
+of a living process that has a valid sudo token with the same uid as the current user.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -49,8 +47,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.session_leader.entity_id with maxspan=15s [ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -59,30 +64,32 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml index 5e32f77fff6..099c3d7462e 100644 --- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml 
+++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
@@ -2,18 +2,16 @@
 creation_date = "2023/09/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python,
+This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python,
 followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation.
-Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated
-privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the
-privileges that are set on the binary that is being executed.
+Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated
+privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the
+privileges that are set on the binary that is being executed.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -49,8 +47,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -59,9 +64,9 @@ sequence by host.id, process.entity_id with maxspan=1s (user.id == "0" or group.id == "0")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -71,12 +76,13 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml index ab23c2c4825..0b8d920fccf 100644 --- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml +++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/01/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -71,14 +69,15 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.parent.pid with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -87,15 +86,17 @@ sequence by host.id, process.parent.pid with maxspan=1m not auditd.data.a2 == "80000" and event.outcome == "success" and user.id != "0"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml index 9f8d47e5a87..64e954706a1 100644 --- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml +++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent -alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or +This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent +alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit. """ from = "now-9m" @@ -46,8 +44,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -60,15 +66,17 @@ sequence by host.id with maxspan=1m user.id == "0"] by process.name ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml index 91c4d09bf06..f7b1532585e 100644 --- a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml +++ b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -48,15 +46,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:"linux" and event.category:"process" and event.action:"uid_change" and event.type:"change" and user.id:"0" and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or "ksh" or "fish") and not ( 
@@ -72,42 +71,42 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1574.013"
 name = "KernelCallbackTable"
 reference = "https://attack.mitre.org/techniques/T1574/013/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1014"
+name = "Rootkit"
+reference = "https://attack.mitre.org/techniques/T1014/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat.technique]]
-name = "Rootkit"
-id = "T1014"
-reference = "https://attack.mitre.org/techniques/T1014/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable", "process.command_line"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
+
diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
index c27fcc55b06..bf460f0459c 100644
--- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
+++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
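Review bot: The first threat block of rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml keeps sub-technique T1574.013 `name = "KernelCallbackTable"` under Hijack Execution Flow, which ATT&CK scopes to Windows only, while this rule lives under the Linux rule set; the commit reorders the T1014 block in the same hunk but leaves that mapping untouched. A Linux-applicable sub-technique such as T1574.006 (Dynamic Linker Hijacking), or the parent T1574 on its own, would annotate the alert more accurately. This affects only the ATT&CK labelling of generated alerts, not the query or the new_terms configuration.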
@@ -63,15 +61,16 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and process.executable: "/usr/bin/unshare" and @@ -79,15 +78,17 @@ not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox-boot", "java") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml index 66a4907ba56..be6a9360a51 100644 --- a/rules/linux/privilege_escalation_writable_docker_socket.toml +++ b/rules/linux/privilege_escalation_writable_docker_socket.toml 
@@ -2,16 +2,14 @@
 creation_date = "2023/07/25"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by
-default are only be writable by the root user and docker group. Attackers that have permissions to write to these
-sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto
+This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by
+default are only be writable by the root user and docker group. Attackers that have permissions to write to these
+sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto
 the host file system.
 """
 from = "now-9m"
@@ -19,7 +17,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation through Writable Docker Socket"
-references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"]
+references = [
+ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape",
+]
 risk_score = 47
 rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8"
 setup = """## Setup
@@ -48,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Domain: Container", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -61,15 +68,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml index ba6e92684fb..10a16206576 100644 --- a/rules/macos/credential_access_credentials_keychains.toml +++ b/rules/macos/credential_access_credentials_keychains.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: process.Ext.effective_parent" -min_stack_version = "8.7.0" -updated_date = "2024/03/19" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index 36af1b87a67..4eea3dcd5ff 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/25"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index c437c128e2c..e9e879c94a9 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dumping of Keychain Content via Security Command"
+references = ["https://ss64.com/osx/security.html"]
+risk_score = 73
+rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c"
 setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -43,11 +44,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://ss64.com/osx/security.html"]
-risk_score = 73
-rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index 91fb75396f6..ef37c8198c4 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index f0e7ef6fcea..fc4b71083a3 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/06"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/06"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -53,7 +51,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 1378d970acf..6e915a16c92 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: process.Ext.effective_parent"
-min_stack_version = "8.7.0"
-updated_date = "2024/03/19"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
index 31068ac424d..40b3b2d181e 100644
--- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml +++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -46,9 +44,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] -type = "threshold" +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml index 2ed4b55b6fb..ac83ec10af5 100644 --- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml +++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: process.Ext.effective_parent" -min_stack_version = "8.7.0" -updated_date = "2024/05/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index f61a002dced..01434aa4c83 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: process.Ext.effective_parent"
-min_stack_version = "8.7.0"
-updated_date = "2024/02/06"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index d4ff6923175..44a47192117 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/15"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 5d8a845c8e8..651cb2eae28 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -2,16 +2,14 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/05/17"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from
-the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time.
-An adversary may disable this attribute to evade defenses.
+Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are
+downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper
+defense program at execution time. An adversary may disable this attribute to evade defenses.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index 9371e7606cc..9cf185bb72a 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index d2063929773..c4d2d688080 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 5323edd7f46..044d6b27ab3 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -51,7 +49,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 73685fd4de8..0e9e1000b8e 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index d17b16d0b50..599eef17f93 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 5fe54a81d59..0c821e217e4 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -51,7 +49,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index 7b51eb13802..8accc83b579 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Use Case: Vulnerability",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index dfe03dda702..332860d1f4b 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -42,7 +40,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 5d903cf4d7a..bc38d1d3874 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/12"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: process.Ext.effective_parent"
-min_stack_version = "8.7.0"
-updated_date = "2024/02/06"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -45,7 +43,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -84,6 +88,7 @@ id = "T1069.001"
 name = "Local Groups"
 reference = "https://attack.mitre.org/techniques/T1069/001/"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
@@ -93,6 +98,8 @@ id = "T1087.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1087/001/"
+
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index 01c2ed6cfcb..37396801ec4 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index 698e23e3087..a0c384dc8ef 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index 1638639bbfe..2e53cc22289 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/02/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -59,7 +57,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index 136bfe59059..55faccc4136 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index b1f11d979d8..d643bd904f1 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index a7a99bdb56d..c0c517e9ea0 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index 5d97ac0117c..9013d41a7ab 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/12"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 226042e1403..567c47b2457 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/25"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 3e6f70a9794..c312d9699ad 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index f54ba8e7070..6388074a40d 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/25"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 841b7e47907..88551bdc5f7 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index 1b0f3cb86ea..043c9618c04 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index 776e5346745..1b48ca3d708 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -45,7 +43,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index a6aeb4b2850..0c3009d0cc4 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index 7b3faa66c76..86b2ab22a1b 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml
index d0f9b622d31..b8396765b58 100644
--- a/rules/macos/persistence_crontab_creation.toml
+++ b/rules/macos/persistence_crontab_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/04/25"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
index dde96a35b72..66941650995 100644
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml
index 18298068747..6212dfc742d 100644
--- a/rules/macos/persistence_directory_services_plugins_modification.toml
+++ b/rules/macos/persistence_directory_services_plugins_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index 06cb5f257f1..25ac05e33e9 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -48,7 +46,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 98d49da565b..e6bbcdc0bd2 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index 54d9a27965f..c597f0d3fe8 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml
index 071bdeec631..47a4bdcfee6 100644
--- a/rules/macos/persistence_enable_root_account.toml
+++ b/rules/macos/persistence_enable_root_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index 91ca171a562..0b84f1c374e 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -48,7 +46,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 2ab48693331..18b114cfaf4 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/07"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -47,7 +45,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index 27b66280de9..b0ef9cdda7d 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index 7abf4edf782..f75f8d19192 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/19"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index 2a42dcc351a..b83bfe38aae 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
index b27ce05a75d..fda11158c76 100644
--- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 7509ec421b4..c2c9d4d7c3b 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -58,7 +56,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index 09eaadca5ea..f7280bcfa47 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -56,7 +54,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index 11859698a7d..d9e648f11f1 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -51,7 +49,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index 47d8aa87af7..f281678818e 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index 5cd2ed8d6ec..b05b7f04238 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index 62f86ac76f3..2fbd033a24f 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -56,7 +54,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Use Case: Vulnerability",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index 619fe287223..3e51714cdd2 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/27"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
index 757b1664cbe..11ced2586f4 100644
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/07/27"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 50
@@ -30,9 +28,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
 severity = "low"
-tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
+tags = [
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Command and Control",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -45,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1572/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
index 43d92a09915..7a933193649 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/07/27"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 50
@@ -33,23 +31,28 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
 severity = "low"
-tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
+tags = [
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Command and Control",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.004"
+name = "DNS"
+reference = "https://attack.mitre.org/techniques/T1071/004/"
- [[rule.threat.technique.subtechnique]]
- id = "T1071.004"
- name = "DNS"
- reference = "https://attack.mitre.org/techniques/T1071/004/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
index c68d24c0453..f5f645da58c 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/07/27"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 50
@@ -36,22 +34,25 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
 severity = "low"
-tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
+tags = [
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Command and Control",
+]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
- [[rule.threat.technique.subtechnique]]
- id = "T1071.001"
- name = "Web Protocols"
- reference = "https://attack.mitre.org/techniques/T1071/001/"
-
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
index 449a6ff3eb4..80d1ea8c12a 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/07/27"
+updated_date = "2024/05/21"
 [rule]
 anomaly_threshold = 50
@@ -34,22 +32,25 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"] +tags = [ + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - id = "T1071.001" - name = "Web Protocols" - reference = "https://attack.mitre.org/techniques/T1071/001/" - [rule.threat.tactic] id = "TA0011" diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml index 7d5f0f82db8..b1686ca28d2 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml @@ -2,9 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -60,9 +58,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "99dcf974-6587-4f65-9252-d866a3fdfd9c" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Resources: Investigation Guide"] +tags = [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", + "Resources: Investigation Guide", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -74,4 +78,5 @@ reference = "https://attack.mitre.org/techniques/T1110/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml index 108d1f6a6d8..7bef2ab7db8 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml @@ -2,9 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -28,9 +26,14 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] +tags = [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -42,4 +45,5 @@ reference = "https://attack.mitre.org/techniques/T1110/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml index 5a7340a19d0..a7db1669252 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml 
@@ -2,16 +2,14 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job found an unusually large spike in successful authentication events from a particular -source IP address. This can be due to password spraying, user enumeration or brute force activity. +A machine learning job found an unusually large spike in successful authentication events from a particular source IP +address. This can be due to password spraying, user enumeration or brute force activity. """ false_positives = [ """ @@ -53,9 +51,16 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "e26aed74-c816-40d3-a810-48d6fbd8b2fd" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -78,11 +83,14 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml index 208bb5ed2c4..99b868e36b7 100644 --- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/22" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -27,20 +25,26 @@ name = "Unusual Linux Process Calling the Metadata Service" risk_score = 21 rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.005" +name = "Cloud Instance Metadata API" +reference = "https://attack.mitre.org/techniques/T1552/005/" - [[rule.threat.technique.subtechnique]] - id = "T1552.005" - name = "Cloud Instance Metadata API" - reference = "https://attack.mitre.org/techniques/T1552/005/" [rule.threat.tactic] diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml index 70948500db1..c9b15fd4751 100644 --- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml +++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/09/22" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -27,23 +25,30 @@ name = "Unusual Linux User Calling the Metadata Service" risk_score = 21 rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.005" +name = "Cloud Instance Metadata API" +reference = "https://attack.mitre.org/techniques/T1552/005/" - [[rule.threat.technique.subtechnique]] - id = "T1552.005" - name = "Cloud Instance Metadata API" - reference = "https://attack.mitre.org/techniques/T1552/005/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml index 3520d541d95..ce9acc37043 100644 --- a/rules/ml/credential_access_ml_suspicious_login_activity.toml +++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -25,9 +23,14 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] +tags = [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml index 2885596e757..708f48dd65d 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/22" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
@@ -27,24 +25,30 @@ name = "Unusual Windows Process Calling the Metadata Service" risk_score = 21 rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.005" +name = "Cloud Instance Metadata API" +reference = "https://attack.mitre.org/techniques/T1552/005/" - [[rule.threat.technique.subtechnique]] - id = "T1552.005" - name = "Cloud Instance Metadata API" - reference = "https://attack.mitre.org/techniques/T1552/005/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml index 4ef68ed7067..783424170e7 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/22" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -27,24 +25,30 @@ name = "Unusual Windows User Calling the Metadata Service" risk_score = 21 rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Credential Access", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.005" +name = "Cloud Instance Metadata API" +reference = "https://attack.mitre.org/techniques/T1552/005/" - [[rule.threat.technique.subtechnique]] - id = "T1552.005" - name = "Cloud Instance Metadata API" - reference = "https://attack.mitre.org/techniques/T1552/005/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml index ed009b8739c..c796520526c 100644 --- a/rules/ml/discovery_ml_linux_system_information_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -29,7 +27,14 @@ name = "Unusual Linux System Information Discovery Activity" risk_score = 21 rule_id = "d4af3a06-1e0a-48ec-b96a-faf2309fae46" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Discovery", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml index 8dde1a9c8a4..016916bf3cc 100644 --- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2024/05/21" [rule] anomaly_threshold = 25 @@ -29,7 +27,14 @@ name = "Unusual Linux Network Configuration Discovery" risk_score = 21 rule_id = "f9590f47-6bd5-4a49-bd49-a2f886476fb9" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Discovery", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml index d92e316c95f..240ea84f8e6 100644 --- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml 
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 25 @@ -29,7 +27,14 @@ name = "Unusual Linux Network Connection Discovery" risk_score = 21 rule_id = "c28c4d8c-f014-40ef-88b6-79a1d67cd499" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Discovery", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml index 13dc6631526..236077e3190 100644 --- a/rules/ml/discovery_ml_linux_system_process_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
@@ -29,7 +27,14 @@ name = "Unusual Linux Process Discovery Activity" risk_score = 21 rule_id = "5c983105-4681-46c3-9890-0c66d05e776b" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Discovery", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml index 8ef0695868e..fedcc03086d 100644 --- a/rules/ml/discovery_ml_linux_system_user_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -29,7 +27,14 @@ name = "Unusual Linux User Discovery Activity" risk_score = 21 rule_id = "59756272-1998-4b8c-be14-e287035c4d10" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Discovery", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index 9d4ac076c7f..6818f720d45 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml +++ b/rules/ml/execution_ml_windows_anomalous_script.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -26,28 +24,35 @@ machine_learning_job_id = ["v3_windows_anomalous_script"] name = "Suspicious Powershell Script" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"] + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] risk_score = 21 rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Execution", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] - id = "T1059.001" - name = "PowerShell" - reference = "https://attack.mitre.org/techniques/T1059/001/" - [rule.threat.tactic] id = "TA0002" name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml index 62b9e5aa4e5..5c318758f9f 100644 --- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml @@ -2,9 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -47,9 +45,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "745b0119-0560-43ba-860a-7235dd8cee8d" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"] +tags = [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -62,3 +66,4 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml index 8246bb11033..5a1520d9f3b 100644 --- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml +++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 @@ -25,9 +23,14 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] +tags = [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -40,3 +43,4 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml index d8d0e3fb33c..18af4302fd7 100644 --- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml 
@@ -2,17 +2,15 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of -detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user -has left the organization) that becomes active may be due to credentialed access using a compromised account password. +detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has +left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application. """ false_positives = [ @@ -54,9 +52,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "138c5dd5-838b-446e-b1ac-c995c7f8108a" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"] +tags = [ + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", + "Resources: Investigation Guide", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -67,12 +71,16 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml index 686ef15bb28..bc5582d144b 100644 --- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml +++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -41,9 +39,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "b347b919-665f-4aac-b9e8-68369bf2340c" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml index ffd6ad72338..7bae0eb9882 100644 --- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml +++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -42,9 +40,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -55,11 +59,14 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml index b5289e0ad42..66e6ed0a0d2 100644 --- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
@@ -35,9 +33,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Initial Access", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -49,4 +53,5 @@ reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml index 22fb46f5804..e953addcff0 100644 --- a/rules/ml/ml_high_count_network_denies.toml +++ b/rules/ml/ml_high_count_network_denies.toml 
@@ -2,25 +2,23 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected an unusually large spike in network traffic that was -denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by -either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. -Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), -or engage in data exfiltration, may produce a burst of failed connections. This could also -be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service -attacks or traffic floods may also produce such a surge in traffic. +A machine learning job detected an unusually large spike in network traffic that was denied by network access control +lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured +application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to +connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This +could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or +traffic floods may also produce such a surge in traffic. """ false_positives = [ """ - A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert. + A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger + this alert. """, ] from = "now-30m" 
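Review bot: The re-wrapped false_positives text on the new side of this hunk still carries the typo `misconfgured` (`+    A misconfgured network application or firewall may trigger this alert.`), while the sibling rule ml_high_count_network_events.toml in the next hunk spells it `misconfigured`. Since the file is being re-saved anyway, the fix is the one word: `A misconfigured network application or firewall may trigger this alert. Security scans or test cycles may trigger`. The description above it uses `mis-configured`; either spelling is fine, but the two strings should agree.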
@@ -32,5 +30,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] type = "machine_learning" + diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml index 6679f414745..1218c64e54e 100644 --- a/rules/ml/ml_high_count_network_events.toml +++ b/rules/ml/ml_high_count_network_events.toml 
@@ -2,25 +2,22 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, -if not caused by a surge in business activity, can be due to suspicious or malicious activity. -Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually -large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may -also produce such a surge in traffic. +A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a +surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a +burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. +Denial-of-service attacks or traffic floods may also produce such a surge in traffic. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve an unusual surge in network traffic, - can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. - A misconfigured network application or firewall may trigger this alert. + Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this + alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network + application or firewall may trigger this alert. """, ] from = "now-30m" 
@@ -32,5 +29,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] type = "machine_learning" + diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index b1e96b6762a..97ddd9a53ec 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -34,6 +32,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", +] type = "machine_learning" diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index c27a15a5c57..8b0838f66cb 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -24,6 +22,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", +] type = "machine_learning" diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index 4dcc51b2f79..f8623cc1f77 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -33,6 +31,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] type = "machine_learning" diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index 875c9fe0987..b496dfbd435 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml 
@@ -2,30 +2,26 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected a rare destination country name in the network logs. -This can be due to initial access, persistence, command-and-control, or exfiltration activity. -For example, when a user clicks on a link in a phishing email or opens a malicious document, -a request may be sent to download and run a payload from a server in a country which does not -normally appear in network traffic or business work-flows. Malware instances and persistence -mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, -which may be an unusual destination country for the source network. +A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, +persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing +email or opens a malicious document, a request may be sent to download and run a payload from a server in a country +which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms +may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual +destination country for the source network. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve a business relationship with an - organization in a country that does not routinely appear in network events, can trigger this alert. 
- A new business workflow with an organization in a country with which no workflows previously - existed may trigger this alert - although the model will learn that the new destination country - is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many - countries for brief periods may trigger this alert. + Business workflows that occur very occasionally, and involve a business relationship with an organization in a + country that does not routinely appear in network events, can trigger this alert. A new business workflow with an + organization in a country with which no workflows previously existed may trigger this alert - although the model + will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business + travelers who roam to many countries for brief periods may trigger this alert. """, ] from = "now-30m" @@ -37,5 +33,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] type = "machine_learning" + diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 7e7d8b45901..9066dda2475 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml @@ -2,9 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -18,10 +16,10 @@ infrastructure in their country of origin, which may be an unusual destination c """ false_positives = [ """ - Business workflows that occur very occasionally, and involve an unusual surge in network traffic - to one destination country, can trigger this alert. A new business workflow or a surge in business - activity in a particular country may trigger this alert. Business travelers who roam to many - countries for brief periods may trigger this alert if they engage in volumetric network activity. + Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination + country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may + trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they + engage in volumetric network activity. """, ] from = "now-30m" @@ -70,5 +68,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "c7db5533-ca2a-41f6-a8b0-ee98abe0f573" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] type = "machine_learning" + diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 33889273961..56b7637a327 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
@@ -37,6 +35,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", +] type = "machine_learning" diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml index 75f0ca41666..8de5f286491 100644 --- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
@@ -66,24 +64,31 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "647fc812-7996-4795-8869-9c4ea595fe88" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique.subtechnique]] - id = "T1543.003" - name = "Windows Service" - reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml index a5e44c9f7f6..224077d6f73 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
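Review bot: The subtechnique re-emitted on the new side of this hunk (`+id = "T1543.003"`, `+name = "Windows Service"`) sits in persistence_ml_linux_anomalous_process_all_hosts.toml, a rule tagged `OS: Linux`, which looks like the wrong ATT&CK mapping. The sibling Linux rule in this commit, persistence_ml_rare_process_by_host_linux.toml, maps the same T1543 technique to `T1543.002` / `Systemd Service`, which is presumably what was intended here too. The commit only unindents these lines, so the mismatch predates it, but since the rule is being re-saved it is a cheap fix: `id = "T1543.002"`, `name = "Systemd Service"`, `reference = "https://attack.mitre.org/techniques/T1543/002/"` — worth confirming with the rule's authors before changing the mapping.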
@@ -66,24 +64,30 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "46f804f5-b289-43d6-a881-9387cf594f75" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" - [[rule.threat.technique.subtechnique]] - id = "T1543.002" - name = "Systemd Service" - reference = "https://attack.mitre.org/techniques/T1543/002/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index 93bfc627f4e..280215b6f2f 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml 
@@ -2,26 +2,33 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] - [[transform.osquery]] - label = "Osquery - Retrieve DNS Cache" - query = "SELECT * FROM dns_cache" - - [[transform.osquery]] - label = "Osquery - Retrieve All Services" - query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" - [[transform.osquery]] - label = "Osquery - Retrieve Services Running on User Accounts" - query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)" +[[transform.osquery]] +label = "Retrieve Service Unisgned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE 
authenticode.result != 'trusted' +""" - [[transform.osquery]] - label = "Retrieve Service Unisgned Executables with Virustotal Link" - query = "SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'" [rule] anomaly_threshold = 50 @@ -107,22 +114,28 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique.subtechnique]] - id = "T1543.003" - name = "Windows Service" - reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml index b326a14ace5..dbcb5d48cfd 100644 --- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml +++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml 
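Review bot: The third osquery transform rewritten on the new side of this hunk ("Osquery - Retrieve Services Running on User Accounts") ends its WHERE clause with `user_account == null`, which in SQLite (osquery's query engine) evaluates to NULL rather than true or false; that NULL propagates through the `OR` and the outer `NOT`, so if I have the three-valued logic right the predicate is NULL for every row and the query returns nothing, including services that do run under user accounts. The intended exclusion is `user_account IS NULL`, i.e. `NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL)`. This predates the commit, which only converts the string to a multi-line literal, but the analyst-facing investigation query is worth fixing while the file is touched. The same hunk also re-emits the label typo `Retrieve Service Unisgned Executables with Virustotal Link`, which should read `Retrieve Service Unsigned Executables with Virustotal Link`.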
@@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -31,22 +29,28 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Tactic: Execution", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique.subtechnique]] - id = "T1543.003" - name = "Windows Service" - reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" @@ -58,13 +62,12 @@ framework = "MITRE ATT&CK" id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" - [[rule.threat.technique.subtechnique]] - id = "T1204.002" - name = "Malicious File" - reference = "https://attack.mitre.org/techniques/T1204/002/" - [rule.threat.tactic] id = "TA0002" 
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml index dd5bcb42486..b3a28a2b751 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -116,7 +114,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Tactic: Execution", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index f6c91534371..e7d43de5ed1 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -119,7 +117,15 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", + "Resources: Investigation Guide", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index 301458aaeb3..ebd2420f362 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 
@@ -29,24 +27,30 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Persistence", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique.subtechnique]] - id = "T1543.003" - name = "Windows Service" - reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml index 93d94089aa8..adc9dacabe5 100644 --- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 75 
@@ -27,7 +25,14 @@ name = "Unusual Sudo Activity" risk_score = 21 rule_id = "1e9fc667-9ff1-4b33-9f40-fefca8537eb0" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", +] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 9aa047528d8..62175943783 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -29,12 +27,20 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + 
diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml index 03c4d43ef56..ca7bed0a274 100644 --- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml +++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/07/27" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] anomaly_threshold = 50 @@ -28,22 +26,30 @@ name = "Anomalous Linux Compiler Activity" risk_score = 21 rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Resource Development"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Resource Development", +] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1588" name = "Obtain Capabilities" reference = "https://attack.mitre.org/techniques/T1588/" +[[rule.threat.technique.subtechnique]] +id = "T1588.001" +name = "Malware" +reference = "https://attack.mitre.org/techniques/T1588/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1588.001" - name = "Malware" - reference = "https://attack.mitre.org/techniques/T1588/001/" [rule.threat.tactic] id = "TA0042" name = "Resource Development" -reference = "https://attack.mitre.org/tactics/TA0042/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0042/" + 
diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml index 276db49d014..832e6fb03bd 100644 --- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml +++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml index de552073757..be14096630a 100644 --- a/rules/network/command_and_control_cobalt_strike_beacon.toml +++ b/rules/network/command_and_control_cobalt_strike_beacon.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml index facaf30f05a..6086b36e1b0 100644 --- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml +++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/05" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml index fbade0aa655..22f2f919a57 100644 --- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml +++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/02" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml index f4e43921e1c..5766270a1ac 100644 --- a/rules/network/command_and_control_fin7_c2_behavior.toml +++ b/rules/network/command_and_control_fin7_c2_behavior.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/11/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml index 3cbbd7070eb..db956efc006 100644 --- a/rules/network/command_and_control_halfbaked_beacon.toml +++ b/rules/network/command_and_control_halfbaked_beacon.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index 8c76d249a3d..94a0c475033 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index 8f2fdafa60d..d25a8aeb18b 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/18" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index 1b1cc835db8..6cfbbf0697e 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index 5c07d16045f..d410f7aaafd 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index 450ea79d329..09da32e8eed 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 856e8943d86..2fc61ba3226 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml 
@@ -2,21 +2,19 @@ creation_date = "2023/05/17" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = ''' -This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target -network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and -weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized -access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts -from one source host to 10 or more destination hosts on commonly used network services. -''' +description = """ +This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, +identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. +This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data +theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one +source host to 10 or more destination hosts on commonly used network services. +""" from = "now-9m" -index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*",] +index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"] language = "kuery" license = "Elastic License v2" max_signals = 5 
@@ -24,44 +22,46 @@ name = "Potential Network Sweep Detected" risk_score = 21 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d" severity = "low" -tags = ["Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring" - ] -type = "threshold" +tags = [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" - [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" + + [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -71,6 +71,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/" field = ["source.ip"] value = 1 [[rule.threshold.cardinality]] - field = "destination.ip" value = 100 + + diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml index fb8c8d8566d..1593f34d2f3 100644 --- a/rules/network/discovery_potential_port_scan_detected.toml +++ b/rules/network/discovery_potential_port_scan_detected.toml 
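Review bot: The threshold this hunk carries over, `[[rule.threshold.cardinality]]` with `field = "destination.ip"` and `value = 100`, does not match the description rewritten in the preceding hunk, which says the rule fires on "connection attempts from one source host to 10 or more destination hosts". Since the description is being reflowed anyway, this is the moment to make the two agree; which one is authoritative is not visible here, so either change the description to `source host to 100 or more destination hosts on commonly used network services.` or lower the cardinality to `value = 10`, matching what the rule is actually tuned for. A reader comparing the rule text with its alerting behavior will otherwise conclude one of them is wrong.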
@@ -2,20 +2,18 @@ creation_date = "2023/05/17" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = ''' +description = """ This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a -target system or network for open ports, allowing them to identify available services and potential vulnerabilities. -By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining +target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By +mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further -exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts -from one source host to 20 or more destination ports. -''' +exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from +one source host to 20 or more destination ports. +""" from = "now-9m" index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"] language = "kuery" 
@@ -25,44 +23,45 @@ name = "Potential Network Scan Detected" risk_score = 21 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b" severity = "low" -tags = ["Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring" - ] -type = "threshold" +tags = [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" - [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" + + [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -71,7 +70,8 @@ reference = "https://attack.mitre.org/tactics/TA0043/" [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 - [[rule.threshold.cardinality]] field = "destination.port" value = 250 + + diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml index 2ad59638ed8..f5a5dca5273 100644 --- a/rules/network/discovery_potential_syn_port_scan_detected.toml +++ b/rules/network/discovery_potential_syn_port_scan_detected.toml 
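Review bot: The cardinality threshold kept by the second hunk, `field = "destination.port"` with `value = 250`, contradicts the description rewritten just above, which says the rule checks for "connection attempts from one source host to 20 or more destination ports". The description change in this commit is only a reflow, so the discrepancy predates it, but it is worth fixing while the text is being touched: either `value = 20` or `one source host to 250 or more destination ports.`, depending on which figure the rule was tuned to. The intended value is not recoverable from the diff, so the author should confirm before picking one.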
@@ -2,20 +2,18 @@ creation_date = "2023/05/17" integration = ["endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = ''' +description = """ This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a -target network for open ports by sending SYN packets to multiple ports and observing the response. -Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, -allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its -security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic -to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. -''' +target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this +method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch +targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading +to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts +from one source host to 10 or more destination ports using 2 or less packets per port. +""" from = "now-9m" index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"] language = "kuery" 
@@ -25,44 +23,45 @@ name = "Potential SYN-Based Network Scan Detected" risk_score = 21 rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409" severity = "low" -tags = ["Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring" - ] -type = "threshold" +tags = [ + "Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" - [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" + + [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -71,7 +70,8 @@ reference = "https://attack.mitre.org/tactics/TA0043/" [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 - [[rule.threshold.cardinality]] field = "destination.port" value = 250 + + diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 3dcd1d6438f..1d7743ba002 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml 
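Review bot: The description rewritten above states "10 or more destination ports using 2 or less packets per port", while the threshold retained in the second hunk is `field = "destination.port"` with `value = 250`; the `network.packets <= 2` part of the query matches the text, but the port count does not. As with the sibling port-scan rule, either the description should read `from one source host to 250 or more destination ports using 2 or less packets per port.` or the cardinality should be `value = 10`. I cannot tell from the hunk which number the rule was validated against, so this needs the author's confirmation rather than a blind edit.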
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index ce2e6f9b0c3..0f11c90843c 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -2,10 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" - +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index 78207358281..cdb0744ec99 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -2,10 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" - +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index fa1a06c6aba..8f51cb76b9c 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml 
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/11" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml index ad311c66b4c..38b0ec200b3 100644 --- a/rules/network/lateral_movement_dns_server_overflow.toml +++ b/rules/network/lateral_movement_dns_server_overflow.toml @@ -2,9 +2,7 @@ creation_date = "2020/07/16" integration = ["network_traffic"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml index d643f37fbe6..a438cc58550 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml 
@@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link -in the rule.reference column for additional information. +Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,24 +30,26 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1003.001" - name = "LSASS Memory" - reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index 08734f9dda1..54622033143 100644 
--- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml @@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link -in the rule.reference column for additional information. +Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] 
@@ -32,26 +30,29 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1003.001" - name = "LSASS Memory" - reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index 8866e3f788d..37dae90c425 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml 
@@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the -link in the rule.reference column for additional information. +Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,8 +30,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index c8865ab255e..cbf07ce6b21 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -32,8 +30,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index 22c4fdbc579..d00be854558 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,8 +30,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index 58870383f83..917f0ab088b 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml 
@@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,8 +30,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index f8509c3a851..d6e5e4b7667 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,8 +30,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) 
diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index fff5c779778..891c48a3e07 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -31,14 +29,20 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" -tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] -type = "query" +tags = [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -46,7 +50,6 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -54,7 +57,9 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + 
diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index b9e85a7bde9..8d924b7e725 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -31,14 +29,20 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" -tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] -type = "query" +tags = [ + "Data Source: Elastic Endgame", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -46,7 +50,6 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -54,7 +57,9 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + 
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index 8f657c450fb..1eb2d1a0d7d 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2020/07/08" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -12,7 +10,15 @@ description = """ Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. """ -index = ["apm-*-transaction*", "traces-apm*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] +index = [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*", +] language = "kuery" license = "Elastic License v2" max_signals = 10000 @@ -47,25 +53,25 @@ value = "" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -value = "21" severity = "low" +value = "21" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -value = "47" severity = "medium" +value = "47" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -value = "73" severity = "high" +value = "73" [[rule.severity_mapping]] field = "event.severity" operator = "equals" -value = "99" severity = "critical" +value = "99" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index caef5f6abe9..8155bb2f92e 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml 
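Review bot: The `@@ -47,25 +53,25 @@` hunk only swaps the order of `severity` and `value` inside each `[[rule.severity_mapping]]` table, but a reader has to verify four pairings by eye (`21`→`low`, `47`→`medium`, `73`→`high`, `99`→`critical`) because a mis-pairing here would silently change the severity assigned to every external alert. The pairs are intact in this diff. This key re-sorting comes from the TOML writer and is unrelated to dropping the stack floor; landing the format-only rewrite as its own commit (or running it first) would leave the version-lock trim as a small, auditable change.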
@@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the -link in the rule.reference column for additional information. +Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link +in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,9 +45,9 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index b9ddee16d41..3d28513a582 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml 
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml @@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the -link in the rule.reference column for additional information. +Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link +in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +45,9 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index 0a81cdd2fe7..2e8870a4bed 100644 
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in -the rule.reference column for additional information. +Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the +rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +45,9 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 5c4cd362f22..24e914d7863 100644 
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in -the rule.reference column for additional information. +Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the +rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +45,9 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + 
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index 430a3a2c8ae..1eea20d6f70 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in -the rule.reference column for additional information. +Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the +rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -46,7 +45,9 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index 3451dafac36..8b96514519b 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml @@ -1,16 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/13" promotion = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link -in the rule.reference column for additional information. +Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] 
@@ -32,13 +30,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -type = "query" timestamp_override = "event.ingested" +type = "query" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +45,9 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml index b035f8891dc..6999edfe0cc 100644 --- a/rules/windows/collection_email_outlook_mailbox_via_com.toml +++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml @@ -2,15 +2,13 @@ creation_date = "2023/01/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.4.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect -sensitive information or send email on their behalf via API. +Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may +target user email to collect sensitive information or send email on their behalf via API. """ from = "now-9m" index = ["logs-endpoint.events.process*"] 
@@ -23,7 +21,13 @@ references = [ risk_score = 47 rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -51,34 +55,32 @@ framework = "MITRE ATT&CK" id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" - [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" reference = "https://attack.mitre.org/techniques/T1114/001/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" - [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index cf05245b64e..83b9dd436a5 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -75,7 +73,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index b6f3ca45e0c..31e807680ad 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -80,7 +78,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml index 55925895ec6..b0ce9e211c5 100644 --- a/rules/windows/collection_posh_mailbox.toml +++ b/rules/windows/collection_posh_mailbox.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -81,7 +79,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index ac8582774c2..bf6cba3bc82 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -76,7 +74,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/windows/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml index f695abe94bf..1def216d61c 100644 --- a/rules/windows/collection_posh_webcam_video_capture.toml +++ b/rules/windows/collection_posh_webcam_video_capture.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/18" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -17,7 +15,9 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Webcam Video Capture Capabilities" -references = ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"] +references = [ + "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py", +] risk_score = 47 rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43" setup = """## Setup @@ -39,7 +39,13 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 723a176a9ac..9c69091a8f2 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -61,7 +59,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -91,6 +97,11 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" @@ -100,11 +111,6 @@ id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" -[[rule.threat.technique]] -id = "T1005" -name = "Data from Local System" -reference = "https://attack.mitre.org/techniques/T1005/" - [rule.threat.tactic] diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index 81677f328ac..ceaf3e4b869 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,13 +29,21 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ -Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL. +Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a +remote URL. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Potential File Transfer via Certreq" @@ -98,7 +104,16 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"] risk_score = 47 rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Command and Control", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -120,8 +135,6 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -134,7 +147,6 @@ reference = "https://attack.mitre.org/techniques/T1218/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -142,6 +154,7 @@ id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index d7592550d09..f294ae46563 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/10" +updated_date = "2024/05/21" [transform] [[transform.osquery]] diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index d16761b8f6e..0c1b178a324 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ This rule identifies a large number (15) of nslookup.exe executions with an expl
 may indicate command and control activity utilizing the DNS protocol.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential DNS Tunneling via NsLookup"
@@ -62,7 +66,7 @@ tags = [
 "Tactic: Command and Control",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 type = "eql"
@@ -84,11 +88,13 @@ id = "T1071.004"
 name = "DNS"
 reference = "https://attack.mitre.org/techniques/T1071/004/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index de1adf85abd..798d6db68e5 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -28,7 +26,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml
index 8c844b616e4..f435dd9dd0a 100644
--- a/rules/windows/command_and_control_headless_browser.toml
+++ b/rules/windows/command_and_control_headless_browser.toml
@@ -2,10 +2,7 @@ creation_date = "2024/05/10"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/05/10"
-
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +11,13 @@ Identifies the use of a browser to download a file from a remote URL and from a
 may use browsers to avoid ingress tool transfer restrictions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential File Download via a Headless Browser"
@@ -46,7 +49,16 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Msedge/"]
 risk_score = 73
 rule_id = "5f2f463e-6997-478c-8405-fb41cc283281"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Windows", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Windows",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -73,3 +85,4 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index 7c6e094806e..79424244132 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/28"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -22,7 +20,13 @@ name = "Potential Command and Control via Internet Explorer"
 risk_score = 47
 rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml index 372f5589dbc..d0be4efa74a 100644 --- a/rules/windows/command_and_control_ingress_transfer_bits.toml +++ b/rules/windows/command_and_control_ingress_transfer_bits.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,10 +29,11 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ -Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). +Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads. """ from = "now-9m" @@ -115,7 +114,14 @@ references = ["https://attack.mitre.org/techniques/T1197/"] risk_score = 21 rule_id = "f95972d3-c23b-463b-89a8-796b3f369b49" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Command and Control", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -151,8 +157,6 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -165,3 +169,4 @@ reference = "https://attack.mitre.org/techniques/T1197/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
index a317700b84c..c4ba502002c 100644
--- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
@@ -2,9 +2,7 @@ creation_date = "2023/04/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
-min_stack_version = "8.4.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -15,12 +13,17 @@ when a process is started whose name or code signature resembles commonly abused
 indicating the host has not seen this RAT process started before within the last 30 days.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "endgame-*", "winlogbeat-*", "logs-windows.*", "logs-system.security*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "endgame-*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "logs-system.security*",
+]
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen Commonly Abused Remote Access Tool Execution"
-note = """
-## Triage and analysis
+note = """## Triage and analysis
 ### Investigating First Time Seen Commonly Abused Remote Access Tool Execution
@@ -56,12 +59,20 @@ This rule detects when a remote access tool is seen in the environment for the f
 references = [
 "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
 "https://attack.mitre.org/techniques/T1219/",
- "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json"
+ "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json",
 ]
 risk_score = 47
 rule_id = "6e1a2cc4-d260-11ed-8829-f661ea17fbcc"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 1ebdb84c2b9..80a061822cb 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,9 +2,7 @@ creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 42c16fe3f07..96ac992cd70 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,9 +2,7 @@ creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index 092dbd69dd2..27a223a2d66 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/04/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 26e228aa908..40905e4241c 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/04/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -39,7 +37,12 @@ Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) bei
 from a remote destination.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.network-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via Script Interpreter"
@@ -96,7 +99,16 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr
 risk_score = 47
 rule_id = "1d276579-3380-4095-ad38-e596a01bc64f"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
@@ -120,7 +132,6 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index d1c62d1fc43..fd34ad33bac 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -2,9 +2,7 @@ creation_date = "2020/12/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -99,7 +97,14 @@ references = [
 risk_score = 73
 rule_id = "22599847-5d13-48cb-8872-5796fee8692b"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index b5c92ad1e3b..d7526688acf 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,9 +2,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -90,7 +88,9 @@ TeamViewer is a remote access and remote control tool used by helpdesks and syst
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
+references = [
+ "http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html",
+]
 risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
 setup = """## Setup
@@ -109,7 +109,7 @@ tags = [
 "Tactic: Command and Control",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml
index 2efd54755c8..c917c234ff0 100644
--- a/rules/windows/credential_access_adidns_wildcard.toml
+++ b/rules/windows/credential_access_adidns_wildcard.toml
@@ -2,9 +2,7 @@ creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/26"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,8 @@ Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match -records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing. +records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS +spoofing. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] @@ -22,7 +21,7 @@ license = "Elastic License v2" name = "Potential ADIDNS Poisoning via Wildcard Record Creation" references = [ "https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/", - "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing" + "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing", ] risk_score = 73 rule_id = "8f242ffb-b191-4803-90ec-0f19942e17fd" @@ -55,7 +54,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "eql" @@ -74,7 +73,6 @@ name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml index 1862372c9e1..3fbdbc21801 100644 --- a/rules/windows/credential_access_bruteforce_admin_account.toml 
+++ b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -2,9 +2,7 @@ creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -105,7 +103,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
index 72152568381..401b9edca43 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
@@ -2,9 +2,7 @@ creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -109,7 +107,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", +] type = "eql" query = ''' diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml index ec73c39053f..008bf363ef3 100644 --- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml +++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/29" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ 
@@ -98,10 +97,10 @@ This rule identifies potential password guessing/brute force activity from a sin
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624",
- "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity",
- "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624",
+ "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity",
+ "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638",
 ]
 risk_score = 47
 rule_id = "48b6edfc-079d-4907-b43c-baffa243270d"
@@ -110,7 +109,13 @@ setup = """## Setup
 - In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index ae6317cf163..bf507361849 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies the execution of known Windows utilities often abused to dump LSASS m
 (NTDS.dit) in preparation for credential access.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Windows Utilities"
@@ -71,7 +75,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -134,7 +138,6 @@ reference = "https://attack.mitre.org/techniques/T1003/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index c456ca719ca..adeb495cf61 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -2,9 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic", "Austin Songer"] description = """ @@ -38,7 +37,13 @@ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o Those files contain sensitive information including hashed domain and/or local credentials. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -115,7 +120,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index 31b2b52835a..55c55eb6b13 100644 
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,9 +2,7 @@ creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/04/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -40,7 +38,12 @@ credential management. This technique is sometimes used for credential dumping.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.library-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Trusted Developer Utility"
@@ -100,7 +103,16 @@ This rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`,
 risk_score = 73
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
@@ -117,7 +129,6 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1003.002"
 name = "Security Account Manager"
@@ -133,11 +144,12 @@ id = "T1555.004"
 name = "Windows Credential Manager"
 reference = "https://attack.mitre.org/techniques/T1555/004/"
+
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 920ae22025c..02e0d783a19 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -2,16 +2,14 @@ creation_date = "2022/12/19"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
-min_stack_version = "8.4.0"
-updated_date = "2024/01/29"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-This rule identifies when a User Account starts the Active Directory Replication Process for the first time.
-Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain,
-thus compromising the entire domain.
+This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers
+can use the DCSync technique to get credential information of individual accounts or the entire domain, thus
+compromising the entire domain.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
@@ -82,7 +80,16 @@ Audit Directory Service Access (Success,Failure) ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "new_terms" @@ -97,26 +104,23 @@ event.action:("Directory Service Access" or "object-operation-performed") and ev [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" -reference = "https://attack.mitre.org/techniques/T1003/" name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.006" +name = "DCSync" +reference = "https://attack.mitre.org/techniques/T1003/006/" - [[rule.threat.technique.subtechnique]] - id = "T1003.006" - reference = "https://attack.mitre.org/techniques/T1003/006/" - name = "DCSync" [rule.threat.tactic] id = "TA0006" -reference = "https://attack.mitre.org/tactics/TA0006/" name = "Credential Access" - +reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -136,7 +140,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserName"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-15d" + + diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index d5123d71fdf..8fbe4cfa043 100644 
--- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml @@ -2,9 +2,7 @@ creation_date = "2022/02/08" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/29" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -90,7 +88,7 @@ tags = [ "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "eql" @@ -140,11 +138,8 @@ reference = "https://attack.mitre.org/techniques/T1003/006/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml index 0d845d4645b..c181c9b2483 100644 --- a/rules/windows/credential_access_disable_kerberos_preauth.toml +++ b/rules/windows/credential_access_disable_kerberos_preauth.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/24" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -70,7 +68,17 @@ Audit User Account Management (Success,Failure) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", +] timestamp_override = "event.ingested" type = "query" @@ -96,11 +104,8 @@ reference = "https://attack.mitre.org/techniques/T1558/004/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -111,11 +116,8 @@ reference = "https://attack.mitre.org/techniques/T1562/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml index 2f42ee0b833..38220bc9131 100644 --- a/rules/windows/credential_access_dnsnode_creation.toml +++ b/rules/windows/credential_access_dnsnode_creation.toml @@ -2,9 +2,7 @@ creation_date = "2024/03/26" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/26" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -23,7 +21,7 @@ license = "Elastic License v2" name = "Creation of a DNS-Named Record" references = [ "https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/", - "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing" + "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing", ] risk_score = 21 rule_id = "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc" @@ -56,7 +54,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "eql" @@ -76,7 +74,6 @@ name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index 93eeb99a1b4..4af9d346d8e 100644 --- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml @@ -2,15 +2,19 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Credential Acquisition via Registry Hive Dumping" 
@@ -75,7 +79,7 @@ tags = [ "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml index 016c83147fe..8705924470f 100644 --- a/rules/windows/credential_access_generic_localdumps.toml +++ b/rules/windows/credential_access_generic_localdumps.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/28" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -28,7 +26,15 @@ references = [ risk_score = 47 rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml index 8bb38df6f9b..cfc6135483a 100644 --- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -30,7 +34,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index 6dfa8a0d359..cf304647967 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ access via a webshell or alike can decrypt and dump any hardcoded connection str password using aspnet_regiis command. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -34,7 +38,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index bf21ea7518b..9b74a09385e 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -112,7 +110,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml index 74860002414..7e9ca44a12d 100644 --- a/rules/windows/credential_access_ldap_attributes.toml +++ b/rules/windows/credential_access_ldap_attributes.toml @@ -2,9 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -41,7 +39,15 @@ Audit Directory Service Access (Success,Failure) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", +] timestamp_override = "event.ingested" type = "eql" @@ -89,11 +95,12 @@ id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" + + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml index 823684db598..414ba86564e 100644 --- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml +++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml @@ -2,9 +2,7 @@ creation_date = "2022/06/29" integration = ["windows"] maturity = "production" -min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." -min_stack_version = "8.8.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -30,7 +28,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index 3a59f2ce86d..dcb0c455ce6 100644 --- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -1,10 +1,8 @@ [metadata] creation_date = "2022/12/28" -maturity = "production" integration = ["endpoint"] -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,10 +16,7 @@ index = ["logs-endpoint.events.library-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Module Loaded by LSASS" -references = [ - "https://blog.xpnsec.com/exploring-mimikatz-part-2/", - "https://github.com/jas502n/mimikat_ssp" -] +references = ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"] risk_score = 47 rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97" setup = """## Setup 
@@ -33,7 +28,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -126,3 +127,4 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml index 8fe7c70f118..a982b362c06 100644 --- a/rules/windows/credential_access_lsass_memdump_file_created.toml +++ b/rules/windows/credential_access_lsass_memdump_file_created.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -115,7 +113,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c" timeline_title = "Comprehensive File Timeline" diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml index 955bd499781..ce971d46956 100644 --- a/rules/windows/credential_access_lsass_memdump_handle_access.toml 
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml @@ -2,9 +2,7 @@ creation_date = "2022/02/16" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -132,9 +130,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ - severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml index 97c80885a40..7a3135c6e28 100644 --- a/rules/windows/credential_access_lsass_openprocess_api.toml +++ b/rules/windows/credential_access_lsass_openprocess_api.toml @@ -2,9 +2,7 @@ creation_date = "2023/03/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: Lsass access events added in Elastic Endpoint 8.7." -min_stack_version = "8.7.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,18 +29,16 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] -description = """ -Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. -""" +description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n" from = "now-9m" index = ["logs-endpoint.events.api-*"] language = "eql" license = "Elastic License v2" name = "LSASS Process Access via Windows API" -note = """ -## Triage and analysis +note = """## Triage and analysis ### Investigating LSASS Process Access via Windows API @@ -109,7 +105,14 @@ references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomic risk_score = 47 rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -177,10 +180,8 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1106" name = "Native API" @@ -191,3 +192,4 @@ reference = "https://attack.mitre.org/techniques/T1106/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index 512134c1e76..03a0f56c4dd 100644 
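Review bot: `description` is re-serialized as a basic string ending in an escaped `\n` instead of the `"""` block, which keeps the trailing newline in the value but makes this the only rule in the diff whose description carries an inline escape; the other rewritten descriptions (the dcsync one, for instance) keep the block form. The value is unchanged, so this is a style point, but it suggests the writer falls back to a basic string for any value with a single trailing newline. I would either strip the trailing newline before saving, giving `description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory."` (the value then loses its trailing `\n`), or keep the block literal. The `"""` to `"""## Triage and analysis` change on `note` in the same hunk is harmless, since TOML trims the newline directly after the opening quotes.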
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/07" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -91,7 +89,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index 0e64e8c5fcf..4ae9a8e2014 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -87,7 +85,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 0ab094362f5..7c1240d4bea 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -2,9 +2,7 @@ creation_date = "2022/02/16" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -63,7 +61,7 @@ tags = [ "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index 94bacc832fc..2a95513aae3 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ 
@@ -106,7 +105,16 @@ references = [ risk_score = 47 rule_id = "54c3d186-0461-4dc3-9b33-2dc5c7473936" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml index 1b9c456659c..244493da593 100644 --- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml +++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -50,12 +48,19 @@ Invoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that wer - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1" + "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1", ] risk_score = 47 rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -83,16 +88,15 @@ framework = "MITRE ATT&CK" id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.002" +name = "Security Account Manager" +reference = "https://attack.mitre.org/techniques/T1003/002/" - [[rule.threat.technique.subtechnique]] - id = "T1003.002" - name = "Security Account Manager" - reference = "https://attack.mitre.org/techniques/T1003/002/" - - [[rule.threat.technique.subtechnique]] - id = "T1003.003" - name = "NTDS" - reference = "https://attack.mitre.org/techniques/T1003/003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.003" +name = "NTDS" +reference = "https://attack.mitre.org/techniques/T1003/003/" 
@@ -100,26 +104,23 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] - id = "T1059.001" - name = "PowerShell" - reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -127,7 +128,9 @@ id = "T1006" name = "Direct Volume Access" reference = "https://attack.mitre.org/techniques/T1006/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml index f2b68cfab2f..25c3693adec 100644 --- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml +++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/26" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -62,9 +60,7 @@ This rule indicates the use of scripts that contain code capable of dumping Kerb - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = [ - "https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1", -] +references = ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"] risk_score = 47 rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56" setup = """## Setup @@ -86,7 +82,13 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -119,7 +121,6 @@ name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index f25b1457076..801b74645c3 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/05" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -80,7 +78,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml
index f3bf6ee056c..6b8c1c203c0 100644
--- a/rules/windows/credential_access_posh_relay_tools.toml
+++ b/rules/windows/credential_access_posh_relay_tools.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/27"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/27"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +20,7 @@ references = [
 "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1",
 "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1",
 "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1",
- "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"
+ "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1",
 ]
 risk_score = 47
 rule_id = "951779c2-82ad-4a6c-82b8-296c1f691449"
@@ -45,7 +43,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -70,12 +75,10 @@ name = "Adversary-in-the-Middle"
 reference = "https://attack.mitre.org/techniques/T1557/"
 
 
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -93,7 +96,6 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 02d8a9a5896..1e24dacafd7 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/24"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +74,14 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml
index 742e90e81ca..e7be3dd4ea0 100644
--- a/rules/windows/credential_access_posh_veeam_sql.toml
+++ b/rules/windows/credential_access_posh_veeam_sql.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -18,8 +16,8 @@ language = "kuery"
 license = "Elastic License v2"
 name = "PowerShell Script with Veeam Credential Access Capabilities"
 references = [
- "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
- "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"
+ "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
+ "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/",
 ]
 risk_score = 47
 rule_id = "5c602cba-ae00-4488-845d-24de2b6d8055"
@@ -42,7 +40,13 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -64,13 +68,13 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
 
 
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index 86ab80c45de..f62f2f7b30b 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/09/27"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
-min_stack_version = "8.8.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +27,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 88573df524b..7198111d2e0 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/04/30"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies attempt to coerce a local NTLM authentication via HTTP using the Wind
 An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Local NTLM Relay via HTTP"
@@ -25,7 +29,15 @@ references = [
 risk_score = 73
 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion","Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -53,7 +65,6 @@ reference = "https://attack.mitre.org/techniques/T1212/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -65,6 +76,8 @@ id = "T1218.011"
 name = "Rundll32"
 reference = "https://attack.mitre.org/techniques/T1218/011/"
 
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index 7219cc88bea..f3fde2b0828 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/03/01"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +74,7 @@ tags = [
 "Tactic: Lateral Movement",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index 73620d2f31b..0516afe2658 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index ac77a824edf..51f4b0da807 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ applications, and networks. An adversary may abuse this to list or dump credenti
 saved usernames and passwords. This may also be performed in preparation of lateral movement.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Searching for Saved Credentials via VaultCmd"
@@ -34,7 +38,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 85a166a8569..14298cfb550 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +83,7 @@ tags = [
 "Tactic: Persistence",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring"
+ "Use Case: Active Directory Monitoring",
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -98,24 +96,24 @@ event.action:"Authorization Policy Change" and event.code:4704 and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1558"
 name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
 
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index ae9a46865bd..80289225b8b 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -87,7 +85,15 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType W
 ```
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index 0825930bdd0..08e8f50ed6e 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -93,7 +91,7 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring"
+ "Use Case: Active Directory Monitoring",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index 5329acd6eb0..405ac2ab0a9 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/17"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -114,7 +113,14 @@ You will need to enable logging of ImageLoads in your Sysmon configuration to in
 File Name.
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Defense Evasion",
+ "Data Source: Sysmon",
+]
 type = "eql"
 
 query = '''
@@ -145,7 +151,6 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index 97598b0946f..c01731dfb94 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -2,15 +2,11 @@
 creation_date = "2023/01/22"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
-min_stack_version = "8.8.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
-description = """
-Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.
-"""
+description = "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.\n"
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
@@ -28,7 +24,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -77,3 +79,4 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index 9aeda8961a0..ad39fc43cbb 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/07"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
-min_stack_version = "8.8.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic:Execution", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic:Execution",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -69,10 +74,8 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index 6d82c6c07cc..7b152155ce7 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
-min_stack_version = "8.8.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
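Review bot: The rewritten tags array in the first hunk (`+tags = [` for credential_access_suspicious_lsass_access_memdump.toml) keeps `"Tactic:Execution"` without the space after the colon, while every other tactic tag in this file and in the sibling rules touched by this commit is written `"Tactic: Credential Access"` style; any saved search, dashboard or tag-based grouping that matches the exact string will miss this rule. Since the array is already being rewritten line by line, this is the natural place to normalize it to `"Tactic: Execution",`. The same malformed tag is visible only in this hunk; none of the other tag rewrites in this chunk carry it.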
@@ -30,7 +28,13 @@ This is meant to run only on datasources using Elastic Agent 7.14+ since version
 rule cardinality feature.
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "threshold"
 
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index 6e9b8c90f7e..0e25e99f8c7 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -84,7 +82,16 @@ Special Logon (Success)
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+]
 type = "eql"
 
 query = '''
@@ -115,6 +122,7 @@ name = "LSA Secrets"
 reference = "https://attack.mitre.org/techniques/T1003/004/"
 
 
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index f53f4c36a00..3178c34a607 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/12/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -14,7 +12,13 @@ copy, including sensitive files such as ntds.dit, System Boot Key and browser of
 """
 false_positives = ["Legitimate administrative activity related to shadow copies."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Symbolic Link to Shadow Copy Created"
@@ -98,7 +102,7 @@ tags = [
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -132,6 +136,7 @@ name = "NTDS"
 reference = "https://attack.mitre.org/techniques/T1003/003/"
 
 
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_veeam_backup_dll_imageload.toml b/rules/windows/credential_access_veeam_backup_dll_imageload.toml
index e34bf9c6e40..c22dbdbccee 100644
--- a/rules/windows/credential_access_veeam_backup_dll_imageload.toml
+++ b/rules/windows/credential_access_veeam_backup_dll_imageload.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +19,13 @@ name = "Veeam Backup Library Loaded by Unusual Process"
 risk_score = 47
 rule_id = "aaab30ec-b004-4191-95e1-4a14387ef6a6"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -42,13 +46,13 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
 
 
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml
index 5ca51f71353..e1f9cda0301 100644
--- a/rules/windows/credential_access_veeam_commands.toml
+++ b/rules/windows/credential_access_veeam_commands.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows", "endpoint", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/14"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,17 +11,29 @@ Identifies commands that can access and decrypt Veeam credentials stored in MSSQ
 Credentials to target backups as part of destructive operations such as Ransomware attacks.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Veeam Credential Access Command"
-references = [
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/"
-]
+references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]
 risk_score = 47
 rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -43,13 +53,13 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
 
 
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index 52f0314e2e7..a91ceeef23d 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/11/27"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +32,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml
index f8e76dc7d3c..a119ff10872 100644
--- a/rules/windows/credential_access_wireless_creds_dumping.toml
+++ b/rules/windows/credential_access_wireless_creds_dumping.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -36,7 +34,13 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Wireless Credential Dumping using Netsh Command"
@@ -96,7 +100,7 @@ tags = [
 "Tactic: Discovery",
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 131316e9398..d11eb4a9279 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,11 +29,18 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Adding Hidden File Attribute via Attrib" @@ -95,7 +100,16 @@ This rule looks for the execution of the `attrib.exe` utility with a command lin risk_score = 21 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" 
@@ -110,6 +124,16 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" +[[rule.threat.technique.subtechnique]] +id = "T1222.001" +name = "Windows File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/001/" + + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" @@ -119,15 +143,6 @@ id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" -[[rule.threat.technique]] -id = "T1222" -name = "File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/" - -[[rule.threat.technique.subtechnique]] -id = "T1222.001" -name = "Windows File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/001/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml index 426c4af7270..09965632f34 100644 --- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml +++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
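Review bot: The moved T1222 block ends with two added blank lines (`+` `+`) before the `[[rule.threat.technique]]` entry for T1564, whereas the equivalent T1112 moves in the other rules of this change leave exactly one blank line between technique tables. If these files are emitted by a formatter, the extra line will be re-emitted on every save and makes the threat section look as if a table is missing. One blank line, i.e. `reference = "https://attack.mitre.org/techniques/T1222/001/"` followed by a single empty line and then `[[rule.threat.technique]]`, keeps the section consistent with the rest of the diff.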
@@ -99,7 +97,14 @@ references = ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"] risk_score = 73 rule_id = "1f0a69c0-3392-4adf-b7d5-6012fd292da8" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 179b65d04a0..c4c9d646380 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml @@ -2,9 +2,7 @@ creation_date = "2021/06/01" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -90,7 +88,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -108,6 +106,11 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" 
@@ -117,10 +120,6 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index 655e82fbc22..02cf01896c1 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -2,9 +2,7 @@ creation_date = "2021/11/22" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] @@ -13,7 +11,13 @@ Identifies when a user attempts to clear console history. An adversary may clear account to conceal the actions undertaken during an intrusion. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Clearing Windows Console History" @@ -72,7 +76,7 @@ tags = [ "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -103,8 +107,6 @@ reference = "https://attack.mitre.org/techniques/T1070/003/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
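Review bot: Removing both blank lines here leaves `reference = "https://attack.mitre.org/tactics/TA0005/"` immediately followed by the next `[[rule.threat]]` table, so two top-level threat entries now touch with no separator, while the same change emits two blank lines before `[rule.threat.tactic]` elsewhere. TOML parses either way, but the uneven spacing makes tactic/technique boundaries harder to scan in review. Keeping one blank line between consecutive `[[rule.threat]]` tables would match the spacing used between technique tables in this diff.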
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 57e7f048919..4f102d07c43 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies attempts to clear or disable Windows event log stores using Windows w attackers in an attempt to evade detection or destroy forensic evidence on a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Clearing Windows Event Logs" @@ -67,7 +71,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -104,6 +108,7 @@ name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml index d3107aaaca2..00c645b62f7 100644 --- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/11/12" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/14" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Anabella Cristaldi"] @@ -51,7 +49,13 @@ This rule looks for the occurrence of clear actions on the `security` event log. risk_score = 21 rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml index 6115b3c49a0..6ab65745a84 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml 
@@ -2,32 +2,41 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ + [rule] author = ["Elastic"] description = """ -Identifies attempts to disable/modify the code signing policy through system native utilities. 
Code signing provides -authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. -By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. +Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides +authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By +allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Code Signing Policy Modification Through Built-in tools" @@ -89,7 +98,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -100,6 +109,7 @@ process where host.os.type == "windows" and event.type == "start" and process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -117,3 +127,4 @@ reference = "https://attack.mitre.org/techniques/T1553/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml index 83818ee7c4c..e78e90576e6 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml 
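Review bot: The two osquery queries are now wrapped inside their triple-quoted strings, which changes the query text by inserting newlines; that is harmless here because each break falls between tokens (`image,` / `issuer_name`, `drivers.image =` / `authenticode.path`) and SQL treats a newline as whitespace. A wrapper that breaks on column width alone could just as easily split the `'https://www.virustotal.com/gui/file/'` literal or the `"Microsoft"` comparison and silently corrupt the investigation query that analysts paste into osquery. If this wrapping is automated, it is worth a unit test asserting that the wrapped query, with newlines collapsed to single spaces, equals the original string.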
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml 
@@ -2,29 +2,32 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ + [rule] author = ["Elastic"] description = """ Identifies attempts to disable the code signing policy through the registry. 
Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the -execution of unsigned or self-signed code, threat actors can craft and execute malicious code. +execution of unsigned or self-signed code, threat actors can craft and execute malicious code. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"] @@ -90,7 +93,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -108,8 +111,14 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" @@ -119,12 +128,10 @@ id = "T1553.006" name = "Code Signing Policy Modification" reference = "https://attack.mitre.org/techniques/T1553/006/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index e04efcaf08a..dab7b4aa182 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml 
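Review bot: The final `+` adds an empty line after `reference = "https://attack.mitre.org/tactics/TA0005/"`, so the file now ends with a blank line rather than a single trailing newline, and the same hunk leaves two blank lines before `[rule.threat.tactic]`. The builtin-tools variant of this rule gains the same trailing blank in this change, while the other rule files touched here end directly after their last key. `git diff --check` and most editors flag trailing blank lines, and if the TOML writer appends it on save every later edit will carry the same noise; dropping the trailing empty line keeps the files uniform.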
@@ -2,9 +2,7 @@ creation_date = "2021/02/01" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -87,7 +85,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml index 1a8d0b4c3d2..c4c34892c00 100644 --- a/rules/windows/defense_evasion_cve_2020_0601.toml +++ b/rules/windows/defense_evasion_cve_2020_0601.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/19" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,13 @@ name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)" risk_score = 21 rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Use Case: Vulnerability", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 692f95c4541..7e37b32b77c 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -74,7 +72,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -111,6 +109,11 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -125,10 +128,6 @@ id = "T1562.006" name = "Indicator Blocking" reference = "https://attack.mitre.org/techniques/T1562/006/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 5153f7fac07..b85e2970d19 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/20" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ Identifies modifications to the Windows Defender configuration settings using Po directory or process level. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Windows Defender Exclusions Added via PowerShell" @@ -85,7 +89,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index d5f5f83718f..d124e4493e4 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is of files created during post-exploitation activities. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Delete Volume USN Journal with Fsutil" 
@@ -52,7 +56,15 @@ Consider using the Elastic Defend integration instead of USN Journal, as the Ela risk_score = 21 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml index 3097f5234db..0ce5ab8084f 100644 --- a/rules/windows/defense_evasion_disable_nla.toml +++ b/rules/windows/defense_evasion_disable_nla.toml 
@@ -2,17 +2,16 @@ creation_date = "2023/08/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows -that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate -before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the -Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys. +Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level +Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) +connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to +enable persistence methods that require access to the Windows sign-in screen without authenticating, such as +Accessibility Features persistence methods, like Sticky Keys. """ from = "now-9m" index = ["logs-endpoint.events.registry-*", "endgame-*"] @@ -25,7 +24,14 @@ references = [ risk_score = 21 rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml index 1cd8b9166a3..1a44c9d572b 100644 --- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml +++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/31" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -71,7 +69,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -87,6 +85,11 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -96,10 +99,6 @@ id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index 9cf70208dbc..c9988732958 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of the netsh.exe to disable or weaken the local firewall. Attacke disable the firewall during troubleshooting or to enable network mobility. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Disable Windows Firewall Rules via Netsh" @@ -65,7 +69,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index aaf6ed10787..9474e98a635 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml 
@@ -2,16 +2,20 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings." false_positives = ["Planned Windows Defender configuration changes."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Disabling Windows Defender Security Settings via PowerShell" @@ -74,7 +78,7 @@ tags = [ "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -106,7 +110,6 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index 88f47c9212f..a94a693fc6b 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/05/06" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Ivan Ninichuck", "Austin Songer"] @@ -13,7 +11,13 @@ Identifies attempts to disable EventLog via the logman Windows utility, PowerShe attackers in an attempt to evade detection on a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Disable Windows Event and Security Logs Using Built-in Tools" @@ -70,7 +74,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -106,7 +110,6 @@ reference = "https://attack.mitre.org/techniques/T1070/001/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml index a209f05faca..b86746d1b16 100644 --- a/rules/windows/defense_evasion_dns_over_https_enabled.toml +++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml 
@@ -2,9 +2,7 @@
 creation_date = "2021/07/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -33,7 +31,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -50,16 +56,16 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
 
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
 
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index d27ad7f9848..f1c529bde28 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -2,18 +2,22 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt
-to compile code after delivery in order to bypass security mechanisms.
+Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to
+compile code after delivery in order to bypass security mechanisms.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-windows.*",
+    "endgame-*",
+    "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious .NET Code Compilation"
@@ -28,7 +32,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -56,8 +68,6 @@ reference = "https://attack.mitre.org/techniques/T1027/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 31981e2baf0..ef508310ced 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies use of the network shell utility (netsh.exe) to enable inbound Remote
 the Windows Firewall.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-windows.*",
+    "endgame-*",
+    "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Desktop Enabled in Windows Firewall by Netsh"
@@ -71,7 +75,7 @@ tags = [
     "Tactic: Defense Evasion",
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend"
+    "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index a55b407c54d..55e86511a19 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ tool to weaken the host firewall settings.
 """
 false_positives = ["Host Windows Firewall planned system administration changes."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-windows.*",
+    "endgame-*",
+    "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Enable Host Network Discovery via Netsh"
@@ -67,7 +71,7 @@ tags = [
     "Tactic: Defense Evasion",
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend"
+    "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index e0a6b81cda9..4a9253a1d6d 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/09/08"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies unusual instances of Control Panel with suspicious keywords or paths
 Adversaries may abuse control.exe to proxy execution of malicious code.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+    "logs-endpoint.events.process-*",
+    "winlogbeat-*",
+    "logs-windows.*",
+    "endgame-*",
+    "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Control Panel Process with Unusual Arguments"
@@ -29,14 +33,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Tactic: Execution",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend"
-    ]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index ffffa6b44c0..08bbbf5abdf 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -38,7 +37,13 @@ Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load
 as a defense evasion technique to blend-in malicious activity with legitimate Windows software.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+    "logs-endpoint.events.process-*",
+    "winlogbeat-*",
+    "logs-windows.*",
+    "endgame-*",
+    "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "ImageLoad via Windows Update Auto Update Client"
@@ -105,14 +110,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Tactic: Execution",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend"
-    ]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index 3db2d939932..0eae0465c65 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +17,13 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-windows.*",
+    "endgame-*",
+    "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started by an Office Application"
@@ -93,7 +97,7 @@ tags = [
     "Tactic: Execution",
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend"
+    "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 865691b8540..254454f013c 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -29,13 +27,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Tactic: Execution",
-    "Data Source: Elastic Defend"
-    ]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
@@ -46,26 +45,26 @@ host.os.type:windows and event.category:process and event.type:start and (
     "wscript.exe" or "mshta.exe")
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1127"
 name = "Trusted Developer Utilities Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1127/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1127.001"
 name = "MSBuild"
 reference = "https://attack.mitre.org/techniques/T1127/001/"
 
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -74,10 +73,12 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.005"
 name = "Visual Basic"
@@ -93,7 +94,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "user.name", "process.command_line"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
+
+
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 23ac0085342..5ff9a093d59 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ Instrumentation) subsystem. This behavior is unusual and is sometimes used by ma
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-windows.*",
+    "endgame-*",
+    "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a System Process"
@@ -29,14 +33,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Tactic: Execution",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend"
-    ]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index ce9964174c8..4be38308433 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -114,7 +112,7 @@ tags = [
     "Data Source: Elastic Endgame",
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
-    "Data Source: Sysmon"
+    "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -137,6 +135,7 @@ id = "T1036.003"
 name = "Rename System Utilities"
 reference = "https://attack.mitre.org/techniques/T1036/003/"
 
+
 [[rule.threat.technique]]
 id = "T1127"
 name = "Trusted Developer Utilities Proxy Execution"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 2a3f2bad364..2ad7460557b 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -35,14 +33,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Tactic: Execution",
-    "Data Source: Elastic Defend"
-    ]
-
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
@@ -51,19 +49,19 @@ host.os.type:windows and event.category:process and event.type:start and process
 process.name:("csc.exe" or "iexplore.exe" or "powershell.exe")
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1027.004"
 name = "Compile After Delivery"
 reference = "https://attack.mitre.org/techniques/T1027/004/"
 
+
 [[rule.threat.technique]]
 id = "T1127"
 name = "Trusted Developer Utilities Proxy Execution"
@@ -83,7 +81,8 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "user.name"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
+
+
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 0cf09edbcd9..098ce048775 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -29,15 +27,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Tactic: Execution",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon"
-    ]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 974b024e38e..0b2228e7675 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic", "Dennis Perto"]
@@ -33,15 +31,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Data Source: Elastic Endgame",
-    "Tactic: Execution",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon"
-    ]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Tactic: Execution",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 57046058566..e93afa811f8 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +27,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index 4abc04cabd6..2c1f7f32972 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -38,7 +37,13 @@ Identifies process execution from suspicious default Windows directories. This i
 malware in trusted paths.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-windows.*",
+    "endgame-*",
+    "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Execution from an Unusual Directory"
@@ -108,7 +113,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index b22fb7fb37b..5f00f7e7fad 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/04/14"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies when Internet Information Services (IIS) HTTP Logging is disabled on
 access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-windows.*",
+    "endgame-*",
+    "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -63,7 +67,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index aa9e5675fa4..802025652d8 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +18,14 @@ name = "Process Injection by the Microsoft Build Engine"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Privilege Escalation",
+    "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -46,6 +51,7 @@ name = "MSBuild"
 reference = "https://attack.mitre.org/techniques/T1127/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index 87b368d79ba..eca5aea1970 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,14 +11,26 @@ Identifies InstallUtil.exe making outbound network connections. This may indicat
 often leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = [
+    "logs-endpoint.events.process-*",
+    "logs-endpoint.events.network-*",
+    "winlogbeat-*",
+    "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "InstallUtil Process Making Network Connections"
 risk_score = 47
 rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 81a5bced8a7..16de53c6416 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ A suspicious Endpoint Security parent process was detected. This may indicate a
 injection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-windows.*",
+    "endgame-*",
+    "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Endpoint Security Parent Process"
@@ -28,7 +32,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -58,7 +69,6 @@ process where host.os.type == "windows" and event.type == "start" and
                  "/enable"
                 )
               )
-
 '''
 
 
@@ -68,13 +78,13 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
 name = "Match Legitimate Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
index fcd53d91b5f..69125b3d1b2 100644
--- a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
+++ b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
@@ -2,9 +2,7 @@ creation_date = "2023/09/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -24,7 +22,15 @@ references = [ risk_score = 21 rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c" severity = "low" -tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Tactic: Execution"] +tags = [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Initial Access", + "Tactic: Execution", +] timestamp_override = "event.ingested" type = "eql" @@ -165,7 +171,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -177,11 +182,11 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -194,7 +199,6 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml index 160315743f2..cfb5fd3b6ee 100644 --- a/rules/windows/defense_evasion_masquerading_communication_apps.toml +++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/05/05" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,13 @@ name = "Potential Masquerading as Communication Apps" risk_score = 47 rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -94,7 +98,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -106,12 +109,11 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -119,6 +121,7 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index d8cb62d5f9d..5aab79fc4d6 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/09/01" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -112,7 +110,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 51d4f068c3e..53359cc1b12 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ usually host trusted third party programs. An adversary may leverage masqueradin detections allowlisting those folders. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Program Files Directory Masquerading" 
@@ -29,7 +33,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index 10825bd5f14..c4832f2ec1e 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -41,7 +39,12 @@ masquerading attempt to evade suspicious child process behavior detections. """ false_positives = ["Legit Application Crash with rare Werfault commandline value"] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Potential Windows Error Manager Masquerading" 
@@ -103,7 +106,15 @@ references = [ risk_score = 47 rule_id = "6ea41894-66c3-4df7-ad6b-2c5074eb3df8" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -121,13 +132,13 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 7a7fb3cdee1..013245ca23b 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] 
@@ -76,7 +74,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -115,15 +121,16 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index 23325449d83..a7c4a5a81e8 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -39,7 +38,12 @@ validation. Adversaries may use these binaries to 'live off the land' and execut application allowlists and signature validation. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Network Connection via Signed Binary" @@ -100,7 +104,15 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index cd33fc5a3b2..7575aea342c 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml +++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/01/12" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -83,7 +81,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index 526bde67fab..ac7a2d07470 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -38,7 +37,12 @@ Identifies MsBuild.exe making outbound network connections. This may indicate ad leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "MsBuild Making Network Connections" 
@@ -100,7 +104,15 @@ This rule looks for the `Msbuild.exe` utility execution, followed by a network c risk_score = 47 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml index 114d561f465..16ce875c645 100644 --- a/rules/windows/defense_evasion_mshta_beacon.toml +++ b/rules/windows/defense_evasion_mshta_beacon.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,14 +11,26 @@ Identifies Mshta.exe making outbound network connections. This may indicate adve leveraged by adversaries to execute malicious scripts and evade detection. """ from = "now-20m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Mshta Making Network Connections" risk_score = 47 rule_id = "c2d90150-0133-451c-a783-533e736c12d7" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index 0835894f98d..714b2841761 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml +++ b/rules/windows/defense_evasion_msxsl_network.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,12 @@ Identifies msxsl.exe making a network connection. This may indicate adversarial by adversaries to execute malicious scripts and evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Network Connection via MsXsl" @@ -21,7 +24,14 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index b7a6daca884..d04c84fd647 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -39,7 +37,12 @@ Identifies network activity from unexpected system applications. This may indica applications are often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Unusual Network Activity from a Windows System Binary" @@ -100,7 +103,15 @@ This rule identifies network connections established by trusted developer utilit risk_score = 47 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -166,6 +177,16 @@ sequence by process.entity_id with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
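Review bot: The relocated T1036 block in the `@@ -166,6 +177,16 @@` hunk leaves at least two empty lines between `reference = "https://attack.mitre.org/techniques/T1036/005/"` and the following `[[rule.threat.technique]]` / `id = "T1127"` (the two consecutive `+` blank lines), whereas the other hunks in this change separate consecutive techniques with a single empty line — see the T1036.001 → T1070 transition in defense_evasion_process_termination_followed_by_deletion.toml — and reserve the double gap for `[rule.threat.tactic]`. It looks like the trailing blank lines that used to precede `[rule.threat.tactic]` travelled with the block when it was moved to the front of the list. If the TOML writer emits exactly this, fine; otherwise drop one of the two `+` blank lines so the threat section reads like the rest of the batch. The `[[rule.threat]]` table continues into the next hunk, so the final layout before `[rule.threat.tactic]` is not fully visible here.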
@@ -180,15 +201,7 @@ id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml index 2314ec54c38..84aecaea7c3 100644 --- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml +++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,7 +19,14 @@ references = ["https://blog.didierstevens.com/2017/03/20/"] risk_score = 73 rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -84,8 +89,6 @@ reference = "https://attack.mitre.org/techniques/T1134/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml index 6dde3fa66a4..985ce93b11d 100644 
--- a/rules/windows/defense_evasion_posh_encryption.toml +++ b/rules/windows/defense_evasion_posh_encryption.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -51,7 +49,14 @@ PowerShell offers encryption and decryption functionalities that attackers can a risk_score = 47 rule_id = "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index 9ab8e5502fc..bac16ac4805 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/14" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -83,7 +81,15 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" @@ -122,7 +128,6 @@ reference = "https://attack.mitre.org/techniques/T1055/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index edafb0b5afb..abd9a87b464 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/15" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Austin Songer"] @@ -82,7 +80,7 @@ tags = [ "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -113,7 +111,6 @@ reference = "https://attack.mitre.org/techniques/T1562/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index 105d94c938b..5ed21ba1c98 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -95,7 +94,15 @@ This rule identifies an unsigned process termination event quickly followed by t risk_score = 47 rule_id = "09443c92-46b3-45a4-8f25-383b028b258d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -129,12 +136,12 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" 
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index e7df54ffaaf..debc6c67d72 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -2,9 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,7 +30,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml index f412479a242..f3e782745ed 100644 --- a/rules/windows/defense_evasion_root_dir_ads_creation.toml +++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml 
@@ -2,18 +2,21 @@ creation_date = "2024/03/14" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the -attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities. +Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to +hide tools and malware, as ADSs created in this directory are not displayed by system utilities. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Alternate Data Stream Creation/Execution at Volume Root Directory" @@ -21,7 +24,14 @@ references = ["https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomwa risk_score = 47 rule_id = "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index 3905a429f1e..05f50273453 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml 
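Review bot: Removing `min_stack_version = "8.3.0"` together with its `min_stack_comments` line leaves no record in the rule that it relies on the `required_fields`/`related_integrations`/`setup` metadata fields, so this is only safe if the lowest stack version the repository still locks is at or above 8.3.0 — presumably the case given the batch, but worth confirming before merge. Please also confirm that the matching entries in the version lock file had their `min_stack_version` trimmed in the same change; otherwise the lock and the rule metadata disagree and the packaging checks will diverge from what ships. The description re-wrap and the multi-line `index`/`tags` lists are cosmetic and do not alter which data streams the rule queries.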
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -102,7 +101,14 @@ RunDLL32 is a legitimate Windows utility used to load and execute functions with risk_score = 73 rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_sccm_scnotification_dll.toml b/rules/windows/defense_evasion_sccm_scnotification_dll.toml index faa114dbc04..8abfbc3726a 100644 --- a/rules/windows/defense_evasion_sccm_scnotification_dll.toml +++ b/rules/windows/defense_evasion_sccm_scnotification_dll.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/17" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/17" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,12 +17,18 @@ license = "Elastic License v2" name = "Potential Windows Session Hijacking via CcmExec" references = [ "https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec", - "https://mayfly277.github.io/posts/SCCM-LAB-part0x3/#impersonate-users---revshell-connected-users" + "https://mayfly277.github.io/posts/SCCM-LAB-part0x3/#impersonate-users---revshell-connected-users", ] risk_score = 47 rule_id = "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index 0c7d058f10c..505aec53d6f 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -30,7 +28,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -60,21 +67,19 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index 256dea76fc5..de71484089e 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -52,7 +50,17 @@ This rule identifies file name patterns generated by the use of SDelete utility risk_score = 21 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Impact", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -78,8 +86,6 @@ reference = "https://attack.mitre.org/techniques/T1070/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml index bb329324f80..95c8ab2462c 100644 --- a/rules/windows/defense_evasion_sip_provider_mod.toml +++ b/rules/windows/defense_evasion_sip_provider_mod.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -22,7 +20,15 @@ references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"] risk_score = 47 rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index bc4bbd38fe9..cf10b147d41 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -31,7 +29,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -54,6 +61,11 @@ registry where host.os.type == "windows" and registry.path : ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -64,10 +76,6 @@ name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index fc5d2252dc3..6b2f2843b37 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic", "Austin Songer"] description = """ @@ -39,7 +38,13 @@ Certificate Services. CertUtil is often abused by attackers to live off the land data exfiltration. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Suspicious CertUtil Commands" @@ -102,7 +107,15 @@ references = [ risk_score = 47 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index 2408f6bf60e..835c75dc5c7 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,7 +30,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -78,7 +84,6 @@ framework = "MITRE ATT&CK" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index 20706f7bbdb..3ed7d721f6a 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -17,11 +15,20 @@ index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_ope language = "eql" license = "Elastic License v2" name = "Suspicious Managed Code Hosting Process" -references = ["http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"] +references = [ + "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", +] risk_score = 73 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index c10a9e070ad..d38e017d6b5 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/11" integration = ["windows"] maturity = "production" -min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." -min_stack_version = "8.8.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -113,7 +111,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -153,10 +159,8 @@ reference = "https://attack.mitre.org/techniques/T1055/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1106" name = "Native API" diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml index b2a16453572..d4c4fb10d89 100644 --- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml +++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/24" integration = ["windows"] maturity = "production" -min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." -min_stack_version = "8.8.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -48,7 +46,14 @@ Attackers may inject code into child processes' memory to hide their actual acti risk_score = 47 rule_id = "3ed032b2-45d8-4406-bc79-7ad1eabb2c72" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index d852a474260..1011838ee92 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,14 @@ name = "Suspicious Script Object Execution" risk_score = 47 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" 
@@ -57,13 +62,13 @@ framework = "MITRE ATT&CK" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" reference = "https://attack.mitre.org/techniques/T1218/010/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml index ecb73959414..75210439c1c 100644 --- a/rules/windows/defense_evasion_suspicious_short_program_name.toml +++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,10 +29,13 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ -Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name. +Identifies the execution of a process with a single character process name, differing from the original file name. This +is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based +on the process name. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] 
@@ -92,7 +93,16 @@ Identifies the execution of a process with a single character process name, diff risk_score = 47 rule_id = "17c7f6a5-5bc9-4e1f-92bf-13632d24384d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 789fd513212..b10b9798946 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,14 +11,27 @@ Identifies WMIC allowlist bypass techniques by alerting on suspicious execution libraries it may be indicative of an allowlist bypass. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.library-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Suspicious WMIC XSL Script Execution" risk_score = 47 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -46,15 +57,14 @@ reference = "https://attack.mitre.org/techniques/T1220/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 21c674aa7cb..a3a278e0986 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -113,7 +111,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -145,7 +143,6 @@ reference = "https://attack.mitre.org/techniques/T1211/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_timestomp_sysmon.toml b/rules/windows/defense_evasion_timestomp_sysmon.toml index 002dc84526e..827fb4c7a89 100644 --- a/rules/windows/defense_evasion_timestomp_sysmon.toml +++ b/rules/windows/defense_evasion_timestomp_sysmon.toml @@ -2,16 +2,14 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies modification of a file creation time. Adversaries may modify file time attributes to blend -malicious content with existing files. Timestomping is a technique that modifies the timestamps of -a file often to mimic files that are in trusted directories. +Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content +with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in +trusted directories. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"] 
@@ -26,7 +24,7 @@ tags = [ "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -68,7 +66,9 @@ name = "Timestomp" reference = "https://attack.mitre.org/techniques/T1070/006/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml index f1a0df195b8..052d4bb6f3d 100644 --- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml +++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml @@ -1,17 +1,15 @@ [metadata] creation_date = "2022/11/22" -maturity = "production" integration = ["endpoint"] -min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." -min_stack_version = "8.4.0" -updated_date = "2024/03/28" +maturity = "production" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted -program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading -a malicious DLL within the memory space of a signed processes. +program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a +malicious DLL within the memory space of a signed processes. """ from = "now-9m" index = ["logs-endpoint.events.library-*"] 
@@ -29,7 +27,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -126,12 +130,12 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml index 3e5574298ae..dcf13aab539 100644 --- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml +++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml 
@@ -2,27 +2,31 @@ creation_date = "2023/01/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/15" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ + [rule] author = ["Elastic"] description = """ -Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. +Identifies attempt to load an untrusted driver. 
Adversaries may modify code signing policies to enable execution of +unsigned or self-signed code. """ from = "now-9m" index = ["logs-endpoint.events.library-*"] @@ -89,13 +93,20 @@ This rule identifies an attempt to load an untrusted driver, which effectively m - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://github.com/hfiref0x/TDL", - "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" + "https://github.com/hfiref0x/TDL", + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN", ] risk_score = 73 rule_id = "d8ab1ec1-feeb-48b9-89e7-c12e189448aa" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -112,12 +123,13 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index 5a30ad13457..8379392aba0 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -110,7 +108,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 2919e8d50aa..5e0ec96e22a 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -28,7 +26,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index c5d82124da8..18f0e76af9e 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -2,9 +2,7 @@
creation_date = "2021/05/28"
integration = ["endpoint", "windows"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -13,7 +11,12 @@ Identifies unusual instances of dllhost.exe making outbound network connections.
and Control activity.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
language = "eql"
license = "Elastic License v2"
name = "Unusual Network Connection via DllHost"
@@ -25,7 +28,14 @@ references = [
risk_score = 47
rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a"
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
type = "eql"
query = '''
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index 17ce9288d3e..90e8da27038 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -2,9 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -13,7 +11,12 @@ Identifies unusual instances of rundll32.exe making outbound network connections
and Control activity.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
language = "eql"
license = "Elastic License v2"
name = "Unusual Network Connection via RunDLL32"
@@ -56,7 +59,16 @@ references = [
risk_score = 47
rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
type = "eql"
query = '''
@@ -105,3 +117,4 @@ reference = "https://attack.mitre.org/techniques/T1071/001/"
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index dfa44ae72ec..42fa32b52d9 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -2,9 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -13,7 +11,12 @@ Identifies network activity from unexpected system applications. This may indica
applications are often leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
language = "eql"
license = "Elastic License v2"
name = "Unusual Process Network Connection"
@@ -47,7 +50,15 @@ This rule identifies network activity from unexpected system utilities and appli
risk_score = 21
rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"
severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
type = "eql"
query = '''
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index f1d993e1d78..3a55105d462 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -2,15 +2,19 @@
creation_date = "2020/08/19"
integration = ["endpoint", "windows"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
language = "eql"
license = "Elastic License v2"
name = "Unusual Child Process from a System Virtual Process"
@@ -25,7 +29,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 48df9e96121..4369e04cdf3 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -2,9 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
[transform]
[[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
+
[rule]
author = ["Elastic"]
description = """
@@ -38,7 +37,13 @@ The Filter Manager Control Program (fltMC.exe) binary may be abused by adversari
defenses.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
language = "eql"
license = "Elastic License v2"
name = "Potential Evasion via Filter Manager"
@@ -97,7 +102,15 @@ This rule identifies the attempt to unload a minifilter using the `fltmc.exe` co
risk_score = 47
rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a"
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml
index b342d8df3a5..4c31c6f205c 100644
--- a/rules/windows/defense_evasion_windows_filtering_platform.toml
+++ b/rules/windows/defense_evasion_windows_filtering_platform.toml
@@ -2,16 +2,13 @@
creation_date = "2023/12/15"
integration = ["system", "windows"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
-Identifies multiple Windows Filtering Platform block events and where the process name is related to
-an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security
-from sending telemetry.
+Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint
+security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.network-*", "logs-system.security-*"]
@@ -19,11 +16,11 @@ language = "eql"
license = "Elastic License v2"
name = "Potential Evasion via Windows Filtering Platform"
references = [
- "https://github.com/dsnezhkov/shutter/tree/main",
- "https://github.com/netero1010/EDRSilencer/tree/main",
- "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152"
+ "https://github.com/dsnezhkov/shutter/tree/main",
+ "https://github.com/netero1010/EDRSilencer/tree/main",
+ "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152",
]
risk_score = 47
rule_id = "92d3a04e-6487-4b62-892d-70e640a590dc"
@@ -49,7 +46,7 @@ tags = [
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
]
type = "eql"
@@ -116,3 +113,4 @@ reference = "https://attack.mitre.org/techniques/T1562/004/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index d7151581b3f..a301336e895 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -2,9 +2,7 @@
creation_date = "2022/03/02"
integration = ["windows", "system"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/01/16"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index 56e4efaeea7..65ad3cc71f3 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -2,30 +2,42 @@
creation_date = "2023/01/13"
integration = ["endpoint", "windows", "system"]
maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
-Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable
-and use WSL for Linux to avoid detection.
+Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to
+avoid detection.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Windows Subsystem for Linux"
references = [
"https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1",
]
risk_score = 21
rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "eql"
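Review bot: The rewrapped description line still carries the doubled article from the old text — `+Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to` — so the user-facing rule description stays wrong after this rewrite. Since the line is being touched anyway, drop the extra word: `Detects Linux Bash commands from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to`. The wrap point shifts by a few characters, which is harmless inside a TOML multi-line string. The `[rule]` table this hunk edits continues past the end of the hunk.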
@@ -57,24 +69,26 @@ id = "T1202"
name = "Indirect Command Execution"
reference = "https://attack.mitre.org/techniques/T1202/"
+
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
-
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
- [[rule.threat.technique.subtechnique]]
- id = "T1059.004"
- name = "Unix Shell"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index add8d5f5179..05204c9c8a0 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -2,18 +2,22 @@
creation_date = "2023/01/12"
integration = ["endpoint", "windows", "system"]
maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
-Detects attempts to execute a program on the host from the Windows Subsystem for Linux.
-Adversaries may enable and use WSL for Linux to avoid detection.
+Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use
+WSL for Linux to avoid detection.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
language = "eql"
license = "Elastic License v2"
name = "Execution via Windows Subsystem for Linux"
@@ -21,7 +25,14 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
risk_score = 47
rule_id = "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd"
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "eql"
@@ -52,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1202/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
index a1b8f65debe..420fb3249fd 100644
--- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -2,18 +2,22 @@
creation_date = "2023/01/13"
integration = ["endpoint", "windows", "system"]
maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
-Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable
-and use WSL for Linux to avoid detection.
+Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use
+WSL for Linux to avoid detection.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
language = "eql"
license = "Elastic License v2"
name = "Windows Subsystem for Linux Enabled via Dism Utility"
@@ -57,7 +61,14 @@ references = ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux
risk_score = 47
rule_id = "e2e0537d-7d8f-4910-a11d-559bcf61295a"
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "eql"
@@ -75,7 +86,9 @@ id = "T1202"
name = "Indirect Command Execution"
reference = "https://attack.mitre.org/techniques/T1202/"
+
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml
index 013c926ff62..afcf4dfd1c6 100644
--- a/rules/windows/defense_evasion_wsl_filesystem.toml
+++ b/rules/windows/defense_evasion_wsl_filesystem.toml
@@ -2,18 +2,21 @@
creation_date = "2023/01/12"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2024/04/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
-Detects files creation and modification on the host system from the the Windows Subsystem for Linux.
-Adversaries may enable and use WSL for Linux to avoid detection.
+Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may
+enable and use WSL for Linux to avoid detection.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+]
language = "eql"
license = "Elastic License v2"
name = "Host Files System Changes via Windows Subsystem for Linux"
@@ -21,7 +24,15 @@ references = ["https://github.com/microsoft/WSL"]
risk_score = 47
rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b"
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
timestamp_override = "event.ingested"
type = "eql"
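Review bot: The rewrapped first description line keeps two wording slips from the old text, `files creation` and the doubled article in `from the the Windows Subsystem for Linux`, so the Kibana-facing description is still wrong after this rewrite. Since the line is being rewritten anyway, I would make it `Detects file creation and modification on the host system from the Windows Subsystem for Linux. Adversaries may` and rewrap the following line to match. Separately, the reformatted `+tags` block keeps `"Data Source: Elastic Endgame"` while the reformatted `+index` list has no `endgame-*` pattern; that mismatch looks pre-existing rather than introduced here, but it is worth confirming which of the two is stale. The `[rule]` table this hunk edits continues past the end of the hunk.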
@@ -47,3 +58,4 @@ reference = "https://attack.mitre.org/techniques/T1202/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml
index cc0e4849bf0..7a9d1eb04b8 100644
--- a/rules/windows/defense_evasion_wsl_kalilinux.toml
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml
@@ -2,18 +2,22 @@
creation_date = "2023/01/12"
integration = ["endpoint", "windows", "system"]
maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
-Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may
-enable and use WSL for Linux to avoid detection.
+Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for
+Linux to avoid detection.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Install Kali Linux via WSL"
@@ -21,7 +25,14 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
risk_score = 73
rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e"
severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "eql"
@@ -49,3 +60,4 @@ reference = "https://attack.mitre.org/techniques/T1202/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml
index fe267a4a6fe..0908de4d327 100644
--- a/rules/windows/defense_evasion_wsl_registry_modification.toml
+++ b/rules/windows/defense_evasion_wsl_registry_modification.toml
@@ -2,15 +2,13 @@
creation_date = "2023/01/12"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
-Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux
-distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.
+Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name.
+Adversaries may enable and use WSL for Linux to avoid detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
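Review bot: The rewrapped description line keeps a subject–verb disagreement from the old text: in `+Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name.` the relative clause refers to `changes`, so it should read `that indicate`. Since the line is being rewritten anyway, I would make it `Detects changes to the registry that indicate the install of a new Windows Subsystem for Linux distribution by name.`. This is wording only; the rule's `index` and query are untouched by the hunk, and the `[rule]` table continues past its end.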
@@ -58,7 +56,15 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
risk_score = 47
rule_id = "a1699af0-8e1e-4ed0-8ec1-89783538a061"
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
timeline_title = "Comprehensive Registry Timeline"
timestamp_override = "event.ingested"
@@ -89,3 +95,4 @@ reference = "https://attack.mitre.org/techniques/T1202/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml
index 18fbaab7b8b..e43e63aa66c 100644
--- a/rules/windows/discovery_active_directory_webservice.toml
+++ b/rules/windows/discovery_active_directory_webservice.toml
@@ -2,15 +2,13 @@
creation_date = "2024/01/31"
integration = ["endpoint"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
-Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port.
-Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
+Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP
+port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"]
@@ -21,7 +19,13 @@ references = ["https://github.com/FalconForceTeam/SOAPHound"]
risk_score = 47
rule_id = "9c951837-7d13-4b0c-be7a-f346623c8795"
severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "eql"
@@ -41,15 +45,17 @@ sequence by process.entity_id with maxspan=3m
network.direction == "egress" and network.transport == "tcp" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
'''
+
[[rule.threat]]
framework = "MITRE ATT&CK"
-
[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
reference = "https://attack.mitre.org/techniques/T1018/"
+
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index ed54cb9a061..0d0a328cdd3 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -2,9 +2,7 @@
creation_date = "2020/10/19"
integration = ["endpoint", "windows", "system"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -14,7 +12,13 @@ leveraged by threat actors to perform post-exploitation Active Directory reconna
observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
"""
from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
language = "eql"
license = "Elastic License v2"
name = "AdFind Command Activity"
@@ -72,7 +76,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
timestamp_override = "event.ingested"
type = "eql"
@@ -91,6 +103,11 @@ process where host.os.type == "windows" and event.type == "start" and
[[rule.threat]]
framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
@@ -121,10 +138,6 @@ id = "T1482"
name = "Domain Trust Discovery"
reference = "https://attack.mitre.org/techniques/T1482/"
-[[rule.threat.technique]]
-id = "T1016"
-name = "System Network Configuration Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/"
[rule.threat.tactic]
id = "TA0007"
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index f43b5d0cadb..601a38f93b8 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -2,9 +2,7 @@
creation_date = "2020/12/04"
integration = ["endpoint", "windows", "system"]
maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies instances of lower privilege accounts enumerating Administrator accou
tools.
"""
from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
language = "eql"
license = "Elastic License v2"
name = "Enumeration of Administrator Accounts"
@@ -60,14 +64,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -90,14 +95,13 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -108,11 +112,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" - [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -123,7 +127,10 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml index 373ff4fb17b..24ebab8393c 100644 --- a/rules/windows/discovery_command_system_account.toml +++ b/rules/windows/discovery_command_system_account.toml 
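Review bot: The re-serialized threat section in discovery_admin_recon.toml gets two consecutive blank lines before `[rule.threat.tactic]` (the `+` `+` after the T1087.002 reference) plus an added blank line at end of file, while the single blank lines that used to separate `[[rule.threat.technique]]` from its `[[rule.threat.technique.subtechnique]]` entries are removed. The same spacing shows up in discovery_enumerating_domain_trusts_via_dsquery.toml and discovery_enumerating_domain_trusts_via_nltest.toml, and in discovery_command_system_account.toml and execution_command_shell_via_rundll32.toml the blank lines between consecutive `[[rule.threat]]` tables are dropped entirely, so adjacent threat entries run together. These files appear to be re-saved by the rule tooling rather than edited by hand, so the fix presumably belongs in the TOML writer's spacing (one blank line between tables, no trailing blank lines) rather than in the individual rule files; until that is settled, every future re-save will churn these lines again.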
@@ -2,9 +2,7 @@
 creation_date = "2020/03/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -57,7 +55,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -86,7 +93,6 @@ reference = "https://attack.mitre.org/techniques/T1033/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index 65c9545d489..27c8db8112e 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/27"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +15,13 @@ false_positives = [ "Domain administrators may use this command-line utility for legitimate information gathering purposes.", ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Enumerating Domain Trusts via DSQUERY.EXE" @@ -59,7 +63,15 @@ references = [ risk_score = 21 rule_id = "06a7a03c-c735-47a6-a313-51c354aef6c3" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -73,14 +85,16 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1482" -name = "Domain Trust Discovery" -reference = "https://attack.mitre.org/techniques/T1482/" -[[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml index 34783cece38..2417a773ee9 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml 
@@ -2,9 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,13 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Enumerating Domain Trusts via NLTEST.EXE" @@ -62,14 +66,15 @@ references = [ risk_score = 21 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -84,20 +89,22 @@ not process.parent.name : "PDQInventoryScanner.exe" and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" [[rule.threat.technique]] id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" -[[rule.threat.technique]] -id = "T1018" -name = "Remote System Discovery" -reference = "https://attack.mitre.org/techniques/T1018/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml
index 7baf49bd178..e67adb37675 100644
--- a/rules/windows/discovery_group_policy_object_discovery.toml
+++ b/rules/windows/discovery_group_policy_object_discovery.toml
@@ -2,20 +2,23 @@
 creation_date = "2023/01/18"
 integration = ["windows", "endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
-
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy
-objects during the reconnaissance phase after compromising a system to gain a better understanding
-of the active directory environment and possible methods to escalate privileges or move laterally.
+Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the
+reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and
+possible methods to escalate privileges or move laterally.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Group Policy Discovery via Microsoft GPResult Utility"
@@ -55,7 +58,14 @@ The detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is de risk_score = 21 rule_id = "94a401ba-4fa2-455c-b7ae-b6e037afc0b7" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -64,6 +74,7 @@ process where host.os.type == "windows" and event.type == "start" and (process.name: "gpresult.exe" or ?process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -71,7 +82,9 @@ id = "T1615" name = "Group Policy Discovery" reference = "https://attack.mitre.org/techniques/T1615/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml index 85a3f52557d..e8bd71550b4 100644 --- a/rules/windows/discovery_high_number_ad_properties.toml +++ b/rules/windows/discovery_high_number_ad_properties.toml @@ -2,9 +2,7 @@ creation_date = "2023/01/29" integration = ["windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,8 +17,7 @@ license = "Elastic License v2" name = "Suspicious Access to LDAP Attributes" risk_score = 73 rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e" -setup = """ -The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). +setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: Computer Configuration > diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml index 4bd545398e6..03a18f7de1e 100644 --- a/rules/windows/discovery_peripheral_device.toml +++ b/rules/windows/discovery_peripheral_device.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of the Windows file system utility (fsutil.exe) to gather informa and components connected to a computer system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Peripheral Device Discovery" 
@@ -57,7 +61,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index 3c2b0f7cfff..717838974c3 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +75,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Tactic: Collection",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: PowerShell Logs",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -132,15 +139,14 @@ reference = "https://attack.mitre.org/techniques/T1106/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" + [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml index f6108af2a7c..6c49a43316c 100644 --- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml +++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2023/09/22" maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/09/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,14 +17,16 @@ name = "Unusual Discovery Signal Alert with Unusual Process Command Line" risk_score = 21 rule_id = "29ef5686-9b93-433e-91b5-683911094698" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: Higher-Order Rule" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: Higher-Order Rule", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or @@ -36,6 +36,7 @@ host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" 
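Review bot: In discovery_signal_unusual_discovery_signal_proc_cmdline.toml the `min_stack_version = "8.6.0"` line is dropped together with the comment that recorded why it was there ("Multiple field support in the New Terms rule type was added in Elastic 8.6"), and the `[rule.new_terms]` block in a later hunk of the same file still lists three `new_terms_fields`. That removal is only sound if no supported stack branch below 8.6 remains, which is presumably the premise of this version-lock trim, but the rule file itself no longer records the dependency and nothing in the hunk states the new floor. The same applies to discovery_signal_unusual_discovery_signal_proc_executable.toml and execution_command_shell_started_by_svchost.toml further down, whose removed comments say the same thing. Stating the new minimum stack version in the commit description would make the intent of these three removals checkable without reading the lock file.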
@@ -47,7 +48,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.command_line"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml index 6da4d484d64..b39b57e1999 100644 --- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml +++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml @@ -1,9 +1,7 @@ [metadata] creation_date = "2023/09/22" maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/11/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,18 +17,21 @@ name = "Unusual Discovery Signal Alert with Unusual Process Executable" risk_score = 21 rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: Higher-Order Rule" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: Higher-Order Rule", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511" ''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -42,7 +43,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + 
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 5d6fe0c1f04..0df4a75f2b6 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +64,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 8dd36feec9d..0d47ba3a78e 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ false_positives = [ "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.", ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Command Execution via SolarWinds Process" @@ -32,7 +36,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -55,7 +67,6 @@ framework = "MITRE ATT&CK" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -67,6 +78,7 @@ name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml index ac3ce9329b7..aa545969430 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +30,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 83546affc14..44443946e3c 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ programming interface (API) that enables interaction between software objects or
 run a COM object created in registry to evade defensive counter measures.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution of COM object via Xwizard"
@@ -33,7 +37,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index 0d8848c106c..29d7056f17a 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -44,7 +43,12 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Command Prompt Network Connection" @@ -106,7 +110,15 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index ae32c9edd78..61d4d05768c 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index 37d892108b8..283ae13e81c 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +24,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Credential Access",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -50,6 +58,7 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
@@ -73,8 +82,6 @@ reference = "https://attack.mitre.org/techniques/T1552/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
index 704e5d260af..1fe398d770d 100644
--- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
+++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/25"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +18,14 @@ name = "Delayed Execution via Ping"
 risk_score = 21
 rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 
 query = '''
@@ -62,88 +67,86 @@ sequence by process.parent.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -name = "Command and Scripting Interpreter" id = "T1059" +name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] - name = "Visual Basic" - id = "T1059.005" - reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" - [[rule.threat.technique.subtechnique]] - name = "PowerShell" - id = "T1059.001" - reference = "https://attack.mitre.org/techniques/T1059/001/" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -id = "T1497" -name = "Virtualization/Sandbox Evasion" -reference = "https://attack.mitre.org/techniques/T1497/" - - [[rule.threat.technique.subtechnique]] - name = "Time Based Evasion" - id = "T1497.003" - reference = "https://attack.mitre.org/techniques/T1497/003/" +id = "T1216" +name = "System Script Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1216/" [[rule.threat.technique]] -name = "System Binary Proxy Execution" id = "T1218" +name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" - [[rule.threat.technique.subtechnique]] - name = "CMSTP" - id = "T1218.003" - reference = 
"https://attack.mitre.org/techniques/T1218/003/" +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" - [[rule.threat.technique.subtechnique]] - name = "InstallUtil" - id = "T1218.004" - reference = "https://attack.mitre.org/techniques/T1218/004/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" - [[rule.threat.technique.subtechnique]] - name = "Mshta" - id = "T1218.005" - reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" - [[rule.threat.technique.subtechnique]] - name = "Regsvcs/Regasm" - id = "T1218.009" - reference = "https://attack.mitre.org/techniques/T1218/009/" +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" - [[rule.threat.technique.subtechnique]] - name = "Regsvr32" - id = "T1218.010" - reference = "https://attack.mitre.org/techniques/T1218/010/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" - [[rule.threat.technique.subtechnique]] - name = "Rundll32" - id = "T1218.011" - reference = "https://attack.mitre.org/techniques/T1218/011/" - [[rule.threat.technique]] - name = "System Script Proxy Execution" - id = "T1216" - reference = "https://attack.mitre.org/techniques/T1216/" +[[rule.threat.technique]] +id = "T1220" +name = "XSL Script Processing" +reference = "https://attack.mitre.org/techniques/T1220/" + +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" +[[rule.threat.technique.subtechnique]] +id = "T1497.003" +name = "Time Based Evasion" +reference = 
"https://attack.mitre.org/techniques/T1497/003/" - [[rule.threat.technique]] - name = "XSL Script Processing" - id = "T1220" - reference = "https://attack.mitre.org/techniques/T1220/" [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml index 1f765f65ca0..4475a3d53a0 100644 --- a/rules/windows/execution_downloaded_shortcut_files.toml +++ b/rules/windows/execution_downloaded_shortcut_files.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,13 @@ name = "Downloaded Shortcut Files" risk_score = 21 rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml index a5a22b38ac1..14bb98b6e9f 100644 --- a/rules/windows/execution_downloaded_url_file.toml +++ b/rules/windows/execution_downloaded_url_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -20,7 +18,14 @@ name = "Downloaded URL Files" risk_score = 21 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index 9fbea06f8f3..59c46879a1f 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies native Windows host and network enumeration commands spawned by the W Provider Service (WMIPrvSE). """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Enumeration Command Spawned via WMIPrvSE" 
@@ -28,13 +32,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -73,27 +78,41 @@ process where host.os.type == "windows" and event.type == "start" and process.co not process.args : "tenable_mw_scan" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" 
@@ -104,22 +123,9 @@ id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" - -[[rule.threat.technique.subtechnique]] -id = "T1016.001" -name = "Internet Connection Discovery" -reference = "https://attack.mitre.org/techniques/T1016/001/" - -[[rule.threat.technique]] -id = "T1057" -name = "Process Discovery" -reference = "https://attack.mitre.org/techniques/T1057/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index 00c4337057f..ad08c31dc11 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -39,7 +37,13 @@ Identifies process execution from suspicious default Windows directories. This m malware in trusted paths. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Execution from Unusual Directory - Command Line" 
@@ -113,7 +117,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml index 569d4f4e19d..ee8d103a56a 100644 --- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -39,7 +38,12 @@ malicious code in a CHM file and deliver it to a victim for execution. CHM conte program (hh.exe). """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Network Connection via Compiled HTML File" 
@@ -108,7 +112,15 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml index 6ca1ac04c15..8fe4c6a5b05 100644 --- a/rules/windows/execution_initial_access_via_msc_file.toml +++ b/rules/windows/execution_initial_access_via_msc_file.toml @@ -2,15 +2,13 @@ creation_date = "2024/05/12" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/12" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command -in an MSC file in order to trick victims into executing malicious commands. +Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious +command in an MSC file in order to trick victims into executing malicious commands. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] 
@@ -45,7 +43,17 @@ references = ["https://www.genians.co.kr/blog/threat_intelligence/facebook"] risk_score = 73 rule_id = "e760c72b-bb1f-44f0-9f0d-37d51744ee75" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml index d29168632ce..ec3ebfe1bb9 100644 --- a/rules/windows/execution_mofcomp.toml +++ b/rules/windows/execution_mofcomp.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,7 +19,13 @@ name = "Mofcomp Activity" risk_score = 21 rule_id = "210d4430-b371-470e-b879-80b7182aa75e" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -40,19 +44,19 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -70,3 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1546/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index 25359d1de52..d441f9758a3 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -68,14 +66,15 @@ This rule searches for executable files written by MS Office applications execut risk_score = 73 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5" severity = "high" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -95,6 +94,7 @@ sequence with maxspan=2h ] by host.id, process.executable ''' + [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -102,15 +102,12 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -121,7 +118,10 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml index bb2bbb41f2e..55edc986b8f 100644 --- a/rules/windows/execution_pdf_written_file.toml +++ b/rules/windows/execution_pdf_written_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies a suspicious file that was written by a PDF reader application and su often launched via exploitation of PDF applications. """ from = "now-120m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.file-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*", +] interval = "60m" language = "eql" license = "Elastic License v2" 
@@ -68,7 +72,16 @@ This rule searches for executable files written by PDF reader software and execu risk_score = 73 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/execution_posh_hacktool_authors.toml b/rules/windows/execution_posh_hacktool_authors.toml index dc920086f2e..96685e222ce 100644 --- a/rules/windows/execution_posh_hacktool_authors.toml +++ b/rules/windows/execution_posh_hacktool_authors.toml @@ -2,9 +2,7 @@ creation_date = "2024/05/08" integration = ["windows"] maturity = "production" -updated_date = "2024/05/08" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,6 +16,11 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "Potential PowerShell HackTool Script by Author" +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", +] +risk_score = 73 +rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0" setup = """## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. 
@@ -36,13 +39,14 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", -] -risk_score = 73 -rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 45f71e9083c..579739d5989 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -125,7 +123,15 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" 
@@ -154,7 +160,6 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index b8850975dff..4384952dbf1 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,7 +17,12 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "PsExec Network Connection" @@ -58,7 +61,16 @@ This rule identifies PsExec execution by looking for the creation of `PsExec.exe risk_score = 21 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' 
@@ -97,22 +109,22 @@ name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" reference = "https://attack.mitre.org/techniques/T1570/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index da54d2e10f7..dc36a88a291 100644 --- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -44,7 +43,12 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Network Connection via Registration Utility" 
@@ -105,7 +109,16 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -139,7 +152,6 @@ framework = "MITRE ATT&CK" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.009" name = "Regsvcs/Regasm" diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index e7a2ccfbb3a..afa9ece3f6d 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -14,7 +12,12 @@ within a short time period. This may indicate lateral movement or remote discove """ false_positives = ["Legitimate scheduled tasks may be created during installation of new software."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.library-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Outbound Scheduled Task Activity via PowerShell" @@ -25,13 +28,13 @@ risk_score = 47 rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded" severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon" - ] + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' 
@@ -41,30 +44,32 @@ sequence by host.id, process.entity_id with maxspan = 5s [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index b43dece2763..b5b97384fe5 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -34,7 +32,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 33c1f03098c..b2aa9aee9b3 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies suspicious command execution (cmd) via Windows Management Instrumenta be indicative of adversary lateral movement. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Cmd Execution via WMI" 
@@ -28,7 +32,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -46,17 +57,17 @@ id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index e29aa19bf9c..9a1dba523ce 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -32,7 +30,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index d77be8a3be5..253e8841bd2 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies suspicious child processes of PDF reader applications. These child pr exploitation of PDF applications or social engineering. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Suspicious PDF Reader Child Process" 
@@ -76,7 +80,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -109,7 +122,6 @@ reference = "https://attack.mitre.org/techniques/T1203/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -121,6 +133,8 @@ id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index 223ec981bce..04bf6f51e73 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -63,13 +61,14 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly risk_score = 47 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3" severity = "medium" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -93,19 +92,20 @@ host.os.type:windows and event.category:library and ) and not process.executable.caseless : "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -114,7 +114,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 61e6eab2b8a..8a48048d3bc 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
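Review bot: The `[rule.new_terms]` hunk keeps `value = ["host.id", "process.executable", "user.id"]`, a three-field New Terms rule, while the earlier hunk for this file drops `min_stack_version = "8.6.0"` together with the `min_stack_comments` that recorded multi-field New Terms as an 8.6 feature; every other file in this diff only loses an 8.3 floor. If the repository's minimum supported stack is now at or above 8.6 this is harmless, but the file no longer states the dependency, and a consumer loading the rule into an older stack would presumably see a rejection with no hint why. If the TOML writer preserves comments, a one-liner above the table such as `# three new_terms fields: needs stack >= 8.6` keeps the rationale; otherwise the PR description should carry it. As a minor style point, the trailing `+ +` appears to add two blank lines at end of file, where the other files in this diff add one.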
@@ -59,16 +57,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -77,24 +76,24 @@ process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" - [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 22b16f8f18a..0d012b1de00 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml 
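Review bot: In the `@@ -77,24 +76,24 @@` hunk the blank line after the first threat's `reference = "https://attack.mitre.org/tactics/TA0002/"` is removed right before the second `[[rule.threat]]`, while two blank lines are inserted before `[rule.threat.tactic]`, so the boundary between two threat entries is now less visible than the technique-to-tactic boundary inside one entry. The same pattern appears in several other files in this diff, so it looks like serializer output rather than hand editing; if so, the separator choice belongs in the serializer, otherwise keep one blank line before each `[[rule.threat]]`. The second threat entry's technique and tactic continue outside the hunk.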
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -47,7 +45,13 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Process Activity via Compiled HTML File" @@ -119,7 +123,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 16e42c765ba..7398ebd3c6e 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -79,7 +77,18 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -107,7 +116,6 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -120,7 +128,6 @@ reference = "https://attack.mitre.org/techniques/T1036/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 019b7b033a5..4a6fd86e8a4 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml 
@@ -2,15 +2,13 @@ creation_date = "2023/12/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" - +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection. +This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials +via rogue UNC path injection. """ from = "now-9m" index = ["logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"] @@ -21,7 +19,15 @@ references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netn risk_score = 47 rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "new_terms" @@ -64,7 +70,6 @@ event.category:network and host.os.type:windows and process.pid:4 and ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -78,12 +83,11 @@ id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - - - [rule.new_terms] field = "new_terms_fields" value = ["destination.ip"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index ac8c3262b61..5d756dbbc95 100644 
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/01"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -71,7 +69,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -109,15 +115,16 @@ file where host.os.type == "windows" and event.type == "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
 [rule.threat.tactic]
 id = "TA0040"
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index afcc562e974..e588e0625d6 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and o system recovery. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Deleting Backup Catalogs with Wbadmin" @@ -67,7 +71,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -80,16 +92,16 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" - [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + [rule.threat.tactic] id = "TA0040" diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml index dc9b0e14398..f03d9bf2aff 100644 --- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml +++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml @@ -2,9 +2,7 @@ creation_date = "2024/05/03" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/03" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -57,9 +55,16 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa risk_score = 73 rule_id = "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] -type = "threshold" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and 
@@ -74,11 +79,11 @@ id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -90,6 +95,8 @@ id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml index cd48ff5c495..a9398ce6b82 100644 --- a/rules/windows/impact_modification_of_boot_config.toml +++ b/rules/windows/impact_modification_of_boot_config.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/16" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of bcdedit.exe to delete boot configuration data. This tactic is attacker as a destructive technique. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Modification of Boot Configuration" 
@@ -67,7 +71,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml index 6b9573fa29c..40e79f39b18 100644 --- a/rules/windows/impact_ransomware_file_rename_smb.toml +++ b/rules/windows/impact_ransomware_file_rename_smb.toml @@ -2,15 +2,13 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware -attack via the SMB protocol. +Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote +ransomware attack via the SMB protocol. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -57,7 +55,14 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa risk_score = 73 rule_id = "78e9b5d5-7c07-40a7-a591-3dbbf464c386" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -76,22 +81,21 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" - [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -104,7 +108,9 @@ name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml index 2427e4a923d..275961dcef7 100644 --- a/rules/windows/impact_ransomware_note_file_over_smb.toml +++ b/rules/windows/impact_ransomware_note_file_over_smb.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/02" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -57,7 +55,14 @@ note = """## Triage and analysis risk_score = 73 rule_id = "02bab13d-fb14-4d7c-b6fe-4a28874d37c5" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -75,22 +80,21 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1490" -name = "Inhibit System Recovery" -reference = "https://attack.mitre.org/techniques/T1490/" - [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -108,3 +112,4 @@ reference = "https://attack.mitre.org/techniques/T1021/002/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index 4c7e219f9ff..f3b2a9e9f87 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/12/03" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ This rule identifies a high number (10) of process terminations (stop, delete, o short time period. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "kuery" license = "Elastic License v2" name = "High Number of Process and/or Service Terminations" @@ -52,9 +56,17 @@ references = ["https://www.elastic.co/security-labs/luna-ransomware-attack-patte risk_score = 47 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] -type = "threshold" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" +type = "threshold" query = ''' event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml index 8cba1822784..c55fe69b914 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints
 ransomware or other destructive attacks.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Shadow Copy Deleted or Resized via VssAdmin"
@@ -85,7 +89,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -108,3 +120,4 @@ reference = "https://attack.mitre.org/techniques/T1490/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 8fff537f8b6..8ca781d1d5f 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/19" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Austin Songer"] @@ -13,7 +11,13 @@ Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve occurs in tandem with ransomware or other destructive attacks. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Volume Shadow Copy Deletion via PowerShell" @@ -89,7 +93,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -114,7 +127,6 @@ reference = "https://attack.mitre.org/techniques/T1490/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index 737be0b3d21..8cffe4dd6fb 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly other destructive attacks. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Volume Shadow Copy Deletion via WMIC" @@ -85,7 +89,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -108,16 +121,14 @@ reference = "https://attack.mitre.org/techniques/T1490/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml index a3ebf3b312f..0c6d5e6f543 100644 --- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml +++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml @@ -2,9 +2,7 @@ creation_date = "2022/07/03" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -28,7 +26,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Defend", +] type = "eql" query = ''' diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml index 4c55b5c6d95..6d6d1b232e7 100644 --- a/rules/windows/initial_access_execution_from_inetcache.toml +++ b/rules/windows/initial_access_execution_from_inetcache.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/02/14" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,17 +11,31 @@ Identifies the execution of a process with arguments pointing to the INetCache F content via WININET during initial access. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Suspicious Execution from INET Cache" references = [ -"https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html" + "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html", ] risk_score = 73 rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -47,12 +59,11 @@ name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -65,3 +76,4 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/windows/initial_access_execution_from_removable_media.toml b/rules/windows/initial_access_execution_from_removable_media.toml index fd95d0db4a5..495c84b76fd 100644 --- a/rules/windows/initial_access_execution_from_removable_media.toml +++ b/rules/windows/initial_access_execution_from_removable_media.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,7 +19,13 @@ name = "Execution from a Removable Media with Network Connection" risk_score = 21 rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -36,6 +40,7 @@ sequence by process.entity_id with maxspan=5m [network where host.os.type == "windows" and event.action == "connection_attempted"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -43,7 +48,9 @@ id = "T1091" name = "Replication Through Removable Media" reference = "https://attack.mitre.org/techniques/T1091/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml index e8e45cc7b15..054e39cfd39 100644 --- a/rules/windows/initial_access_execution_remote_via_msiexec.toml 
+++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml @@ -2,15 +2,13 @@ creation_date = "2023/09/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse -msiexec.exe to launch local or network accessible MSI files. +Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may +abuse msiexec.exe to launch local or network accessible MSI files. """ from = "now-9m" index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"] @@ -20,7 +18,14 @@ name = "Potential Remote File Execution via MSIEXEC" risk_score = 21 rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -57,6 +62,7 @@ sequence with maxspan=1m ] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -68,11 +74,12 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -90,3 +97,4 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml index 7c44a71a943..fd670734deb 100644 --- a/rules/windows/initial_access_execution_via_office_addins.toml +++ b/rules/windows/initial_access_execution_via_office_addins.toml @@ -2,16 +2,13 @@ creation_date = "2023/03/20" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or -with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing -MS Office Add-In. +Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with +an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] 
@@ -19,13 +16,22 @@ language = "eql" license = "Elastic License v2" name = "Suspicious Execution via Microsoft Office Add-Ins" references = [ -"https://github.com/Octoberfest7/XLL_Phishing", -"https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/" + "https://github.com/Octoberfest7/XLL_Phishing", + "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/", ] risk_score = 47 rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -90,9 +96,6 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -103,8 +106,11 @@ reference = "https://attack.mitre.org/techniques/T1137/" id = "T1137.006" name = "Add-ins" reference = "https://attack.mitre.org/techniques/T1137/006/" - + + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml index 52aa662a89a..6d2f0b2e59d 100644 --- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml +++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/03/16" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" -min_stack_version = "8.4.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -17,14 +15,23 @@ index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon language = "kuery" license = "Elastic License v2" name = "First Time Seen Removable Device" +references = [ + "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", + "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings", +] risk_score = 21 rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08" severity = "low" -references = [ -"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", -"https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", ] -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "new_terms" 
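Review bot: Dropping `min_stack_version = "8.4.0"` together with its comment "The New Term rule type used in this rule was added in Elastic 8.4" removes the only record of why this `new_terms` rule cannot be backported below 8.4, and unlike the `8.3.0` entries in the other files this one encoded a real rule-type dependency rather than a field-availability note. It is only safe because the trimmed floor (the lock-versions default now starts at 8.9) is above 8.4, so please confirm that floor is what the trim command was run with; if a lower stack version is ever re-added to the lock, this rule would need the constraint restored. Since the rule-file rewrite is automated, a one-line note in the PR description naming this rule as the sole `8.4.0` drop would make the review trail easier to follow than leaving it buried among the `8.3.0` removals.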
@@ -40,23 +47,22 @@ id = "T1091" name = "Replication Through Removable Media" reference = "https://attack.mitre.org/techniques/T1091/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" +[[rule.threat.technique.subtechnique]] +id = "T1052.001" +name = "Exfiltration over USB" +reference = "https://attack.mitre.org/techniques/T1052/001/" - [[rule.threat.technique.subtechnique]] - id = "T1052.001" - name = "Exfiltration over USB" - reference = "https://attack.mitre.org/techniques/T1052/001/" [rule.threat.tactic] @@ -64,10 +70,11 @@ id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - [rule.new_terms] field = "new_terms_fields" value = ["registry.path"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml index d721eef4deb..60d4797b805 100644 --- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml +++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml @@ -2,9 +2,7 @@ creation_date = "2024/03/24" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,17 +17,31 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Suspicious JetBrains TeamCity Child Process" references = [ - "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html" + "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html", ] risk_score = 47 rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -65,8 +77,6 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -77,13 +87,16 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index c1cf0508978..54732f29f89 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -78,7 +76,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -110,8 +118,6 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -122,6 +128,7 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" 
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 578905ab678..c9c97d1bc8e 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/27" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,14 +11,29 @@ Identifies use of the built-in Windows script interpreters (cscript.exe or wscri via Windows Management Instrumentation (WMI). This may be indicative of malicious activity. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.library-*", + "logs-windows.sysmon_operational-*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "Windows Script Interpreter Executing Process via WMI" risk_score = 47 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' 
@@ -73,10 +86,13 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -86,10 +102,6 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" [rule.threat.tactic] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index 9e1d6e88d9d..c82c46e2f7d 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Austin Songer"] 
@@ -51,7 +49,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -85,8 +93,6 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml index 559342a0528..17f88e2e4ee 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Austin Songer"] 
@@ -19,7 +17,13 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Server UM Spawning Suspicious Processes" @@ -38,7 +42,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -70,7 +83,6 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index 2b7e956e311..ada3c44211b 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/03/08" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -33,7 +31,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -57,7 +64,6 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -68,12 +74,14 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 3552617eb97..90ea17b54ca 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml 
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ These child processes are often launched during exploitation of Office applicati macros. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Suspicious MS Office Child Process" @@ -77,7 +81,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -145,7 +159,6 @@ reference = "https://attack.mitre.org/techniques/T1059/003/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -154,7 +167,6 @@ name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index 1bf889fb925..8fb53b5a56d 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/29" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -28,7 +26,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -71,7 +79,6 @@ reference = "https://attack.mitre.org/techniques/T1566/002/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -87,6 +94,7 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" @@ -98,7 +106,6 @@ reference = "https://attack.mitre.org/techniques/T1059/005/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -107,7 +114,6 @@ name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml index 507f47c2545..e4fe726f8af 100644 --- a/rules/windows/initial_access_webshell_screenconnect_server.toml +++ b/rules/windows/initial_access_webshell_screenconnect_server.toml 
@@ -2,18 +2,22 @@ creation_date = "2024/03/26" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may -indicate exploitation activity or access to an existing web shell backdoor. +Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This +activity may indicate exploitation activity or access to an existing web shell backdoor. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "logs-system.security*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "ScreenConnect Server Spawning Suspicious Processes" @@ -21,7 +25,16 @@ references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-s risk_score = 73 rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" 
@@ -45,7 +58,6 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -56,12 +68,14 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml index e757c7ffb68..4b35a4ed939 100644 --- a/rules/windows/initial_access_xsl_script_execution_via_com.toml +++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml @@ -2,14 +2,12 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. +Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system. """ from = "now-9m" 
@@ -20,7 +18,14 @@ name = "Remote XSL Script Execution via COM" risk_score = 21 rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -38,6 +43,7 @@ sequence with maxspan=1m "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -55,7 +61,6 @@ reference = "https://attack.mitre.org/techniques/T1566/002/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -68,3 +73,4 @@ reference = "https://attack.mitre.org/techniques/T1220/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml index 2e4d081e5a4..e2460af09bf 100644 --- a/rules/windows/lateral_movement_alternate_creds_pth.toml +++ b/rules/windows/lateral_movement_alternate_creds_pth.toml 
@@ -2,16 +2,14 @@
 creation_date = "2023/03/29"
 integration = ["windows", "system"]
 maturity = "production"
-min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
-min_stack_version = "8.4.0"
-updated_date = "2024/01/16"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Adversaries may pass the hash using stolen password hashes to move laterally within an environment,
-bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user
-without having access to the user's cleartext password.
+Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal
+system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's
+cleartext password.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
@@ -52,11 +50,11 @@ id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.id"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
+
+
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 1ac54fbac80..191930a7cfd 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
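Review bot: The first hunk for lateral_movement_alternate_creds_pth.toml removes `min_stack_version = "8.4.0"` together with the comment explaining it (`The New Term rule type used in this rule was added in Elastic 8.4`), which is different from the other files in this commit, where the dropped 8.3.0 floor was tied only to added fields. Once the floor is gone the rule is eligible for every branch still in the version lock, so this is only safe if the lowest locked branch is at or above 8.4; presumably the lock trimming in this commit raised it past that, but it is worth stating in the commit message since the rule-type dependency is no longer recorded anywhere in the file. The second hunk also appends two empty lines at end of file (`+` twice after `value = "now-10d"`), while the same reformatting pass emits a single blank line in most files and two before `[rule.threat.tactic]` in lateral_movement_evasion_rdp_shadowing.toml, lateral_movement_mount_hidden_or_webdav_share_net.toml and lateral_movement_powershell_remoting_target.toml; normalizing to one trailing newline would keep the formatter output consistent across the rule set.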
@@ -13,14 +11,26 @@ Identifies use of sc.exe to create, modify, or start services on remote hosts. T
 lateral movement but will be noisy if commonly done by admins.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Service Command Lateral Movement"
 risk_score = 21
 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index 2fbca0f1142..428f9abd7ca 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,12 @@ launched via the HTA Application COM Object. This behavior may indicate an attac
 laterally while attempting to evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement via MSHTA"
@@ -22,7 +25,14 @@ references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"]
 risk_score = 73
 rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index 96af58d4069..472b5eaa456 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,12 @@ via the MMC20 Application COM Object. This behavior may indicate an attacker abu laterally. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Incoming DCOM Lateral Movement with MMC" @@ -22,7 +25,15 @@ references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20 risk_score = 73 rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -53,20 +64,19 @@ reference = "https://attack.mitre.org/techniques/T1021/003/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index b6dca9f73db..b2a95628a49 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml 
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,12 @@ the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may
 application to stealthily move laterally.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
@@ -22,7 +25,14 @@ references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-
 risk_score = 47
 rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index e05a7b2c00f..43a994b5e50 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/03/22"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -24,7 +22,16 @@ references = [
 risk_score = 47
 rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -54,7 +61,6 @@ reference = "https://attack.mitre.org/techniques/T1021/002/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -62,6 +68,7 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 1ff1b29f63c..3cdaefdf926 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -97,7 +95,14 @@ This rule looks for unexpected processes making network connections over port 44
 risk_score = 47
 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index d2abebdb940..0ef61678ad6 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/04/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ indicative of an active RDP shadowing session. An adversary may abuse the RDP Sh
 other users active RDP sessions.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.registry-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Shadowing Activity"
@@ -33,7 +37,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -63,12 +75,13 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index 88d746d28f8..f9b06fa6f47 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/10" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -61,7 +59,14 @@ Adversaries can use network shares to host tooling to support the compromise of
 risk_score = 47
 rule_id = "58bc134c-e8d2-4291-a552-b4b3e537c60b"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index a49d4b7953e..7e06777f9f7 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint ts
 indicate a lateral movement attempt.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via TSClient Mountpoint"
@@ -29,7 +33,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -44,13 +55,13 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 03cf02f73dc..78ee3336494 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/04/08" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -91,11 +89,21 @@ Adversaries can use network shares to host tooling to support the compromise of - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = ["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"] +references = [ + "http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html", +] risk_score = 47 rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml index 1fc13abf882..2384ec06eee 100644 --- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -19,14 +17,26 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming Execution via WinRM Remote Shell"
 risk_score = 47
 rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
@@ -50,6 +60,7 @@ name = "Windows Remote Management"
 reference = "https://attack.mitre.org/techniques/T1021/006/"
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index b1ff8aaefaa..296271162ef 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,14 +11,26 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a
 adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "logs-endpoint.events.network-*",
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "WMI Incoming Lateral Movement"
 risk_score = 47
 rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
@@ -51,12 +61,12 @@ sequence by host.id with maxspan = 2s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index e1bdd3832b3..72bacb2d830 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies the use of net.exe to mount a WebDav or hidden remote share. This may preparation for data exfiltration. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Mounting Hidden or WebDav Remote Shares" @@ -28,7 +32,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -78,7 +90,6 @@ reference = "https://attack.mitre.org/techniques/T1078/003/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -89,11 +100,14 @@ reference = "https://attack.mitre.org/techniques/T1087/" id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" + [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" 
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index abdb422d0ea..51b8ffdcf0b 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -19,7 +17,12 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Incoming Execution via PowerShell Remoting" @@ -29,7 +32,15 @@ references = [ risk_score = 47 rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -52,11 +63,12 @@ id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -69,6 +81,7 @@ name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index 2e5acf0e372..c7d277c0002 100644 --- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -64,7 +62,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -99,9 +107,6 @@ reference = "https://attack.mitre.org/techniques/T1021/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -109,6 +114,7 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index dd56f8c1e57..6d75397aa48 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -24,7 +22,13 @@ references = [
 risk_score = 73
 rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 2d06b035c95..6517803a3ce 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,13 @@ Identifies a remote file copy attempt to a hidden network share. This may indica activity. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Remote File Copy to a Hidden Share" @@ -28,7 +32,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml index 7230fa97410..a8156603769 100644 --- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml +++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -20,7 +18,13 @@ name = "Remote Windows Service Installed" risk_score = 47 rule_id = "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", +] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index aedaa22b544..da85d66e7cb 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/04/08" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -39,7 +37,12 @@ Identifies remote execution of Windows services over remote procedure call (RPC) movement, but will be noisy if commonly done by administrators. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Remotely Started Services via RPC" 
@@ -103,7 +106,15 @@ references = [ risk_score = 47 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml index a820887721c..388703c7100 100644 --- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml +++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml @@ -2,15 +2,11 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement. -""" +description = "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.\n" from = "now-9m" index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"] language = "eql" @@ -49,8 +45,8 @@ risk_score = 47 rule_id = "9c865691-5599-447a-bac9-b3f2df5f9a9d" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"] -type = "eql" timestamp_override = "event.ingested" +type = "eql" query = ''' iam where event.action == "scheduled-task-created" and 
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml index 3234e97317a..875bfd3abe1 100644 --- a/rules/windows/lateral_movement_scheduled_task_target.toml +++ b/rules/windows/lateral_movement_scheduled_task_target.toml @@ -2,15 +2,18 @@ creation_date = "2020/11/20" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement." from = "now-9m" -index = ["logs-endpoint.events.registry-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.registry-*", + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Remote Scheduled Task Creation" @@ -45,7 +48,15 @@ note = """## Triage and analysis risk_score = 47 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml index 4bcc98b9f3d..b68fdf713de 100644 --- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml 
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -29,7 +27,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -65,12 +71,13 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml index a58605b33f7..31ee079275f 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_children.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -20,7 +18,13 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Unusual Child Process of dns.exe" @@ -77,7 +81,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml index 0675a63a9db..dea6f0ce67c 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -40,7 +38,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index 2b52e22a8a7..650371712a9 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,7 +27,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -50,13 +56,13 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml index 222a1d54ed4..98eab1918ae 100644 --- a/rules/windows/persistence_ad_adminsdholder.toml +++ b/rules/windows/persistence_ad_adminsdholder.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/31" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/09" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -27,7 +25,14 @@ references = [ risk_score = 73 rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", +] timestamp_override = "event.ingested" type = "query" @@ -43,17 +48,18 @@ framework = "MITRE ATT&CK" id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml index 297c90897a0..d1bf7ee53e2 100644 --- a/rules/windows/persistence_app_compat_shim.toml +++ b/rules/windows/persistence_app_compat_shim.toml @@ -2,9 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -20,7 +18,14 @@ name = "Installation of Custom Shim Databases" risk_score = 47 rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index 104d726eb32..28fb63edc48 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml index 32a8066c708..5510e1a7d8b 100644 --- a/rules/windows/persistence_browser_extension_install.toml +++ b/rules/windows/persistence_browser_extension_install.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -20,7 +18,13 @@ name = "Browser Extension Install" risk_score = 21 rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -45,6 +49,7 @@ file where host.os.type == "windows" and event.action : "creation" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -52,7 +57,9 @@ id = "T1176" name = "Browser Extensions" reference = "https://attack.mitre.org/techniques/T1176/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml index a17685c15bd..47ca6bb6651 100644 --- a/rules/windows/persistence_dontexpirepasswd_account.toml +++ b/rules/windows/persistence_dontexpirepasswd_account.toml @@ -2,9 +2,7 @@ creation_date = "2022/02/22" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -71,7 +69,7 @@ tags = [ "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index fc11dc014d8..f8fc9d5dc76 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml 
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -60,7 +58,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index d9072494d77..5488b17dee4 100644 --- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -23,7 +21,16 @@ references = [ risk_score = 47 rule_id = "6839c821-011d-43bd-bd5b-acff00257226" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -61,9 +68,6 @@ reference = "https://attack.mitre.org/techniques/T1546/012/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -71,6 +75,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index 466f4625284..68063c7b4fa 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -2,9 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -98,7 +96,17 @@ Techniques used within malware and by adversaries often leverage the Windows reg risk_score = 73 rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -144,9 +152,6 @@ reference = "https://attack.mitre.org/techniques/T1547/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -154,6 +159,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index 1700e005650..26e1a4dbada 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml +++ b/rules/windows/persistence_local_scheduled_task_creation.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -25,7 +23,14 @@ references = [ risk_score = 21 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index d553e5e1f9f..a3f1b4f8eaa 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml +++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,7 +12,13 @@ an adversary to establish persistence. """ false_positives = ["Legitimate scheduled tasks may be created during installation of new software."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-endpoint.events.library-*", + "logs-windows.sysmon_operational-*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "Scheduled Task Created by a Windows Script" 
@@ -24,7 +28,16 @@ Decode the base64 encoded Tasks Actions registry value to investigate the task's risk_score = 47 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' @@ -56,7 +69,6 @@ reference = "https://attack.mitre.org/techniques/T1053/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index f40d7cb5219..eccc979af8a 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/16" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -26,7 +24,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -48,12 +54,13 @@ framework = "MITRE ATT&CK" id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" - [[rule.threat.technique.subtechnique]] id = "T1137.006" name = "Add-ins" reference = "https://attack.mitre.org/techniques/T1137/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index 89474f8e564..8d5bf2ff561 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -30,7 +28,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index 8d7e3af7cc7..3efb314e337 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml @@ -2,9 +2,7 @@ creation_date = "2022/01/27" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -40,7 +38,14 @@ Audit User Account Management (Success,Failure) ``` """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml index 79bc509048d..f081de1f735 100644 
--- a/rules/windows/persistence_msoffice_startup_registry.toml +++ b/rules/windows/persistence_msoffice_startup_registry.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -24,7 +22,14 @@ references = [ risk_score = 21 rule_id = "14dab405-5dd9-450c-8106-72951af2391f" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -33,6 +38,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -43,12 +49,13 @@ reference = "https://attack.mitre.org/techniques/T1137/" id = "T1137.002" name = "Office Test" reference = "https://attack.mitre.org/techniques/T1137/002/" - + + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -56,6 +63,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml index ef39af45178..b7391f7f221 100644 --- a/rules/windows/persistence_netsh_helper_dll.toml +++ b/rules/windows/persistence_netsh_helper_dll.toml 
@@ -2,16 +2,14 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality.
-Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done
-by administrators or a scheduled task.
+Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its
+functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed,
+which can be done by administrators or a scheduled task.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.registry-*", "endgame-*"]
@@ -21,7 +19,14 @@ name = "Netsh Helper DLL"
 risk_score = 21
 rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -46,12 +51,11 @@ name = "Netsh Helper DLL"
 reference = "https://attack.mitre.org/techniques/T1546/007/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -64,3 +68,4 @@ reference = "https://attack.mitre.org/techniques/T1112/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index e7fbc4f3a4c..37ab09c27b6 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -14,7 +12,13 @@ Adversaries may target user email to collect sensitive information.
 """
 false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "New ActiveSyncAllowedDeviceID Added via PowerShell"
@@ -33,7 +37,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -60,7 +72,6 @@ reference = "https://attack.mitre.org/techniques/T1098/002/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index 04eaf04023e..668dc35eda6 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/10/13"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -103,7 +102,16 @@ references = [
 risk_score = 47
 rule_id = "5cf6397e-eb91-4f31-8951-9f0eaa755a31"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -133,7 +141,6 @@ reference = "https://attack.mitre.org/techniques/T1546/013/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index e6088b0d86e..857ad758109 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -110,7 +108,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 22539edbe9a..18011a9884c 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -21,7 +19,14 @@ references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=27620
 risk_score = 47
 rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
 timeline_title = "Comprehensive Registry Timeline"
 timestamp_override = "event.ingested"
@@ -93,6 +98,16 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.002"
+name = "Screensaver"
+reference = "https://attack.mitre.org/techniques/T1546/002/"
+
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
@@ -102,14 +117,7 @@ id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-[[rule.threat.technique.subtechnique]]
-id = "T1546.002"
-name = "Screensaver"
-reference = "https://attack.mitre.org/techniques/T1546/002/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 2d616617e34..a15ea8909c6 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/18"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -19,7 +17,6 @@ language = "eql"
 license = "Elastic License v2"
 name = "Account Password Reset Remotely"
 note = """
-
 ## Performance
 This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.
 """
@@ -32,7 +29,13 @@ references = [
 risk_score = 47
 rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Impact",
+]
 type = "eql"
 query = '''
@@ -68,15 +71,14 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1531"
 name = "Account Access Removal"
 reference = "https://attack.mitre.org/techniques/T1531/"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 7d7ea941dc7..b03de150363 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -103,7 +101,15 @@ Adversaries may achieve persistence by referencing a program with a registry run
 risk_score = 21
 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
 timeline_title = "Comprehensive Registry Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 8fc63c13930..e4e9538432b 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -20,7 +18,15 @@ name = "Execution of Persistent Suspicious Program"
 risk_score = 47
 rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 type = "eql"
 query = '''
diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml
index 18db7189b13..ed3a6f2fd42 100644
--- a/rules/windows/persistence_scheduled_task_creation_winlog.toml
+++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/01/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml
index a2b566ef3b4..dd23a6bc267 100644
--- a/rules/windows/persistence_scheduled_task_updated.toml
+++ b/rules/windows/persistence_scheduled_task_updated.toml
@@ -2,10 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
-
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index 396217ba5c8..d5d88fd76cf 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/02/24"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -94,7 +92,7 @@ tags = [
 "Tactic: Persistence",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring"
+ "Use Case: Active Directory Monitoring",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -110,22 +108,22 @@ any where event.action == "Directory Service Changes" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1078.002"
 name = "Domain Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/002/"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml
index d348c770f07..4c9bda1fc63 100644
--- a/rules/windows/persistence_service_dll_unsigned.toml
+++ b/rules/windows/persistence_service_dll_unsigned.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
-min_stack_version = "8.4.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
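Review bot: In the persistence_service_dll_unsigned.toml hunk, dropping `min_stack_comments` also drops the only record that this rule depends on `dll.Ext.relative_file_creation_time`, which the removed comment says Elastic Endpoint populates only from 8.4 onward; nothing on the new side carries that requirement forward. Removing the 8.4.0 gate itself looks consistent with the other hunks, where 8.3.0 and 8.8.0 gates are removed the same way, so the supported range presumably starts above 8.4. The field dependency is still worth stating where users of the rule will see it, for example a line in the rule's `setup` or `note` such as `This rule relies on dll.Ext.relative_file_creation_time, which Elastic Endpoint populates from 8.4 onward.`. The rule's query and `setup` section are outside this hunk, so the field may already be mentioned there; if it is, no change is needed.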
@@ -20,7 +18,15 @@ name = "Unsigned DLL Loaded by Svchost"
 risk_score = 47
 rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -136,24 +142,23 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml
index 7bd5af1c5bf..813526bb165 100644
--- a/rules/windows/persistence_service_windows_service_winlog.toml
+++ b/rules/windows/persistence_service_windows_service_winlog.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/08/08"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -30,15 +28,20 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 [[transform.osquery]]
 label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
+issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
+authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
 """
 [[transform.osquery]]
 label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link"
 query = """
-SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
+issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
+authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
 """
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -94,7 +97,13 @@ This rule looks for suspicious services being created with suspicious traits com
 risk_score = 47
 rule_id = "da87eee1-129c-4661-a7aa-57d0b9645fad"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 9fae059ac87..c58066caed3 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -21,7 +19,16 @@ name = "Unusual Persistence via Services Registry"
 risk_score = 21
 rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -67,9 +74,6 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -77,6 +81,7 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 1cbcef5d6cf..da4b4658921 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -111,7 +109,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index e3c7edc80eb..7e42c967460 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/04/08"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -102,7 +100,15 @@ This rule looks for unsigned processes writing to the Startup folder locations.
 risk_score = 47
 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''
@@ -140,19 +146,19 @@ reference = "https://attack.mitre.org/techniques/T1547/001/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index a773d1af6b6..fe6a4bcdd3e 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/03/28"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -110,7 +108,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 8b63c653559..29a569e13cc 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/05/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -72,7 +70,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Privilege Escalation","Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -148,7 +156,6 @@ reference = "https://attack.mitre.org/techniques/T1546/015/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -166,9 +173,6 @@ reference = "https://attack.mitre.org/techniques/T1546/015/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -176,6 +180,7 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index ee16c9b7969..c03e8ea7186 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [transform]
 [[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -124,7 +123,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -142,31 +150,30 @@ framework = "MITRE ATT&CK"
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1053.005"
 name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1053.005"
 name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 7a9d64617bb..d74b17c8c9b 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
@@ -26,7 +24,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -89,7 +94,6 @@ reference = "https://attack.mitre.org/techniques/T1053/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -102,6 +106,7 @@ name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index 5af4cd96a3d..2f2ffddac1a 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -20,7 +18,16 @@ name = "Suspicious ImagePath Service Creation" risk_score = 73 rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -51,9 +58,6 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -61,6 +65,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml index f575f2ec6a9..617d438f1ed 100644 --- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml +++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/02" integration = ["windows"] maturity = "production" -min_stack_comments = "Related integrations field type changes in 8.8.0" -min_stack_version = "8.8.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -18,13 +16,19 @@ language = "eql" license = "Elastic License v2" name = "Suspicious WMI Event Subscription Created" references = [ - "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", - "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96", + "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", + "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96", ] risk_score = 47 rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -33,18 +37,19 @@ any where event.dataset == "windows.sysmon_operational" and event.code == "21" a winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.003" +name = "Windows Management Instrumentation Event Subscription" +reference = "https://attack.mitre.org/techniques/T1546/003/" + - [[rule.threat.technique.subtechnique]] - id = "T1546.003" - name = "Windows Management Instrumentation Event Subscription" - reference = "https://attack.mitre.org/techniques/T1546/003/" [rule.threat.tactic] id = "TA0003" 
diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index 233359c3c3d..f594f5be074 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -22,7 +20,13 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti risk_score = 47 rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", +] type = "eql" query = ''' @@ -31,6 +35,7 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,20 +53,19 @@ reference = "https://attack.mitre.org/techniques/T1053/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 96b066dded8..6349b995f6c 100644 
--- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -98,7 +97,16 @@ references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"] risk_score = 47 rule_id = "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -134,7 +142,6 @@ reference = "https://attack.mitre.org/techniques/T1547/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index a9bf18fa9a8..5d34c49c078 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/01/09" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic", "Skoetting"] @@ -61,7 +59,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index bd955a90fef..1f23de1adb6 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ Identifies attempts to create new users. This is sometimes done by attackers to on a system or domain. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "User Account Creation" @@ -61,7 +65,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index de2cfc044a4..fdebc251f6b 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/01" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -14,7 +12,13 @@ changes over time. This Windows functionality has been abused by attackers to st code execution in legitimate Windows processes. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Potential Application Shimming via Sdbinst" @@ -29,7 +33,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index db0134e02c7..93cbe924c0a 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -32,7 +30,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -71,10 +79,8 @@ reference = "https://attack.mitre.org/techniques/T1547/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1106" name = "Native API" @@ -85,8 +91,6 @@ reference = "https://attack.mitre.org/techniques/T1106/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -94,6 +98,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 9a700a80be5..9f8ee232a03 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -28,7 +26,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -61,9 +68,6 @@ reference = "https://attack.mitre.org/techniques/T1547/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -71,6 +75,7 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index 58ffb83f793..a981690a029 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,13 +11,17 @@ Detects the successful hijack of Microsoft Compatibility Appraiser scheduled tas integrity level of system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Persistence via TelemetryController Scheduled Task Hijack" -references = [ - "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence", -] +references = ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"] risk_score = 73 rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2" setup = """## Setup @@ -31,7 +33,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -64,14 +74,13 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" @@ -81,13 +90,13 @@ id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index 58ef5c3fe52..51551db3bc2 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -107,7 +105,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -149,7 +157,6 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index 0e9060c0e2d..02d9eb6461e 100644 --- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml +++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -14,7 +12,13 @@ bindings that execute code when a defined event occurs. Adversaries may use the event and execute arbitrary code when that event occurs, providing persistence on a system. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Persistence via WMI Event Subscription" @@ -30,7 +34,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -59,15 +71,14 @@ reference = "https://attack.mitre.org/techniques/T1546/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index 625e1c3c611..8d26a4ebe80 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ @@ -101,7 +100,14 @@ references = [ risk_score = 73 rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml index 9e7f7d5da89..41d3b26110b 100644 --- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -13,7 +11,13 @@ Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Execution via MSSQL xp_cmdshell Stored Procedure" @@ -62,7 +66,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -81,38 +93,37 @@ process where host.os.type == "windows" and event.type == "start" and process.pa ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique.subtechnique]] id = "T1505.001" name = "SQL Stored Procedures" reference = "https://attack.mitre.org/techniques/T1505/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml index 2ca1d429677..fa3636187dc 100644 --- a/rules/windows/persistence_werfault_reflectdebugger.toml +++ b/rules/windows/persistence_werfault_reflectdebugger.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -21,7 +19,14 @@ references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.h risk_score = 21 rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -41,12 +46,11 @@ id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -59,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml index 9f6d7a2e664..ecd4afd2994 100644 --- a/rules/windows/privilege_escalation_create_process_as_different_user.toml +++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml index d3675bbc2b1..ffd8fd02012 100644 --- a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml 
+++ b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: process.Ext.effective_parent.executable, process.Ext.effective_parent.name, process.Ext.relative_file_creation_time, process.Ext.relative_file_name_modify_time" -min_stack_version = "8.4.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -17,13 +15,17 @@ index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Process Created with a Duplicated Token" -references = [ - "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw", -] +references = ["https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"] risk_score = 47 rule_id = "1b0b4818-5655-409b-9c73-341cac4bb73f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -64,7 +66,6 @@ framework = "MITRE ATT&CK" id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [[rule.threat.technique.subtechnique]] id = "T1134.001" name = "Token Impersonation/Theft" @@ -81,3 +82,4 @@ reference = "https://attack.mitre.org/techniques/T1134/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index 154f98b3d26..8c3dc14a8e7 100644 --- a/rules/windows/privilege_escalation_credroaming_ldap.toml 
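Review bot: The removed `min_stack_comments` line in the first hunk of privilege_escalation_create_process_with_token_unpriv.toml was the only place that named the Endpoint fields this query depends on (`process.Ext.effective_parent.executable`, `process.Ext.effective_parent.name`, `process.Ext.relative_file_creation_time`, `process.Ext.relative_file_name_modify_time`); with the gate gone, that dependency is no longer documented anywhere in the rule. Since it is no longer a stack gate, the natural home for it is the rule's `setup` or `note` text rather than metadata, e.g. a sentence stating that the query requires the `process.Ext.effective_parent.*` and `process.Ext.relative_file_*` fields from Elastic Defend. The `references` and `tags` reflows in the following hunks are formatting only.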
+++ b/rules/windows/privilege_escalation_credroaming_ldap.toml @@ -2,9 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -43,7 +41,14 @@ Audit Directory Service Changes (Success,Failure) ``` """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Data Source: Active Directory", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 007400959f9..2dd83bb73f4 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -82,7 +80,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -120,6 +127,11 @@ name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" @@ -129,6 +141,7 @@ id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -138,11 +151,6 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] @@ -150,4 +158,3 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml index 8bcae7a6ea6..4b8812b03c7 100644 --- a/rules/windows/privilege_escalation_driver_newterm_imphash.toml 
+++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml 
@@ -1,30 +1,32 @@ [metadata] creation_date = "2022/12/19" -maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" -min_stack_version = "8.6.0" integration = ["endpoint"] -updated_date = "2024/03/28" +maturity = "production" +updated_date = "2024/05/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, +issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = +authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ + [rule] author = ["Elastic"] description = """ -Identifies the load of a driver with an original file name and signature values that were observed -for the first time during the last 30 days. 
This rule type can help baseline drivers installation -within your environment. +Identifies the load of a driver with an original file name and signature values that were observed for the first time +during the last 30 days. This rule type can help baseline drivers installation within your environment. """ from = "now-9m" index = ["logs-endpoint.events.library-*"] @@ -97,7 +99,15 @@ references = ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-drive risk_score = 47 rule_id = "df0fd41e-5590-4965-ad5e-cd079ec22fa9" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -105,6 +115,7 @@ query = ''' event.category:"driver" and host.os.type:windows and event.action:"load" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -117,8 +128,6 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -131,6 +140,7 @@ name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -142,3 +152,5 @@ value = ["dll.pe.original_file_name", "dll.code_signature.subject_name"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-30d" + + diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml index a94586c1294..5026c5b0606 100644 
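Review bot: The reflow of the two `query` values in this hunk happens inside `"""` basic strings, so the inserted line breaks become part of the SQL text rather than being formatting only; the first break in each query lands after `image,` and the second after `=`, which are token boundaries, so the statements should still parse, but the stored value is no longer byte-identical to the old one. If the intent is layout only, ending each wrapped line with a TOML line-ending backslash (`... directory, image, \`) keeps the parsed string unchanged while still wrapping the source. The same pattern applies to the wrapped `description` later in this hunk, though free text is unaffected by an extra newline. The `[[transform.osquery]]` entries begin before this hunk's first line.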
--- a/rules/windows/privilege_escalation_expired_driver_loaded.toml +++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml @@ -2,9 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -18,12 +16,19 @@ language = "eql" license = "Elastic License v2" name = "Expired or Revoked Driver Loaded" references = [ - "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN", ] risk_score = 47 rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -32,6 +37,7 @@ driver where host.os.type == "windows" and process.pid == 4 and dll.code_signature.status : ("errorExpired", "errorRevoked") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -44,20 +50,19 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index a25aab23346..d73ec6d3beb 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml +++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml 
@@ -2,27 +2,32 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution. -""" +description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n" from = "now-9m" index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential privilege escalation via CVE-2022-38028" references = [ - "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/" + "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/", ] risk_score = 73 rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -32,6 +37,7 @@ file where host.os.type == "windows" and "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
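Review bot: The `description` in the first hunk is collapsed into a one-line basic string with an escaped trailing newline, `description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n"`, whereas every other rule in this commit keeps the multi-line `"""` form. The parsed value should be identical either way (the `"""` form also retains the final newline before the closing delimiter), so this is a style inconsistency rather than a behaviour change, but the one-line form also runs well past the width the other descriptions were re-wrapped to. Keeping the original layout, `description = """` / `Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.` / `"""`, would match the rest of the rule set.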
@@ -44,7 +50,6 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -52,6 +57,7 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml index 11fcae30c93..5208f641c4d 100644 --- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml +++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -29,7 +27,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" 
@@ -58,7 +65,6 @@ reference = "https://attack.mitre.org/techniques/T1484/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index e7e5d9fdd1c..51ebb21e505 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -2,9 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -92,7 +90,7 @@ tags = [ "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml index ba092d3ffb6..cd65fe208bb 100644 --- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml +++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml @@ -2,9 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -74,7 +72,7 @@ tags = [ "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml index f40348e6cc4..53ad7a334fe 100644 --- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml @@ -2,9 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -95,7 +93,7 @@ tags = [ "Tactic: Lateral Movement", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring" + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "query" @@ -136,10 +134,8 @@ reference = "https://attack.mitre.org/techniques/T1484/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" @@ -150,3 +146,4 @@ reference = "https://attack.mitre.org/techniques/T1570/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index aed4bd9d302..d1f06892c29 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml 
@@ -2,9 +2,7 @@ creation_date = "2021/11/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -110,7 +108,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml index 07bf29f3339..83e22935c51 100644 --- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml +++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml @@ -2,9 +2,7 @@ creation_date = "2022/04/27" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -27,7 +25,15 @@ references = [ risk_score = 73 rule_id = "e4e31051-ee01-4307-a6ee-b21b186958f4" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", +] type = "eql" query = ''' diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml index 9464e43efcc..2815d03202f 100644 --- a/rules/windows/privilege_escalation_lsa_auth_package.toml +++ b/rules/windows/privilege_escalation_lsa_auth_package.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,7 +19,14 @@ name = "Potential LSA Authentication Package Abuse" risk_score = 47 rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml index 9ee903cf98b..4127468dfe2 100644 --- a/rules/windows/privilege_escalation_make_token_local.toml 
+++ b/rules/windows/privilege_escalation_make_token_local.toml @@ -2,15 +2,13 @@ creation_date = "2023/12/04" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/15" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may -create a new token to escalate privileges and bypass access controls. +Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new +token to escalate privileges and bypass access controls. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] @@ -74,3 +72,4 @@ reference = "https://attack.mitre.org/techniques/T1134/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index ff81077a507..1edba51e546 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -39,7 +37,13 @@ Identifies a privilege escalation attempt via named pipe impersonation. An adver utilizing a framework such Metasploit's meterpreter getsystem command. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via Named Pipe Impersonation" @@ -116,7 +120,7 @@ tags = [ "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml index d8b013c2e42..5787866e3a9 100644 --- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml +++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml 
@@ -2,25 +2,23 @@ creation_date = "2023/11/15" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" -min_stack_version = "8.4.0" -updated_date = "2024/01/15" +updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token -forging capability that are often abused to bypass access control restrictions. +Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access +token forging capability that are often abused to bypass access control restrictions. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "First Time Seen NewCredentials Logon Process" +references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"] risk_score = 47 rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d" severity = "medium" -references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"] tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "new_terms" @@ -42,15 +40,17 @@ name = "Token Impersonation/Theft" reference = "https://attack.mitre.org/techniques/T1134/001/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 8759499b76f..ed74562df8d 100644 
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -2,9 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -87,7 +85,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon" + "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" @@ -152,19 +150,19 @@ reference = "https://attack.mitre.org/techniques/T1574/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml index 02021929a99..4c4ac047e3d 100644 --- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml +++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -22,7 +20,14 @@ references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-gro risk_score = 47 rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -49,6 +54,7 @@ reference = "https://attack.mitre.org/techniques/T1547/" id = "T1547.010" name = "Port Monitors" reference = "https://attack.mitre.org/techniques/T1547/010/" + [[rule.threat.technique.subtechnique]] id = "T1547.012" name = "Print Processors" @@ -70,6 +76,7 @@ reference = "https://attack.mitre.org/techniques/T1547/" id = "T1547.010" name = "Port Monitors" reference = "https://attack.mitre.org/techniques/T1547/010/" + [[rule.threat.technique.subtechnique]] id = "T1547.012" name = "Print Processors" diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml index 8542b868669..104f6ed9483 100644 --- a/rules/windows/privilege_escalation_posh_token_impersonation.toml +++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml @@ -2,9 +2,7 @@ creation_date = "2022/08/17" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ 
@@ -129,7 +128,13 @@ references = [ risk_score = 47 rule_id = "11dd9713-0ec6-4110-9707-32daae1ee68c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: PowerShell Logs", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index c0752b55e99..03ba85956c0 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -26,7 +24,16 @@ references = [ risk_score = 73 rule_id = "bd7eefee-f671-494e-98df-f01daf9e5f17" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] type = "eql" query = ''' diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index 80d175281dd..2b31df40e37 100644 
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -33,7 +31,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml index da760c6a03f..8fee45cb790 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -35,7 +33,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index 04705ffe7b1..f6e2619c9b4 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -2,9 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -108,7 +106,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index 369de22ae7a..07e9726f371 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -21,7 +19,15 @@ references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variable risk_score = 73 rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml index 818894d1785..ed2a9f31ab9 100644 --- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml +++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml @@ -2,9 +2,7 @@ creation_date = "2021/12/12" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -36,7 +34,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Use Case: Vulnerability", +] timestamp_override = "event.ingested" type = "eql" @@ -49,7 +56,6 @@ iam where event.action == "renamed-user-account" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml index a7540a238b5..fb37b69bae6 100644 --- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -27,6 +25,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ + [rule] author = ["Elastic"] description = """ 
@@ -80,7 +79,17 @@ The `sc.exe` command line utility is used to manage and control Windows services risk_score = 21 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -108,13 +117,19 @@ id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
@@ -123,35 +138,29 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" @@ -163,6 +172,7 @@ name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml index df47b515e14..20cd7649292 100644 --- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml +++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml @@ -2,9 +2,7 @@ creation_date = "2022/05/11" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/21" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -26,7 +24,15 @@ references = [ risk_score = 73 rule_id = "6bed021a-0afb-461c-acbe-ffdb9574d3f3" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Use Case: Vulnerability", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml index 842ee232096..52b35de4dd2 100644 --- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml +++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml @@ -2,9 +2,7 @@ creation_date = "2022/10/20" integration = ["windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/01/16" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index 2b333cea9b8..bc934e48b4c 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,7 +27,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -58,7 +66,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -76,7 +83,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index cf28f5d3cde..252307c82e7 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml @@ -2,9 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,7 +27,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -60,7 +68,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -78,7 +85,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -96,3 +102,4 @@ reference = "https://attack.mitre.org/techniques/T1559/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index 094f11fdeb7..dc53b678812 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -28,7 +26,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -57,7 +65,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -75,7 +82,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index 6e72533b81b..9989095fd51 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml 
@@ -2,9 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,13 @@ Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "UAC Bypass via DiskCleanup Scheduled Task Hijack" @@ -28,7 +32,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -58,7 +71,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -76,7 +88,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index f7d97510c29..2f8b172089e 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/27" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,7 +30,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -62,7 +69,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -73,6 +79,8 @@ reference = "https://attack.mitre.org/techniques/T1548/" id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -89,4 +97,3 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index c6d243d3465..d0c4a672662 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -39,7 +37,13 @@ Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Bypass UAC via Event Viewer" 
@@ -108,7 +112,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -140,7 +153,6 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index e664bf293e9..7d67405a5f5 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/26" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -39,7 +37,13 @@ Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Attackers may bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "UAC Bypass Attempt via Windows Directory Masquerading" @@ -108,7 +112,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -135,9 +148,18 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" 
@@ -147,15 +169,6 @@ id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" - -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 5d47b701d61..54e126d89dc 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] @@ -108,7 +106,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" 
@@ -138,28 +146,28 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" -[[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + + [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml index 1b27f6a8932..c84307aa9f4 100644 --- a/rules/windows/privilege_escalation_unquoted_service_path.toml +++ b/rules/windows/privilege_escalation_unquoted_service_path.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -21,7 +19,13 @@ name = "Potential Exploitation of an Unquoted Service Path Vulnerability" risk_score = 21 rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -36,7 +40,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -47,7 +50,9 @@ name = "Path Interception by Unquoted Path" reference = "https://attack.mitre.org/techniques/T1574/009/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 2a2df54861a..4c3ec0857cc 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -2,9 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/03/28" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -39,7 +37,13 @@ Identifies Windows programs run from unexpected parent processes. This could ind activity on a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Unusual Parent-Child Relationship" @@ -108,7 +112,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml index 1cc52ef44dd..f9fa449d1ae 100644 --- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -2,9 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -35,7 +33,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index 62cfc4928d8..8aae57f66a0 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml @@ -2,9 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -29,7 +27,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" @@ -92,6 +99,7 @@ name = "Process Hollowing" reference = "https://attack.mitre.org/techniques/T1055/012/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml index c5c94e637c9..57c9603c900 100644 --- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml +++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml @@ -2,9 +2,7 @@ creation_date = "2022/10/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -26,7 +24,13 @@ references = [ risk_score = 73 rule_id = "26b01043-4f04-4d2f-882a-5a1d2e95751b" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml index 3cdd594f349..52704a92758 100644 --- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml @@ -2,9 +2,7 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -36,7 +34,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Sysmon"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Sysmon", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml index 62f573c9774..4e4c0049a82 100644 --- a/rules/windows/privilege_escalation_via_token_theft.toml +++ b/rules/windows/privilege_escalation_via_token_theft.toml @@ -2,9 +2,7 @@ creation_date = "2022/10/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup, process.Ext.effective_parent.executable" -min_stack_version = "8.4.0" -updated_date = "2024/03/28" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
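Review bot: The removed `min_stack_comments` line in privilege_escalation_via_token_theft.toml was the only place this rule recorded its dependency on `process.Ext.effective_parent.executable`; the other trimmed rules cite only the generic 8.3 fields, so here the trim drops field-dependency information, not just a version gate. If the rule's `required_fields` (outside this hunk) does not already pick that field up from the query, consider listing it there so the dependency stays documented once the gate is gone. The same applies to collection_linux_suspicious_clipboard_activity.toml further down, whose removed comment recorded the 8.6 multi-field New Terms requirement behind its two-entry `new_terms_fields`.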
@@ -24,7 +22,13 @@ references = [ risk_score = 73 rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml index cd608a639b5..034fdc25533 100644 --- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml +++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml @@ -2,9 +2,7 @@ creation_date = "2022/02/07" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/05/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml index a8f4f0650a1..445af055e36 100644 --- a/rules_building_block/collection_archive_data_zip_imageload.toml +++ b/rules_building_block/collection_archive_data_zip_imageload.toml 
@@ -2,29 +2,34 @@ creation_date = "2023/07/06" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.library-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Compression DLL Loaded by Unusual Process" risk_score = 21 rule_id = "d197478e-39f0-4347-a22f-ba654718b148" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' library where host.os.type == "windows" and event.action == "load" and @@ -48,6 +53,7 @@ library where host.os.type == "windows" and event.action == "load" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -55,7 +61,9 @@ id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml index 7799e686368..8cbf9f55494 100644 --- a/rules_building_block/collection_common_compressed_archived_file.toml +++ b/rules_building_block/collection_common_compressed_archived_file.toml 
@@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = "endpoint" maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -34,6 +32,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "windows" and event.type in ("creation", "change") and process.executable != null and not user.id : ("S-1-5-18", "S-1-5-17") and file.Ext.header_bytes : ( 
@@ -115,59 +114,58 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" +[[rule.threat.technique.subtechnique]] +id = "T1074.001" +name = "Local Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/001/" -[rule.threat.tactic] -id = "TA0009" -name = "Collection" -reference = "https://attack.mitre.org/tactics/TA0009/" - - [[rule.threat.technique]] - id = "T1560" - name = "Archive Collected Data" - reference = "https://attack.mitre.org/techniques/T1560/" - [[rule.threat.technique.subtechnique]] - id = "T1560.001" - name = "Archive via Utility" - reference = "https://attack.mitre.org/techniques/T1560/001/" +[[rule.threat.technique]] +id = "T1560" +name = "Archive Collected Data" +reference = "https://attack.mitre.org/techniques/T1560/" +[[rule.threat.technique.subtechnique]] +id = "T1560.001" +name = "Archive via Utility" +reference = "https://attack.mitre.org/techniques/T1560/001/" - [[rule.threat.technique]] - id = "T1074" - name = "Data Staged" - reference = "https://attack.mitre.org/techniques/T1074/" - [[rule.threat.technique.subtechnique]] - id = "T1074.001" - name = "Local Data Staging" - reference = "https://attack.mitre.org/techniques/T1074/001/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1132" +name = "Data Encoding" +reference = "https://attack.mitre.org/techniques/T1132/" +[[rule.threat.technique.subtechnique]] +id = "T1132.001" +name = "Standard Encoding" +reference = "https://attack.mitre.org/techniques/T1132/001/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat.technique]] - id = "T1132" - name = "Data 
Encoding" - reference = "https://attack.mitre.org/techniques/T1132/" - - [[rule.threat.technique.subtechnique]] - id = "T1132.001" - name = "Standard Encoding" - reference = "https://attack.mitre.org/techniques/T1132/001/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] - id = "T1027" - name = "Obfuscated Files or Information" - reference = "https://attack.mitre.org/techniques/T1027/" diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml index bfebdb55c07..9b62ea0f761 100644 --- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml +++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml 
@@ -2,28 +2,33 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.file-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "File Staged in Root Folder of Recycle Bin" risk_score = 21 rule_id = "57bccf1d-daf5-4e1a-9049-ff79b5254704" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -33,20 +38,22 @@ file where host.os.type == "windows" and event.type == "creation" and not file.name : "desktop.ini" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" +[[rule.threat.technique.subtechnique]] +id = "T1074.001" +name = "Local Data Staging" +reference = "https://attack.mitre.org/techniques/T1074/001/" - [[rule.threat.technique.subtechnique]] - id = "T1074.001" - name = "Local Data Staging" - reference = "https://attack.mitre.org/techniques/T1074/001/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + 
diff --git a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml index d48ae36952c..7705f9a89bb 100644 --- a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml +++ b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml @@ -2,20 +2,19 @@ creation_date = "2023/07/27" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "Potential Suspicious Clipboard Activity Detected" 
@@ -23,32 +22,33 @@ risk_score = 21 rule_id = "884e87cc-c67b-4c90-a4ed-e1e24a940c82" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Collection", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] -type = "new_terms" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" -building_block_type = "default" +type = "new_terms" + query = ''' event.category:process and host.os.type:"linux" and event.type:"start" and event.action:("exec" or "exec_event" or "executed" or "process_started") and process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1115" name = "Clipboard Data" reference = "https://attack.mitre.org/techniques/T1115/" + [rule.threat.tactic] id = "TA0009" name = "Collection" @@ -57,7 +57,8 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.group_leader.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml index 6b5b04cb050..3362ff8a2f4 100644 --- a/rules_building_block/collection_outlook_email_archive.toml +++ b/rules_building_block/collection_outlook_email_archive.toml 
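Review bot: The blank-line layout the writer produces is not uniform across the rewritten files: this hunk ends with two added empty lines at EOF (`+` `+` after `value = "now-7d"`) while the other sections end with one, the hunk in command_and_control_non_standard_http_port.toml appears to leave three empty lines before `[rule.threat.tactic]` where the rest leave two, and the hunks in command_and_control_bitsadmin_activity.toml and credential_access_mdmp_file_unusual_extension.toml remove the separating blank between consecutive `[[rule.threat]]` entries entirely. This is read from the collapsed rendering, so counts may be off by one, but the pattern suggests the serializer rather than the rules. Normalizing in the writer (one trailing newline, one blank line between top-level tables) would keep every future re-save from churning whitespace in these files.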
@@ -2,29 +2,34 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or -modification of these files. +Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, +access, or modification of these files. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Accessing Outlook Data Files" risk_score = 21 rule_id = "2e311539-cd88-4a85-a301-04f38795007c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -35,19 +40,22 @@ process where host.os.type == "windows" and event.type == "start" and process.ar ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" - [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" reference = "https://attack.mitre.org/techniques/T1114/001/" + + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + 
diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml index cfc5929a85d..5090c481cdb 100644 --- a/rules_building_block/command_and_control_bitsadmin_activity.toml +++ b/rules_building_block/command_and_control_bitsadmin_activity.toml @@ -2,29 +2,34 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Bitsadmin Activity" risk_score = 21 rule_id = "8eec4df1-4b4b-4502-b6c3-c788714604c9" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and @@ -40,6 +45,7 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -52,7 +58,6 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -65,7 +70,6 @@ reference = "https://attack.mitre.org/techniques/T1197/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -78,3 +82,4 @@ reference = "https://attack.mitre.org/techniques/T1197/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml index 15bce7b6651..c2e4b44ff6c 100644 --- a/rules_building_block/command_and_control_certutil_network_connection.toml +++ b/rules_building_block/command_and_control_certutil_network_connection.toml @@ -2,9 +2,7 @@ creation_date = "2020/03/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" bypass_bbr_timing = true [transform] diff --git a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml index 1caa23c1134..3a1341bca20 100644 --- a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml +++ b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,18 +29,19 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] building_block_type = "default" description = """ This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers -can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert +can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Linux SSH X11 Forwarding" 
@@ -110,31 +109,34 @@ risk_score = 21 rule_id = "29f0cf93-d17c-4b12-b4f3-a433800539fa" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules_building_block/command_and_control_non_standard_http_port.toml b/rules_building_block/command_and_control_non_standard_http_port.toml index db386d382ef..44d1e9f9f71 100644 --- a/rules_building_block/command_and_control_non_standard_http_port.toml +++ b/rules_building_block/command_and_control_non_standard_http_port.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/10" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [transform] [[transform.osquery]] 
@@ -31,18 +29,18 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. -For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. -Adversaries may make changes to the standard port a protocol uses to bypass filtering or -muddle analysis/parsing of network data. +Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For +example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to +the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Non-Standard Port HTTP/HTTPS connection" 
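Review bot: The reflowed description keeps the typo `paring` and the stray space in `port 80 , 443`; since these lines are rewritten anyway, fix the wording here rather than in a later pass. The first added description line would become `Identifies potentially malicious processes communicating via a port pairing typically not associated with HTTP/HTTPS. For` and the second `example, HTTP over port 8443 or port 440 as opposed to the traditional ports 80, 443. Adversaries may make changes to`. The description text is user-facing in the rule listing, so the typo is visible to analysts.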
@@ -108,46 +106,46 @@ risk_score = 21 rule_id = "62b68eb2-1e47-4da7-85b6-8f478db5b272" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( "connection_attempted", "ipv4_connection_attempt_event", "connection_accepted", "ipv4_connection_accept_event" ) and destination.ip != "127.0.0.1" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1571" -name = "Non-Standard Port" -reference = "https://attack.mitre.org/techniques/T1571/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + [[rule.threat.technique]] id = "T1573" name = "Encrypted Channel" reference = "https://attack.mitre.org/techniques/T1573/" - [[rule.threat.technique.subtechnique]] id = "T1573.001" name = "Symmetric Cryptography" @@ -158,7 +156,10 @@ id = "T1573.002" name = "Asymmetric Cryptography" reference = "https://attack.mitre.org/techniques/T1573/002/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + 
diff --git a/rules_building_block/credential_access_mdmp_file_creation.toml b/rules_building_block/credential_access_mdmp_file_creation.toml index c9da48cd015..938d4cba5ab 100644 --- a/rules_building_block/credential_access_mdmp_file_creation.toml +++ b/rules_building_block/credential_access_mdmp_file_creation.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/09/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory. @@ -21,9 +20,15 @@ name = "Potential Credential Access via Memory Dump File Creation" risk_score = 21 rule_id = "e707a7be-cc52-41ac-8ab3-d34b38c20005" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -90,3 +95,4 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml index 2a9735df4c9..666c28d4f06 100644 --- a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml +++ b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml 
@@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/09/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses. @@ -21,9 +20,16 @@ name = "Memory Dump File with Unusual Extension" risk_score = 21 rule_id = "c0b9dc99-c696-4779-b086-0d37dc2b3778" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -61,8 +67,6 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -75,7 +79,9 @@ name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index 42b71291c36..9ae2286caca 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml 
+++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -2,28 +2,31 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment. -""" +building_block_type = "default" +description = "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.\n" from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Attempted Private Key Access" risk_score = 21 rule_id = "c55badd3-3e61-4292-836f-56209dc8a601" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and @@ -47,6 +50,7 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -64,3 +68,4 @@ reference = "https://attack.mitre.org/techniques/T1552/004/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index 399b4d52f16..8e6fdd61629 100644 
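Review bot: The new side collapses the description into a basic string that ends in an escaped newline, `description = "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.\n"`, while the longer descriptions in the sibling rules of this commit keep the `"""` multi-line form whose trailing newline is implicit. The stored value is the same either way, but the visible `\n` reads as a normalizer artifact and leaves the field written two different ways across the rule set. If short descriptions are meant to be single-line, stripping the trailing newline (or keeping the `"""` form) would be cleaner. The same pattern appears in defense_evasion_cmd_copy_binary_contents.toml and defense_evasion_indirect_command_exec_pcalua_forfiles.toml.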
--- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml @@ -2,28 +2,32 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload. -""" +building_block_type = "default" +description = "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\n" from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Binary Content Copy via Cmd.exe" risk_score = 21 rule_id = "53dedd83-1be7-430f-8026-363256395c8b" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and 
@@ -32,33 +36,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.args : "copy" and process.args : "/b")) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules_building_block/defense_evasion_cmstp_execution.toml b/rules_building_block/defense_evasion_cmstp_execution.toml index a3bc97b3604..75a9ca7c70b 100644 --- a/rules_building_block/defense_evasion_cmstp_execution.toml +++ b/rules_building_block/defense_evasion_cmstp_execution.toml 
@@ -2,32 +2,35 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via CMSTP.exe" -references = [ - "https://attack.mitre.org/techniques/T1218/003/", -] +references = ["https://attack.mitre.org/techniques/T1218/003/"] risk_score = 21 rule_id = "bd3d058d-5405-4cee-b890-337f09366ba2" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -53,3 +56,4 @@ reference = "https://attack.mitre.org/techniques/T1218/003/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml index 77c7aae2fce..e59ad5a89c1 100644 
--- a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml +++ b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. @@ -21,9 +20,15 @@ name = "Archive File with Unusual Extension" risk_score = 21 rule_id = "cffbaf47-9391-4e09-a83c-1f27d7474826" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -49,6 +54,7 @@ file where host.os.type == "windows" and event.action != "deletion" and not (process.executable : "?:\\Windows\\System32\\inetsrv\\w3wp.exe" and file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -61,7 +67,9 @@ name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml index 303f5a25a8e..0e9ddb9fa5b 100644 --- a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code. @@ -21,9 +20,16 @@ name = "Suspicious Communication App Child Process" risk_score = 21 rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -255,7 +261,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" 
@@ -266,16 +271,17 @@ id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -283,6 +289,7 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml index 0e918df3667..8bad6f8fed7 100644 --- a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml +++ b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml @@ -2,20 +2,18 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identify activity related where adversaries can add the 'hidden' flag to files to hide -them from the user in an attempt to evade detection. +Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt +to evade detection. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Hidden Files and Directories via Hidden Flag" 
@@ -23,36 +21,39 @@ risk_score = 21 rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where event.type == "creation" and process.name == "chflags" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml index 35f81a544a6..68d23e22874 100644 --- a/rules_building_block/defense_evasion_dll_hijack.toml +++ b/rules_building_block/defense_evasion_dll_hijack.toml 
@@ -2,29 +2,34 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." -min_stack_version = "8.4.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.library-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Unsigned DLL Loaded by a Trusted Process" risk_score = 21 rule_id = "c20cd758-07b1-46a1-b03f-fa66158258b8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -82,7 +87,6 @@ framework = "MITRE ATT&CK" id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL Search Order Hijacking" @@ -95,8 +99,8 @@ reference = "https://attack.mitre.org/techniques/T1574/002/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
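Review bot: Removing `min_stack_comments` from this rule drops the only record that `dll.Ext.relative_file_creation_time` is populated by Elastic Endpoint 8.4 and above, which is an agent-version prerequisite rather than a stack-version one and so is not implied by the raised stack floor that justifies the other removals. Unlike the boilerplate "New fields added: required_fields, related_integrations, setup" comment deleted from the sibling rules, this one documents a data-source dependency that the comment implies the query relies on, so fleets with older agents would presumably produce no matches without any hint why. Consider carrying it into the rule's `setup` or `note` text, e.g. `note = "This rule relies on dll.Ext.relative_file_creation_time, which Elastic Defend populates from Endpoint 8.4 onward; hosts running older agents will not generate matches."`. The query itself is outside this hunk.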
diff --git a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml index 11d2c403320..79332fc5371 100644 --- a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml +++ b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml @@ -2,27 +2,32 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/09/25" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the execution of DotNet ClickOnce installer via Dfsvc.exe trampoline. Adversaries may take advantage of ClickOnce to proxy execution of malicious payloads via trusted Microsoft processes. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Execution via Microsoft DotNet ClickOnce Host" risk_score = 21 rule_id = "5297b7f1-bccd-4611-93fa-ea342a01ff84" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] -building_block_type = "default" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -35,7 +40,6 @@ sequence by user.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
@@ -45,13 +49,15 @@ reference = "https://attack.mitre.org/techniques/T1127/" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + - [[rule.threat.technique.subtechnique]] - id = "T1218.011" - name = "Rundll32" - reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml index 1a64a5acfab..0e65e8b4c34 100644 --- a/rules_building_block/defense_evasion_download_susp_extension.toml +++ b/rules_building_block/defense_evasion_download_susp_extension.toml 
@@ -2,32 +2,38 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution. +Identifies unusual files downloaded from outside the local network that have the potential to be abused for code +execution. """ -references = [ - "https://x.com/Laughing_Mantis/status/1518766501385318406", - "https://wikileaks.org/ciav7p1/cms/page_13763375.html" -] from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.file-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "File with Suspicious Extension Downloaded" +references = [ + "https://x.com/Laughing_Mantis/status/1518766501385318406", + "https://wikileaks.org/ciav7p1/cms/page_13763375.html", +] risk_score = 21 rule_id = "8d366588-cbd6-43ba-95b4-0971c3f906e5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' file where host.os.type == "windows" and event.type == "creation" and 
@@ -55,17 +61,16 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" - [[rule.threat.technique]] - name = "System Binary Proxy Execution" - id = "T1218" - reference = "https://attack.mitre.org/techniques/T1218/" - - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml index 2233ab0f34b..2eecbdb9c35 100644 --- a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml +++ b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml 
@@ -2,33 +2,39 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the execution of a command via Microsoft Visual Studio Pre or Post build events. Adversaries may backdoor a trusted visual studio project to execute a malicious command during the project build process. """ -references = [ - "https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022", - "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html", - "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx" -] from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Execution via MS VisualStudio Pre/Post Build Events" +references = [ + "https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html", + "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx", +] risk_score = 21 rule_id = "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"] 
-building_block_type = "default" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -94,3 +100,4 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/defense_evasion_file_permission_modification.toml b/rules_building_block/defense_evasion_file_permission_modification.toml index 11a0e1a7646..f58bdff58c1 100644 --- a/rules_building_block/defense_evasion_file_permission_modification.toml +++ b/rules_building_block/defense_evasion_file_permission_modification.toml @@ -2,28 +2,33 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the change of permissions/ownership of files/folders through built-in Windows utilities. Threat actors may require permission modification of files/folders to change, modify or delete them. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "File and Directory Permissions Modification" risk_score = 21 rule_id = "bc9e4f5a-e263-4213-a2ac-1edf9b417ada" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -46,14 +51,15 @@ framework = "MITRE ATT&CK" id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [[rule.threat.technique.subtechnique]] id = "T1222.001" name = "Windows File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml index 548a7d4d0f2..845c9e5546e 100644 --- a/rules_building_block/defense_evasion_generic_deletion.toml +++ b/rules_building_block/defense_evasion_generic_deletion.toml 
@@ -2,28 +2,33 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "File or Directory Deletion Command" risk_score = 21 rule_id = "5919988c-29e1-4908-83aa-1f087a838f63" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -47,7 +52,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" @@ -57,7 +61,10 @@ id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml index 360c17149f0..1b0edce3efc 100644 --- a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml 
+++ b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml @@ -2,27 +2,37 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe. -""" +building_block_type = "default" +description = "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\n" from = "now-119m" +index = [ + "logs-endpoint.events.process-*", + "logs-system.security*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", +] interval = "60m" -index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Indirect Command Execution via Forfiles/Pcalua" risk_score = 21 rule_id = "98843d35-645e-4e66-9d6a-5049acd96ce1" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -43,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1202/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml index 92008c11f4b..6d1c96172e8 100644 
--- a/rules_building_block/defense_evasion_injection_from_msoffice.toml +++ b/rules_building_block/defense_evasion_injection_from_msoffice.toml @@ -2,29 +2,36 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual process arguments and path. This behavior is often observed during exploitation of Office applications or from documents with malicious macros. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Process Injection from Malicious Document" risk_score = 21 rule_id = "1c5a04ae-d034-41bf-b0d8-96439b5cc774" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -42,6 +49,7 @@ process where host.os.type == "windows" and event.action == "start" and "?:\\Windows\\System32\\notepad.exe") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -49,12 +57,11 @@ id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -62,12 +69,11 @@ id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -79,7 +85,10 @@ id = "T1566.001"
 name = "Spearphishing Attachment"
 reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules_building_block/defense_evasion_installutil_command_activity.toml b/rules_building_block/defense_evasion_installutil_command_activity.toml
index cca9b3bca2a..18335f50a09 100644
--- a/rules_building_block/defense_evasion_installutil_command_activity.toml
+++ b/rules_building_block/defense_evasion_installutil_command_activity.toml
@@ -2,29 +2,41 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility. """ from = "now-119m" +index = [ + "logs-endpoint.events.process-*", + "logs-system.security*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", +] interval = "60m" -index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "InstallUtil Activity" risk_score = 21 rule_id = "90babaa8-5216-4568-992d-d4a01a105d98" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -50,3 +62,4 @@ reference = "https://attack.mitre.org/techniques/T1218/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml index 1ab179118ab..2017bffb2fb 100644 --- a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml 
+++ b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml @@ -2,28 +2,33 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a signed binary. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.library-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Image Loaded with Invalid Signature" risk_score = 21 rule_id = "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -36,20 +41,22 @@ library where host.os.type == "windows" and event.action == "load" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_masquerading_browsers.toml b/rules_building_block/defense_evasion_masquerading_browsers.toml index 3f033afb308..05eab7af329 100644 
--- a/rules_building_block/defense_evasion_masquerading_browsers.toml +++ b/rules_building_block/defense_evasion_masquerading_browsers.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/02" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into @@ -22,9 +21,16 @@ name = "Potential Masquerading as Browser Process" risk_score = 21 rule_id = "5b9eb30f-87d6-45f4-9289-2bf2024f0376" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -159,7 +165,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -171,11 +176,11 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -183,6 +188,7 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml index 0e92d42bad7..7df37c1057b 100644 --- a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml +++ b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml @@ -2,28 +2,33 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the creation or modification of an executable file with an unexpected file extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.file-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Executable File with Unusual Extension" risk_score = 21 rule_id = "ecd4857b-5bac-455e-a7c9-a88b66e56a9e" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -59,7 +64,9 @@ name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml index 719e094cd04..a27d7831770 100644 --- a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/09" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate @@ -22,9 +21,16 @@ name = "Potential Masquerading as VLC DLL" risk_score = 21 rule_id = "4494c14f-5ff8-4ed2-8e99-bf816a1642fc" severity = "low" -tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -43,7 +49,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -55,12 +60,11 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -68,6 +72,7 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml index 3cd09f3fdf8..41bd9f17d9d 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." -min_stack_version = "8.4.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign 
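Review bot: Dropping `min_stack_version = "8.4.0"` in the windows_dll hunk also discards the only statement that `dll.Ext.relative_file_creation_time` is populated by Elastic Endpoint 8.4 and above, and nothing on the new side carries that dependency forward. The stack floor moving to 8.9 makes the version pin redundant, but the Endpoint integration version is a separate requirement that operators running older agents can still hit, so I would keep one sentence about it in the rule's setup text, or a `# NOTE: dll.Ext.relative_file_creation_time requires Elastic Endpoint 8.4+` comment, if the generator preserves either. The query that reads the field is outside this hunk, so the dependency is inferred from the removed comment alone.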
@@ -22,9 +21,16 @@ name = "Potential Masquerading as System32 DLL"
 risk_score = 21
 rule_id = "fb01d790-9f74-4e76-97dd-b4b0f7bf6435"
 severity = "low"
-tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"]
+tags = [
+ "Domain: Endpoint",
+ "Data Source: Elastic Defend",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Persistence",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 query = '''
@@ -106,7 +112,6 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
@@ -117,11 +122,11 @@ id = "T1036.005"
 name = "Match Legitimate Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1574.001"
 name = "DLL Search Order Hijacking"
@@ -133,12 +138,11 @@ name = "DLL Side-Loading"
 reference = "https://attack.mitre.org/techniques/T1574/002/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -146,6 +150,7 @@ id = "T1554"
 name = "Compromise Client Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
index 803b5fea69f..bed9eb79637 100644
--- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
+++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml @@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/20" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables. @@ -21,9 +20,16 @@ name = "Potential Masquerading as System32 Executable" risk_score = 21 rule_id = "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47" severity = "low" -tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -80,7 +86,6 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -91,12 +96,12 @@ id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -104,6 +109,7 @@ id = "T1554"
 name = "Compromise Client Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
index 87018026368..a29c08022bc 100644
--- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
+++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
@@ -2,31 +2,41 @@
 creation_date = "2023/09/26"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/04/05"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
-Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual
-parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.
+Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an
+unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.
 """
-references = [
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd"
-]
 from = "now-119m"
+index = [
+ "logs-endpoint.events.process-*",
+ "logs-system.security*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*",
+]
 interval = "60m"
-index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Troubleshooting Pack Cabinet Execution"
+references = ["https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd"]
 risk_score = 21
 rule_id = "808291d3-e918-4a3a-86cd-73052a0c9bdc"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 query = '''
@@ -48,13 +58,14 @@ process where host.os.type == "windows" and event.action == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
- [[rule.threat.technique]]
- name = "System Binary Proxy Execution"
- id = "T1218"
- reference = "https://attack.mitre.org/techniques/T1218/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml b/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml
index 8ee273efc40..1a910a7c360 100644
--- a/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml
+++ b/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml
@@ -2,30 +2,33 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/09/26" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the execution of an installer from an archive or with suspicious properties. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files in an attempt to bypass application whitelisting. """ -references = [ - "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/" -] from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Windows Installer with Suspicious Properties" +references = ["https://lolbas-project.github.io/lolbas/Binaries/Msiexec/"] risk_score = 21 rule_id = "55f07d1b-25bc-4a0f-aa0c-05323c1319d0" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] -building_block_type = "default" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] type = "eql" query = ''' @@ -63,3 +66,4 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml index e0133519df6..c5e63bbb893 100644 --- a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml +++ b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml 
@@ -2,20 +2,18 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = """
-Identify instances where adversaries include trailing space characters to mimic regular files, disguising their
-activity to evade default file handling mechanisms.
+Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity
+to evade default file handling mechanisms.
 """
 from = "now-119m"
-interval = "60m"
 index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Processes with Trailing Spaces"
@@ -23,37 +21,40 @@ risk_score = 21 rule_id = "0c093569-dff9-42b6-87b1-0242d9f7d9b4" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name : "* " ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.006" name = "Space after Filename" reference = "https://attack.mitre.org/techniques/T1036/006/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_service_disabled_registry.toml b/rules_building_block/defense_evasion_service_disabled_registry.toml index f822fdc3a3a..c1f1d49dab7 100644 --- a/rules_building_block/defense_evasion_service_disabled_registry.toml +++ b/rules_building_block/defense_evasion_service_disabled_registry.toml 
@@ -2,19 +2,18 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies attempts to modify services start settings using processes other than services.exe. Attackers may attempt to modify security and monitoring services to avoid detection or delay response. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.registry-*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Service Disabled via Registry Modification" @@ -28,10 +27,9 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR" + "Rule Type: BBR", ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -60,7 +58,6 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -73,3 +70,4 @@ reference = "https://attack.mitre.org/techniques/T1489/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml index 3dbc25b09d7..7dbda2f6f28 100644 --- a/rules_building_block/defense_evasion_service_path_registry.toml +++ b/rules_building_block/defense_evasion_service_path_registry.toml 
@@ -2,19 +2,18 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.registry-*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Service Path Modification" @@ -28,10 +27,9 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR" + "Rule Type: BBR", ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -62,29 +60,25 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique.subtechnique]] - id = "T1543.003" - name = "Windows Service" - reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
@@ -100,3 +94,4 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index c26ac369c4f..2cb09abc8f5 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml +++ b/rules_building_block/defense_evasion_services_exe_path.toml @@ -2,19 +2,18 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Service Path Modification via sc.exe" @@ -28,10 +27,9 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR" + "Rule Type: BBR", ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -52,29 +50,25 @@ reference = "https://attack.mitre.org/techniques/T1112/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique.subtechnique]]
+id = "T1543.003"
+name = "Windows Service"
+reference = "https://attack.mitre.org/techniques/T1543/003/"
- [[rule.threat.technique.subtechnique]]
- id = "T1543.003"
- name = "Windows Service"
- reference = "https://attack.mitre.org/techniques/T1543/003/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
@@ -90,3 +84,4 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
index 6625b9806cd..c5f71c75d33 100644
--- a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
+++ b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
@@ -2,32 +2,38 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from usual paths or parent process. Adversaries may abuse msiexec.exe to launch malicious local MSI files. """ -references = [ - "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", - "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/" -] from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Suspicious Execution via MSIEXEC" +references = [ + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", + "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/", +] risk_score = 21 rule_id = "708c9d92-22a3-4fe0-b6b9-1f861c55502d" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -79,3 +85,4 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules_building_block/defense_evasion_unsigned_bits_client.toml b/rules_building_block/defense_evasion_unsigned_bits_client.toml index 36adfe503fe..84012c3b2d4 100644 --- a/rules_building_block/defense_evasion_unsigned_bits_client.toml +++ b/rules_building_block/defense_evasion_unsigned_bits_client.toml @@ -2,32 +2,37 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies an unsigned Windows Background Intelligent Transfer Service (BITS) client process. Attackers may abuse BITS functionality to download or upload data using the BITS service. """ -references = [ - "https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", - "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" -] from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.library-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Unsigned BITS Service Client Process" +references = [ + "https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", + "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2", +] risk_score = 21 rule_id = "9a3884d0-282d-45ea-86ce-b9c81100f026" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -39,23 +44,24 @@ not process.code_signature.status : ("errorExpired", "errorCode_endpoint*") [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1197" -name = "BITS Jobs" -reference = "https://attack.mitre.org/techniques/T1197/" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" +[[rule.threat.technique]] +id = "T1197" +name = "BITS Jobs" +reference = "https://attack.mitre.org/techniques/T1197/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_unusual_process_extension.toml b/rules_building_block/defense_evasion_unusual_process_extension.toml index 695bf5aea5f..62072e9e4ed 100644 --- a/rules_building_block/defense_evasion_unusual_process_extension.toml +++ b/rules_building_block/defense_evasion_unusual_process_extension.toml 
@@ -2,28 +2,31 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Identifies processes running with unusual extensions that are not typically valid for Windows executables. -""" +building_block_type = "default" +description = "Identifies processes running with unusual extensions that are not typically valid for Windows executables.\n" from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Unusual Process Extension" risk_score = 21 rule_id = "800e01be-a7a4-46d0-8de9-69f3c9582b44" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and @@ -57,19 +60,22 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.008" name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
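Review bot: The rewritten `description` in `defense_evasion_unusual_process_extension.toml` is now a one-line basic string with an escaped newline, `description = "Identifies processes running with unusual extensions that are not typically valid for Windows executables.\n"`, whereas every other rule in this commit keeps the `"""` multi-line literal form. The value is unchanged (the multi-line form also ended in a newline), but the embedded `\n` is easy to miss in review and the trailing newline is no longer visible as a separate line. The same collapse appears in `defense_evasion_unusual_process_path_wbem.toml`. If the writer picks the form by content length, as the hunk suggests, it would be more uniform to always emit the three-line `"""` form for `description`, as the file had before.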
diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml index 2337423bd21..b65efa3547c 100644 --- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml +++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml @@ -2,28 +2,38 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] -description = """ -Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes. -""" +building_block_type = "default" +description = "Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.\n" from = "now-119m" +index = [ + "logs-endpoint.events.process-*", + "logs-system.security*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", +] interval = "60m" -index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Unusual Process Execution on WBEM Path" risk_score = 21 rule_id = "1f460f12-a3cf-4105-9ebb-f788cc63f365" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and 
@@ -41,6 +51,7 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,7 +59,9 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index ddd47f1ea76..09e5dd121c7 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -2,12 +2,11 @@ creation_date = "2023/08/15" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated @@ -16,11 +15,16 @@ compromised accounts additional rights, ultimately compromising the target objec lateral movement, and persistence. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-system.security*", "logs-windows.*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "WRITEDAC Access on Active Directory Object" +references = [ + "https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf", +] +risk_score = 21 +rule_id = "f5861570-e39a-4b8a-9259-abd39f84cb97" setup = """## Setup The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). 
@@ -37,35 +41,38 @@ DS Access > Audit Directory Service Access (Success,Failure) ``` """ -references = [ - "https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf" -] -risk_score = 21 -rule_id = "f5861570-e39a-4b8a-9259-abd39f84cb97" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' host.os.type: "windows" and event.action : ("Directory Service Access" or "object-operation-performed") and event.code : "4662" and winlog.event_data.AccessMask:"0x40000" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1222" -reference = "https://attack.mitre.org/techniques/T1222/" name = "File and Directory Permissions Modification" - +reference = "https://attack.mitre.org/techniques/T1222/" [[rule.threat.technique.subtechnique]] id = "T1222.001" name = "Windows File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml index 305f6b593bf..ff88b1d331f 100644 --- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml 
@@ -1,17 +1,15 @@ [metadata] +bypass_bbr_timing = true creation_date = "2022/11/01" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows +Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell. """ from = "now-9m" @@ -57,15 +55,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" @@ -75,9 +74,9 @@ process where host.os.type == "windows" and event.type == "start" and not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" 
@@ -88,25 +87,26 @@ id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index 2b0ab58fa5a..eb8dadcd502 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -22,13 +20,14 @@ name = "Windows Account or Group Discovery" risk_score = 21 rule_id = "089db1af-740d-4d84-9a5b-babd6de143b0" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" 
@@ -62,14 +61,13 @@ process where host.os.type == "windows" and event.type == "start" and and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -80,16 +78,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" -[[rule.threat.technique]] -id = "T1201" -name = "Password Policy Discovery" -reference = "https://attack.mitre.org/techniques/T1201/" [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" - [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -100,7 +93,15 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" + +[[rule.threat.technique]] +id = "T1201" +name = "Password Policy Discovery" +reference = "https://attack.mitre.org/techniques/T1201/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml index d56783275ec..bafbf1c8680 100644 --- a/rules_building_block/discovery_generic_process_discovery.toml +++ b/rules_building_block/discovery_generic_process_discovery.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -15,21 +13,28 @@ This rule identifies the execution of commands that can be used to enumerate run enumerate processes to identify installed applications and security solutions. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] +index = [ + "logs-endpoint.events.process-*", + "logs-system.security*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", +] language = "eql" license = "Elastic License v2" name = "Process Discovery Using Built-in Tools" risk_score = 21 rule_id = "4982ac3e-d0ee-4818-b95d-d9522d689259" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" @@ -44,15 +49,17 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : "S-1-5-18" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index d645ef76a6e..cfe2edba2ae 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml 
@@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -23,13 +21,14 @@ name = "Query Registry using Built-in Tools" risk_score = 21 rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -54,14 +53,15 @@ host.os.type:windows and event.category:process and event.type:start and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -70,7 +70,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules_building_block/discovery_hosts_file_access.toml b/rules_building_block/discovery_hosts_file_access.toml index 74bee070950..8a3177bf266 100644 --- a/rules_building_block/discovery_hosts_file_access.toml +++ b/rules_building_block/discovery_hosts_file_access.toml 
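Review bot: The last hunk of `discovery_generic_registry_query.toml` appends two empty lines after `value = "now-7d"` (the trailing `+` `+` lines), leaving a double blank line at end of file; the other new_terms rules in this commit (`discovery_internet_capabilities.toml`, `discovery_kernel_module_enumeration_via_proc.toml`, `discovery_linux_modprobe_enumeration.toml`, `discovery_linux_sysctl_enumeration.toml`) receive the same trailing pair, while the eql rules end with a single one. This looks like serializer output for the `[rule.new_terms]` table rather than a hand edit, so the place to fix it is the writer that emits the trailing separator, not the rule files. A single trailing newline keeps the rule files uniform and avoids a second round of whitespace-only diffs when an editor or pre-commit hook strips the extra line.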
@@ -2,9 +2,7 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,8 +12,8 @@ Identifies the use of built-in tools to read the contents of \\etc\\hosts on a l to discover remote machines in an environment that may be used for Lateral Movement from the current system. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "System Hosts File Access" @@ -23,32 +21,35 @@ risk_score = 21 rule_id = "f75f65cf-ed04-48df-a7ff-b02a8bfe636e" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("vi", "nano", "cat", "more", "less") and process.args == "/etc/hosts" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index e518e8a81f3..2ae9e761e72 100644 --- a/rules_building_block/discovery_internet_capabilities.toml +++ b/rules_building_block/discovery_internet_capabilities.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/01/11" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -23,13 +21,14 @@ name = "Discovery of Internet Capabilities via Built-in Tools" risk_score = 21 rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -39,19 +38,20 @@ process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "::1") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" 
@@ -60,7 +60,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.command_line"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml index d351ec77fd9..00a0f082ba3 100644 --- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml +++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml @@ -2,17 +2,16 @@ creation_date = "2020/04/12" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate -information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as -lsmod and kmod to list the available kernel modules. +information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod +and kmod to list the available kernel modules. """ false_positives = [ """ @@ -21,8 +20,8 @@ false_positives = [ """, ] from = "now-119m" -interval = "60m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "Enumeration of Kernel Modules via Proc" 
@@ -47,28 +46,29 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR" - ] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "new_terms" -building_block_type = "default" + query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules" and not process.name:(grep or python* or chef-client) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -77,7 +77,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml index e5867834327..05b04fa4b07 100644 --- a/rules_building_block/discovery_linux_modprobe_enumeration.toml +++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml 
@@ -2,21 +2,20 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or +Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized -kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the +kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system. """ from = "now-119m" -interval = "60m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "Suspicious Modprobe File Event" @@ -46,15 +45,15 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR" - ] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "new_terms" -building_block_type = "default" + query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and not process.name:( 
@@ -63,14 +62,15 @@ file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -79,7 +79,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml index e02b8d69775..f01834a9931 100644 --- a/rules_building_block/discovery_linux_sysctl_enumeration.toml +++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml 
@@ -2,20 +2,19 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential -unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl +Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential +unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security. """ from = "now-119m" -interval = "60m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "Suspicious Sysctl File Event" @@ -46,15 +45,15 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR" - ] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "new_terms" -building_block_type = "default" + query = ''' host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not process.name:( 
@@ -62,14 +61,15 @@ file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not p ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -78,7 +78,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/discovery_linux_system_information_discovery.toml b/rules_building_block/discovery_linux_system_information_discovery.toml index af04ae90db5..431c60f4301 100644 --- a/rules_building_block/discovery_linux_system_information_discovery.toml +++ b/rules_building_block/discovery_linux_system_information_discovery.toml @@ -2,17 +2,15 @@ creation_date = "2023/07/10" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = "Enrich process events with uname and other command lines that imply Linux system information discovery." from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Linux System Information Discovery" 
@@ -20,17 +18,18 @@ risk_score = 21 rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( process.name: "uname" or ( @@ -39,15 +38,17 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_linux_system_owner_user_discovery.toml b/rules_building_block/discovery_linux_system_owner_user_discovery.toml index 461660560f7..2e2c8d3def8 100644 --- a/rules_building_block/discovery_linux_system_owner_user_discovery.toml +++ b/rules_building_block/discovery_linux_system_owner_user_discovery.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/10" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -14,8 +12,8 @@ Identifies the use of built-in tools which adversaries may use to enumerate the system. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "System Owner/User Discovery Linux" @@ -23,25 +21,26 @@ risk_score = 21 rule_id = "bf8c007c-7dee-4842-8e9a-ee534c09d205" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name : ("whoami", "w", "who", "users", "id") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" @@ -52,7 +51,9 @@ id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index 1a9085fe98c..dff948bf5ad 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml 
@@ -2,28 +2,33 @@ creation_date = "2023/07/14" integration = ["windows", "system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Network Share Discovery" risk_score = 21 rule_id = "b2318c71-5959-469a-a3ce-3a0768e63b9c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Rule Type: BBR", +] type = "eql" -building_block_type = "default" query = ''' sequence by user.name, source.port, source.ip with maxspan=15s @@ -35,6 +40,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -42,19 +48,19 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" + [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml index c07a155965b..10e11ec992a 100644 --- a/rules_building_block/discovery_net_view.toml +++ b/rules_building_block/discovery_net_view.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -55,16 +53,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" 
@@ -86,9 +85,9 @@ process where host.os.type == "windows" and event.type == "start" and */ ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -99,20 +98,19 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" + [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml index eb07c9ed3c6..534e6b19c1c 100644 --- a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml +++ b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml @@ -2,19 +2,15 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Adversaries may use built-in applications to get a listing of local system or domain accounts and groups. -""" +description = "Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.\n" from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Account or Group Discovery via Built-In Tools" 
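Review bot: The reflowed `description = "Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.\n"` in the discovery_of_accounts_or_groups_via_builtin_tools.toml hunk keeps a literal `\n` escape at the end of a single-line basic string, an artifact of collapsing the former `"""` block. The other single-line descriptions in this commit carry no trailing newline, for example `description = "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint."` in discovery_process_discovery_via_builtin_tools.toml. Either drop the `\n` or keep the block form so the rendered description is consistent across rules; if the formatter produced this automatically, it is worth fixing there rather than by hand.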
@@ -22,18 +18,19 @@ risk_score = 21 rule_id = "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( (process.name in ("groups", "id")) or @@ -44,14 +41,13 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -62,11 +58,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" + [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" - [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -77,7 +73,10 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml index fc2e465b263..6a1122dd0d6 100644 --- a/rules_building_block/discovery_of_domain_groups.toml +++ b/rules_building_block/discovery_of_domain_groups.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,8 +12,8 @@ Identifies the execution of Linux built-in commands related to account or group and group information to orient themselves before deciding how to act. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Discovery of Domain Groups" @@ -23,17 +21,18 @@ risk_score = 21 rule_id = "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -41,15 +40,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml index ff9a476a59b..717f91f01be 100644 --- a/rules_building_block/discovery_posh_password_policy.toml +++ b/rules_building_block/discovery_posh_password_policy.toml @@ -2,19 +2,18 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.powershell*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Password Policy Discovery Capabilities" @@ -39,10 +38,17 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category: "process" and host.os.type:windows and @@ -92,12 +98,11 @@ id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
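Review bot: The description kept as context in the first hunk, `Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.`, does not describe this rule, whose name is `PowerShell Script with Password Policy Discovery Capabilities` and whose mapped technique is T1201 Password Policy Discovery; it reads as copied from a WinRM lateral-movement rule. Since this commit already rewrites the metadata block and bumps `updated_date`, the description should be corrected in the same change, along the lines of `Identifies PowerShell scripts that use cmdlets or .NET methods capable of enumerating the local or domain password policy, information adversaries may gather before credential-access attempts.` The query body is outside these hunks, so word the replacement against what the query actually matches.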
diff --git a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml index e43887f6438..ca94235feb2 100644 --- a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2020/09/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -64,14 +62,15 @@ references = [ risk_score = 21 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" @@ -131,25 +130,27 @@ network where host.os.type == "windows" and network.protocol == "dns" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" + [[rule.threat.technique]] id = "T1614" name = "System Location Discovery" reference = "https://attack.mitre.org/techniques/T1614/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml index d6dc62b89ea..8b6be1ce1e2 100644 --- a/rules_building_block/discovery_potential_memory_seeking_activity.toml +++ b/rules_building_block/discovery_potential_memory_seeking_activity.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -24,16 +22,17 @@ risk_score = 21 rule_id = "035a6f21-4092-471d-9cda-9e379f459b1e" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( (process.name == "tail" and process.args == "-c") or @@ -43,15 +42,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml index 8b30470080a..d3826371012 100644 
--- a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml +++ b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml @@ -2,17 +2,15 @@ creation_date = "2023/07/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint." from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Process Discovery via Built-In Applications" @@ -20,17 +18,18 @@ risk_score = 21 rule_id = "3f4d7734-2151-4481-b394-09d7c6c91f75" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( "ps", "pstree", "htop", "pgrep" @@ -38,9 +37,9 @@ process where event.type == "start" and event.action in ("exec", "exec_event") a not process.parent.name in ("amazon-ssm-agent", "snap") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" 
@@ -50,13 +49,15 @@ reference = "https://attack.mitre.org/techniques/T1057/" id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 4fbf67eccde..b7e1e6414dd 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -55,15 +53,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" 
@@ -91,9 +90,9 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" @@ -104,7 +103,9 @@ id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml index 7811c935fe8..42a76b8cd84 100644 --- a/rules_building_block/discovery_security_software_wmic.toml +++ b/rules_building_block/discovery_security_software_wmic.toml @@ -1,20 +1,25 @@ [metadata] +bypass_bbr_timing = true creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "Security Software Discovery using WMIC" 
@@ -57,17 +62,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -76,32 +81,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" + + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules_building_block/discovery_signal_unusual_user_host.toml b/rules_building_block/discovery_signal_unusual_user_host.toml index 5c46f340044..6697231b3ee 100644 --- a/rules_building_block/discovery_signal_unusual_user_host.toml +++ b/rules_building_block/discovery_signal_unusual_user_host.toml 
@@ -1,10 +1,8 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/10" maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/10/10" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -21,14 +19,16 @@ name = "Unusual Discovery Activity by User" risk_score = 21 rule_id = "cf575427-0839-4c69-a9e6-99fde02606f3" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: Higher-Order Rule" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: Higher-Order Rule", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or @@ -39,6 +39,7 @@ host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -50,7 +51,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/discovery_suspicious_memory_grep_activity.toml b/rules_building_block/discovery_suspicious_memory_grep_activity.toml index 238e3a74056..e5e09b92269 100644 --- a/rules_building_block/discovery_suspicious_memory_grep_activity.toml +++ b/rules_building_block/discovery_suspicious_memory_grep_activity.toml 
@@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/02/05" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -13,7 +11,7 @@ building_block_type = "default" description = """ Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may -read a process's memory map to identify memory addresses for code injection or process hijacking. +read a process's memory map to identify memory addresses for code injection or process hijacking. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -25,30 +23,33 @@ risk_score = 21 rule_id = "d74d6506-427a-4790-b170-0c2a6ddac799" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack]", "[vdso]", "[heap]") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules_building_block/discovery_suspicious_proc_enumeration.toml b/rules_building_block/discovery_suspicious_proc_enumeration.toml
index 58422eaadf7..5416dfa0a22 100644
--- a/rules_building_block/discovery_suspicious_proc_enumeration.toml
+++ b/rules_building_block/discovery_suspicious_proc_enumeration.toml
@@ -2,20 +2,19 @@
 creation_date = "2023/06/09"
 integration = ["auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2024/02/19"
+updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
-This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal
-activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about
-running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.
+This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal
+activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about
+running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.
 """
 from = "now-119m"
-interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
+interval = "60m"
 language = "kuery"
 license = "Elastic License v2"
 name = "Suspicious Proc Pseudo File System Enumeration"
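Review bot: The description reflowed in this hunk still states the rule fires on `25 different proc cmd, stat, and exe files`, while the threshold hunk further down in this file keeps `[[rule.threshold.cardinality]]` on `file.path` at `value = 100`, so the prose and the configured trigger disagree. Since the description lines are touched here anyway, align them: if 100 is the intended cardinality, change the first line to `This rule monitors for a rapid enumeration of 100 different proc cmd, stat, and exe files, which suggests an abnormal`; if 25 is intended, change the threshold's `value = 100` to `value = 25` instead. The mismatch matters for analysts tuning the rule, because the documented sensitivity is four times tighter than the one actually enforced.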
@@ -47,12 +46,12 @@ tags = [ "Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR" - ] + "Tactic: Discovery", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "threshold" -building_block_type = "default" + query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : ( @@ -60,9 +59,9 @@ file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.nam ) and not process.parent.pid : 1 ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" @@ -73,6 +72,7 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -81,7 +81,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.threshold] field = ["host.id", "process.pid", "process.name"] value = 1 - [[rule.threshold.cardinality]] field = "file.path" value = 100 + + diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml index 8445acfedac..146fae92b45 100644 --- a/rules_building_block/discovery_system_network_connections.toml +++ b/rules_building_block/discovery_system_network_connections.toml 
@@ -2,17 +2,15 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = "Adversaries may attempt to get a listing of network connections to or from a compromised system." from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "System Network Connections Discovery" @@ -20,32 +18,35 @@ risk_score = 21 rule_id = "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("netstat", "lsof", "who", "w") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = "https://attack.mitre.org/techniques/T1049/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml index e558d25c5d3..284105bfc7c 100644 
--- a/rules_building_block/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml @@ -1,35 +1,41 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = """ -Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase -after compromising a system in order to gain a better understanding of the environment and/or escalate privileges. +Detects the usage of commonly used system service discovery techniques, which attackers may use during the +reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or +escalate privileges. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "System Service Discovery through built-in Windows Utilities" risk_score = 21 rule_id = "e0881d20-54ac-457f-8733-fe0bc5d44c55" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" 
@@ -44,15 +50,17 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : "S-1-5-18" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" reference = "https://attack.mitre.org/techniques/T1007/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml index 7f57882ce99..537fc9d8ae6 100644 --- a/rules_building_block/discovery_system_time_discovery.toml +++ b/rules_building_block/discovery_system_time_discovery.toml 
@@ -1,35 +1,40 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = """ Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance -phase after compromising a system. +phase after compromising a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] language = "eql" license = "Elastic License v2" name = "System Time Discovery" risk_score = 21 rule_id = "06568a02-af29-4f20-929c-f3af281e41aa" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" @@ -45,15 +50,17 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1124" name = "System Time Discovery" reference = "https://attack.mitre.org/techniques/T1124/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index 318357b4d7d..dc1f9d25751 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml @@ -1,18 +1,17 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may -attempt to get a listing of network connections to or from a compromised system to identify targets within an environment. +attempt to get a listing of network connections to or from a compromised system to identify targets within an +environment. """ from = "now-9m" index = ["logs-endpoint.events.process-*"] @@ -22,13 +21,14 @@ name = "Windows System Network Connections Discovery" risk_score = 21 rule_id = "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" @@ -49,9 +49,9 @@ process where event.type == "start" and ) and not user.id : "S-1-5-18" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" 
@@ -62,7 +62,9 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index 0cd59156c58..3116404c902 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows", "endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -22,13 +20,15 @@ name = "Windows System Information Discovery" risk_score = 21 rule_id = "51176ed2-2d90-49f2-9f3d-17196428b169" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" @@ -52,15 +52,17 @@ process.parent.executable : ( ) and not user.id : "S-1-5-18" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml index 411b406a4b8..cc3256581ed 100644 --- a/rules_building_block/execution_github_new_event_action_for_pat.toml +++ b/rules_building_block/execution_github_new_event_action_for_pat.toml @@ -3,16 +3,12 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days. -""" +description = "Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -21,13 +17,14 @@ name = "First Occurrence GitHub Event for a Personal Access Token (PAT)" risk_score = 21 rule_id = "ce08b55a-f67d-4804-92b5-617b0fe5a5b5" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -37,6 +34,7 @@ event.action:* and github.hashed_token:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
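Review bot: The description in the first hunk is rewritten as a one-line basic string that carries an escaped newline (`description = "Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.\n"`), which keeps the old multi-line value byte-for-byte but reads as a formatter artifact that the next editor will take for a typo. The same `\n` form appears in execution_github_new_repo_interaction_for_pat.toml, execution_github_new_repo_interaction_for_user.toml, execution_github_repo_created.toml, execution_github_repo_interaction_from_new_ip.toml (where the line also runs well past 120 columns), impact_github_member_removed_from_organization.toml and impact_github_pat_access_revoked.toml. Presumably the newline is kept so the rule's stored contents stay identical; if that is deliberate, the `"""` multi-line form expresses it more plainly, and if not, the `\n` should be dropped so the value change can be reviewed on its own.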
@@ -50,11 +48,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "event.action"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml index 98e6201bbf5..f8c429ed7cb 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml @@ -3,16 +3,12 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days. -""" +description = "Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -21,13 +17,14 @@ name = "First Occurrence of Private Repo Event from Specific GitHub Personal Acc risk_score = 21 rule_id = "1e9b271c-8caa-4e20-aed8-e91e34de9283" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" 
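Review bot: Removing `min_stack_comments = "New fields added to GitHub Integration"` together with `min_stack_version = "8.8.0"` in the metadata hunk of execution_github_new_repo_interaction_for_pat.toml discards the only in-file record that this rule's `github.hashed_token` and `github.programmatic_access_type` terms depend on integration fields introduced in 8.8; the floor now survives only implicitly in the lock-versions branch list, which the same change narrows to 8.9 and later. The first hunks of execution_github_new_event_action_for_pat.toml and execution_github_repo_interaction_from_new_ip.toml lose the same note. If the metadata schema accepts `min_stack_comments` without a `min_stack_version`, a retained one-liner such as `min_stack_comments = "Requires github.hashed_token and github.programmatic_access_type (GitHub integration fields from 8.8)"` would keep the dependency visible to anyone backporting these rules; otherwise the dependency is worth stating in the commit message.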
@@ -38,6 +35,7 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal github.repository_public:false ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -51,11 +49,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.repo"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml index 9f900204215..eeb3716928a 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml @@ -3,16 +3,12 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2023/12/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects a new private repo interaction for a GitHub user not seen in the last 14 days. -""" +description = "Detects a new private repo interaction for a GitHub user not seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -21,13 +17,14 @@ name = "First Occurrence of GitHub User Interaction with Private Repo" risk_score = 21 rule_id = "01c49712-25bc-49d2-a27d-d7ce52f5dc49" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -37,6 +34,7 @@ github.repo:* and user.name:* and github.repository_public:false ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -50,11 +48,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.repo"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml index c10de1f2ea0..e8232137bfa 100644 --- a/rules_building_block/execution_github_repo_created.toml +++ b/rules_building_block/execution_github_repo_created.toml @@ -3,16 +3,12 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/14" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -A new GitHub repository was created. -""" +description = "A new GitHub repository was created.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" 
@@ -21,13 +17,14 @@ name = "GitHub Repo Created" risk_score = 21 rule_id = "6cea88e4-6ce2-4238-9981-a54c140d6336" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" @@ -35,6 +32,7 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "repo.create" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -47,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1648/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml index a9b685231e8..52daf9d6e29 100644 --- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml +++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days. -""" +description = "Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -21,13 +17,14 @@ name = "First Occurrence of GitHub Repo Interaction From a New IP" risk_score = 21 rule_id = "0294f105-d7af-4a02-ae90-35f56763ffa2" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -37,6 +34,7 @@ github.actor_ip:* and github.repo:* and github.repository_public:false ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -50,11 +48,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["github.repo", "github.actor_ip"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/execution_linux_segfault.toml b/rules_building_block/execution_linux_segfault.toml index 052ee041024..e1d006ca679 100644 --- a/rules_building_block/execution_linux_segfault.toml +++ b/rules_building_block/execution_linux_segfault.toml @@ -3,12 +3,11 @@ bypass_bbr_timing = true creation_date = "2023/10/26" integration = ["system"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/26" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Monitors kernel logs for segfault messages. A segfault, or segmentation fault, is an error that occurs when a program tries to access a memory location that it's not allowed to access, typically leading to program termination. A segfault 
@@ -47,20 +46,15 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Rule Type: BBR" - ] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR"] timestamp_override = "event.ingested" -building_block_type = "default" type = "query" + query = ''' host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:segfault ''' + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index f4834c928b2..cef517d3a22 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml @@ -3,12 +3,11 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses. 
@@ -18,15 +17,19 @@ index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Creation of SettingContent-ms Files" -references = [ - "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", -] +references = ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"] risk_score = 21 rule_id = "1e6363a6-3af5-41d4-b7ea-d475389c0ceb" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -38,40 +41,39 @@ file where host.os.type == "windows" and event.type == "creation" and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" - [[rule.threat.technique.subtechnique]] - id = "T1204.002" - name = "Malicious File" - reference = "https://attack.mitre.org/techniques/T1204/002/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" - [[rule.threat.technique.subtechnique]] - id = "T1566.001" - name = "Spearphishing Attachment" - reference = "https://attack.mitre.org/techniques/T1566/001/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules_building_block/execution_unix_socket_communication.toml b/rules_building_block/execution_unix_socket_communication.toml index 26e055dbed2..bd444e795c8 100644 --- a/rules_building_block/execution_unix_socket_communication.toml +++ b/rules_building_block/execution_unix_socket_communication.toml 
@@ -1,19 +1,18 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local -Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate -privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to -evade detection. +This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local +Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate +privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to +evade detection. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
@@ -24,18 +23,18 @@ risk_score = 21 rule_id = "41284ba3-ed1a-4598-bfba-a97f75d9aba2" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -46,15 +45,17 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml index ee7b2e8f624..e6c2b4816cc 100644 --- a/rules_building_block/execution_unsigned_service_executable.toml +++ b/rules_building_block/execution_unsigned_service_executable.toml @@ -1,11 +1,9 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" -min_stack_version = "8.6.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -22,14 +20,15 @@ name = "Execution of an Unsigned Service" risk_score = 21 rule_id = "56fdfcf1-ca7c-4fd9-951d-e215ee26e404" severity = "low" -tags = ["Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend" - ] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" @@ -40,36 +39,37 @@ process.parent.executable:"C:\\Windows\\System32\\services.exe" and not process.code_signature.status : (errorCode_endpoint* or "errorChaining") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" - [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" @@ -78,7 +78,8 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] - [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" \ No newline at end of file +value = "now-14d" + + 
diff --git a/rules_building_block/execution_wmi_wbemtest.toml b/rules_building_block/execution_wmi_wbemtest.toml index 6f65b1aca47..0e8da7c0534 100644 --- a/rules_building_block/execution_wmi_wbemtest.toml +++ b/rules_building_block/execution_wmi_wbemtest.toml @@ -2,28 +2,40 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints. """ from = "now-119m" +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] interval = "60m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "WMI WBEMTEST Utility Execution" risk_score = 21 rule_id = "d3551433-782f-4e22-bbea-c816af2d41c6" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -33,13 +45,14 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/impact_github_member_removed_from_organization.toml b/rules_building_block/impact_github_member_removed_from_organization.toml index ddffcc741d0..9b6f36d684b 100644 --- a/rules_building_block/impact_github_member_removed_from_organization.toml +++ b/rules_building_block/impact_github_member_removed_from_organization.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/21" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -A member was removed or their invitation to join was removed from a GitHub Organization. -""" +description = "A member was removed or their invitation to join was removed from a GitHub Organization.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -21,13 +17,14 @@ name = "Member Removed From GitHub Organization" risk_score = 21 rule_id = "095b6a58-8f88-4b59-827c-ab584ad4e759" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" 
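Review bot: The description near the top of this hunk is rewritten from a `"""` multi-line literal into a one-line basic string ending in an escaped `\n`, while other rules in the same change (execution_wmi_wbemtest.toml, lateral_movement_at.toml) keep the `"""` form, so the same field now has two formats depending only on whether the text fits on one line, and the trailing `\n` is easy to lose in a later hand edit. This looks like serializer output rather than a hand edit, so the fix probably belongs in the TOML writer: emit the literal form for any description containing a newline, i.e. `description = """` / `A member was removed or their invitation to join was removed from a GitHub Organization.` / `"""`. The same applies to the sibling hunks for impact_github_pat_access_revoked.toml, impact_github_user_blocked_from_organization.toml, initial_access_github_new_ip_address_for_pat.toml, initial_access_github_new_ip_address_for_user.toml, initial_access_github_new_user_agent_for_pat.toml, initial_access_github_new_user_agent_for_user.toml, persistence_github_new_pat_for_user.toml, persistence_github_new_user_added_to_organization.toml and persistence_creation_of_kernel_module.toml, where the collapsed line also runs well past the width the other descriptions were re-wrapped to.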
@@ -35,6 +32,7 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.remove_member" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -47,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml index aa9fc0e0c90..40804acb163 100644 --- a/rules_building_block/impact_github_pat_access_revoked.toml +++ b/rules_building_block/impact_github_pat_access_revoked.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Access to private GitHub organization resources was revoked for a PAT. -""" +description = "Access to private GitHub organization resources was revoked for a PAT.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -21,13 +17,14 @@ name = "GitHub PAT Access Revoked" risk_score = 21 rule_id = "8a0fd93a-7df8-410d-8808-4cc5e340f2b9" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" 
@@ -35,6 +32,7 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -47,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules_building_block/impact_github_user_blocked_from_organization.toml b/rules_building_block/impact_github_user_blocked_from_organization.toml index 96daeacf88f..01bce32d75a 100644 --- a/rules_building_block/impact_github_user_blocked_from_organization.toml +++ b/rules_building_block/impact_github_user_blocked_from_organization.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -A GitHub user was blocked from access to an organization. -""" +description = "A GitHub user was blocked from access to an organization.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -21,13 +17,14 @@ name = "GitHub User Blocked From Organization" risk_score = 21 rule_id = "4030c951-448a-4017-a2da-ed60f6d14f4f" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" 
@@ -35,6 +32,7 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.block_user" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -47,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules_building_block/initial_access_cross_site_scripting.toml b/rules_building_block/initial_access_cross_site_scripting.toml index 318d1616019..c2a27be30ef 100644 --- a/rules_building_block/initial_access_cross_site_scripting.toml +++ b/rules_building_block/initial_access_cross_site_scripting.toml @@ -2,20 +2,19 @@ creation_date = "2023/07/12" integration = ["apm"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/12" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. -In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a -browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts. +Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS +attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side +script. This detection rule identifies the potential malicious executions of such browser-side scripts. """ from = "now-119m" -interval = "60m" index = ["apm-*-transaction*", "traces-apm*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Cross Site Scripting (XSS)" 
@@ -25,7 +24,6 @@ rule_id = "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c" severity = "low" tags = ["Data Source: APM", "Use Case: Threat Detection", "Tactic: Initial Access"] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -47,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml index b1fa1b90d21..85b7086c02e 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days. -""" +description = "Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -21,13 +17,14 @@ name = "First Occurrence of IP Address For GitHub Personal Access Token (PAT)" risk_score = 21 rule_id = "fc909baa-fb34-4c46-9691-be276ef4234c" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" 
@@ -37,6 +34,7 @@ github.actor_ip:* and github.hashed_token:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,6 +46,8 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -56,7 +56,8 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.actor_ip"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/initial_access_github_new_ip_address_for_user.toml b/rules_building_block/initial_access_github_new_ip_address_for_user.toml index 38bb8adf040..25ef2800c7d 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_user.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_user.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects a new IP address used for a GitHub user not previously seen in the last 14 days. -""" +description = "Detects a new IP address used for a GitHub user not previously seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -21,13 +17,14 @@ name = "First Occurrence of IP Address For GitHub User" risk_score = 21 rule_id = "3af4cb9b-973f-4c54-be2b-7623c0e21b2b" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -36,6 +33,7 @@ event.dataset:"github.audit" and event.category:"configuration" and github.actor_ip:* and user.name:* ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -47,6 +45,8 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -55,7 +55,8 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.actor_ip"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml index 64308ff178a..b473839076e 100644 --- a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml +++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml 
@@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days. -""" +description = "Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -21,13 +17,14 @@ name = "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)" risk_score = 21 rule_id = "0e4367a0-a483-439d-ad2e-d90500b925fd" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -37,6 +34,7 @@ github.user_agent:* and github.hashed_token:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,6 +46,8 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -56,7 +56,8 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.user_agent"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + 
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_user.toml b/rules_building_block/initial_access_github_new_user_agent_for_user.toml index 7980a538de6..8463648e69e 100644 --- a/rules_building_block/initial_access_github_new_user_agent_for_user.toml +++ b/rules_building_block/initial_access_github_new_user_agent_for_user.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Detects a new user agent used for a GitHub user not previously seen in the last 14 days. -""" +description = "Detects a new user agent used for a GitHub user not previously seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -21,13 +17,14 @@ name = "First Occurrence of User-Agent For a GitHub User" risk_score = 21 rule_id = "41761cd3-380f-4d4d-89f3-46d6853ee35d" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -36,6 +33,7 @@ event.dataset:"github.audit" and event.category:"configuration" and github.user_agent:* and user.name:* ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -47,6 +45,8 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" 
@@ -55,7 +55,8 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.user_agent"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml index 0ccabf7ce6f..17e6965f898 100644 --- a/rules_building_block/lateral_movement_at.toml +++ b/rules_building_block/lateral_movement_at.toml 
@@ -2,29 +2,41 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement. """ from = "now-119m" +index = [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*", +] interval = "60m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "At.exe Command Lateral Movement" risk_score = 21 rule_id = "b483365c-98a8-40c0-92d8-0458ca25058a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" 
@@ -33,25 +45,22 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" @@ -62,7 +71,10 @@ id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml index 6110207d585..4a6aa3206d1 100644 --- a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml +++ b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml 
@@ -2,29 +2,33 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral -movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish -an RDP connection to evade detection. +movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP +connection to evade detection. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.network-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Outgoing RDP Connection by Unusual Process" risk_score = 21 rule_id = "8e39f54e-910b-4adb-a87e-494fbba5fb65" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -63,3 +67,4 @@ reference = "https://attack.mitre.org/techniques/T1021/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml index 1739922bb4f..dbc9fce692a 100644 --- a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml +++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml 
@@ -1,17 +1,16 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/25" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL -instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement. +Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of +SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement. """ from = "now-9m" index = ["logs-endpoint.events.process-*"] 
@@ -20,15 +19,22 @@ license = "Elastic License v2" name = "Unusual Process For MSSQL Service Accounts" references = [ "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/", - "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16" + "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16", ] risk_score = 21 rule_id = "e74d645b-fec6-431e-bf93-ca64a538e0de" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where event.type == "start" and host.os.type == "windows" and @@ -82,21 +88,21 @@ reference = "https://attack.mitre.org/techniques/T1210/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique.subtechnique]] id = "T1505.001" name = "SQL Stored Procedures" reference = "https://attack.mitre.org/techniques/T1505/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 9238c44be4d..27337528974 100644 
--- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -2,28 +2,33 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.process-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "WMIC Remote Command" risk_score = 21 rule_id = "f59668de-caa0-4b84-94c1-3a1549e1e798" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' 
@@ -37,31 +42,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml index ed153da8642..f4aaaef461d 100644 --- a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml +++ b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/04/30" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -32,7 +30,7 @@ tags = [ "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence", - "Rule Type: BBR" + "Rule Type: BBR", ] timestamp_override = "event.ingested" type = "query" 
@@ -46,14 +44,6 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" -[[rule.threat.technique.subtechnique]] -id = "T1098.003" -name = "Additional Cloud Roles" -reference = "https://attack.mitre.org/techniques/T1098/003/" -[[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" @@ -63,6 +53,17 @@ name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + + + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/persistence_creation_of_kernel_module.toml b/rules_building_block/persistence_creation_of_kernel_module.toml index 1a5f88f2100..4ba49615de2 100644 --- a/rules_building_block/persistence_creation_of_kernel_module.toml +++ b/rules_building_block/persistence_creation_of_kernel_module.toml 
@@ -2,19 +2,15 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory. -""" +description = "Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.\n" from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Creation of Kernel Module" @@ -22,16 +18,17 @@ risk_score = 21 rule_id = "947827c6-9ed6-4dec-903e-c856c86e72f3" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and file.extension == "ko" and not process.name : ( 
@@ -39,20 +36,22 @@ file.extension == "ko" and not process.name : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml index cfef12dc021..a7cfbd7e476 100644 --- a/rules_building_block/persistence_github_new_pat_for_user.toml +++ b/rules_building_block/persistence_github_new_pat_for_user.toml @@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added to GitHub Integration" -min_stack_version = "8.8.0" -updated_date = "2023/12/14" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -A new PAT was used for a GitHub user not previously seen in the last 14 days. -""" +description = "A new PAT was used for a GitHub user not previously seen in the last 14 days.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -21,13 +17,14 @@ name = "First Occurrence of Personal Access Token (PAT) Use For a GitHub User" risk_score = 21 rule_id = "f94e898e-94f1-4545-8923-03e4b2866211" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "new_terms" @@ -37,6 +34,7 @@ github.hashed_token:* and user.name:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,6 +46,8 @@ id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -56,7 +56,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.hashed_token"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml index 685fa8fbe53..6de318f9160 100644 --- a/rules_building_block/persistence_github_new_user_added_to_organization.toml +++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml 
@@ -1,18 +1,14 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/12/21" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] building_block_type = "default" -description = """ -A new user was added to a GitHub organization. -""" +description = "A new user was added to a GitHub organization.\n" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -21,13 +17,14 @@ name = "New User Added To GitHub Organization" risk_score = 21 rule_id = "61336fe6-c043-4743-ab6e-41292f439603" severity = "low" -tags = ["Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Github" - ] +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Github", +] timestamp_override = "event.ingested" type = "eql" @@ -35,6 +32,7 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.add_member" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,7 +44,10 @@ id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/persistence_startup_folder_lnk.toml b/rules_building_block/persistence_startup_folder_lnk.toml index c8967f887ff..0cfb8ff93eb 100644 --- a/rules_building_block/persistence_startup_folder_lnk.toml +++ b/rules_building_block/persistence_startup_folder_lnk.toml 
@@ -1,14 +1,13 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" -bypass_bbr_timing = true +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies shortcut files written to or modified in the startup folder. Adversaries may use this technique to maintain persistence. @@ -21,9 +20,15 @@ name = "Shortcut File Written or Modified on Startup Folder" risk_score = 21 rule_id = "ee53d67a-5f0c-423c-a53c-8084ae562b5c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Rule Type: BBR", +] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -63,3 +68,4 @@ reference = "https://attack.mitre.org/techniques/T1547/009/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml index 993b637e4ae..41a64eb14b5 100644 --- a/rules_building_block/persistence_transport_agent_exchange.toml +++ b/rules_building_block/persistence_transport_agent_exchange.toml 
@@ -2,20 +2,19 @@ creation_date = "2023/07/14" integration = ["windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/04/05" +updated_date = "2024/05/21" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence. """ from = "now-119m" -interval = "60m" index = ["winlogbeat-*", "logs-windows.powershell*"] +interval = "60m" language = "kuery" license = "Elastic License v2" name = "Microsoft Exchange Transport Agent Install Script" @@ -37,10 +36,16 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: PowerShell Logs", + "Rule Type: BBR", +] timestamp_override = "event.ingested" type = "query" -building_block_type = "default" query = ''' event.category: "process" and host.os.type:windows and 
@@ -58,34 +63,35 @@ event.category: "process" and host.os.type:windows and ) ''' + [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" - +case_insensitive = true +value = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.filters]] + [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] -"case_insensitive" = true -"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" - +case_insensitive = true +value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -120,3 +126,4 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/privilege_escalation_trap_execution.toml b/rules_building_block/privilege_escalation_trap_execution.toml index f077ca029f9..52787ad90e8 100644 --- a/rules_building_block/privilege_escalation_trap_execution.toml 
+++ b/rules_building_block/privilege_escalation_trap_execution.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -14,8 +12,8 @@ Identify activity related where adversaries can include a trap command which the commands that will be executed upon receiving interrupt signals. """ from = "now-119m" -interval = "60m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Trap Signals Execution" 
@@ -23,37 +21,40 @@ risk_score = 21 rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "trap" and process.args : "SIG*" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.005" name = "Trap" reference = "https://attack.mitre.org/techniques/T1546/005/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 2170d5a7551..f73dcd8f420 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -28,7 +28,7 @@ ThresholdAlertSuppression, TOMLRuleContents) from detection_rules.rule_loader import FILE_PATTERN from detection_rules.rule_validators import EQLValidator, KQLValidator -from detection_rules.schemas import definitions, get_stack_schemas +from detection_rules.schemas import definitions, get_min_supported_stack_version, get_stack_schemas from detection_rules.utils import INTEGRATION_RULE_DIR, PatchedTemplate, get_path, load_etc_dump from detection_rules.version_lock import default_version_lock from rta import get_available_tests 
@@ -1111,6 +1111,7 @@ class TestBuildTimeFields(BaseRuleTest): def test_build_fields_min_stack(self): """Test that newly introduced build-time fields for a min_stack for applicable rules.""" current_stack_ver = PACKAGE_STACK_VERSION + min_supported_stack_version = get_min_supported_stack_version() invalids = [] for rule in self.production_rules: @@ -1120,7 +1121,12 @@ def test_build_fields_min_stack(self): errors = [] for build_field, field_versions in build_fields.items(): start_ver, end_ver = field_versions - if start_ver is not None and current_stack_ver >= start_ver: + # when a _new_ build time field is introduced, _all_ rules _must_ have a min_stack_version for the stack + # version in which the field was introduced. This is because the initial change will result in a hash + # change which is different because of the build time fields. + # This also ensures that the introduced version is greater than the min supported, in order to age off + # old and unneeded checks. (i.e. 8.3.0 < 8.9.0 min supported, so it is irrelevant now) + if start_ver is not None and current_stack_ver >= start_ver >= min_supported_stack_version: if min_stack is None or not Version.parse(min_stack) >= start_ver: errors.append(f'{build_field} >= {start_ver}')