diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index ef82fd53792..2932901531c 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -84,6 +84,10 @@
 "Target.process.name": "keyword",
 "process.Ext.api.name": "keyword"
 },
+ "logs-endpoint.events.api-*": {
+ "process.Ext.api.parameters.consumer_type": "keyword",
+ "process.Ext.api.name": "keyword"
+ },
 "logs-endpoint.events.file-*": {
 "file.Ext.header_bytes": "keyword",
 "file.Ext.windows.zone_identifier": "long"
diff --git a/pyproject.toml b/pyproject.toml
index 8ef7db21195..b1977c0871e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.6"
+version = "0.3.7"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
index 586426af047..3a2b3cca798 100644
--- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml
+++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/02/02"
-integration = ["windows"]
+integration = ["windows", "endpoint"]
 maturity = "production"
-updated_date = "2024/10/15"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2024/12/23"
+min_stack_version = "8.15.0"
+min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0."
 
 [rule]
 author = ["Elastic"]
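Review bot: The rewritten `min_stack_comments` on the last added line of the metadata hunk drops the earlier rationale that the Windows integration itself has a breaking change at 8.14.0; the new 8.15.0 floor still satisfies that constraint, but a maintainer who later lowers `min_stack_version` for a Sysmon-only variant would no longer see why 8.14.0 is the hard minimum for the Sysmon branch. Keep both reasons in the comment, e.g. `min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration; Elastic Defend WMI events were added in Elastic Defend 8.15.0."`. The `[rule]` table opened on the hunk's last two context lines continues outside the hunk.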
@@ -13,7 +13,7 @@ Detects the creation of a WMI Event Subscription. Attackers can abuse this mecha
 SYSTEM privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-endpoint.events.api-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WMI Event Subscription Created"
@@ -30,13 +30,20 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Data Source: Sysmon",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "windows.sysmon_operational" and event.code == "21" and
- winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")
+any where
+ (
+ (event.dataset == "windows.sysmon_operational" and event.code == "21" and
+ winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or
+
+ (event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and process.Ext.api.name == "IWbemServices::PutInstance" and
+ process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer"))
+ )
 '''
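Review bot: The new `logs-endpoint.events.api-*` entry in `index` is not reflected in anything an analyst reads: the `description` whose tail is visible at the top of this hunk names neither data source, and if the rule carries a `setup` or `note` section (not visible here) it presumably still describes Sysmon-only prerequisites. Because the Elastic Defend path only exists from 8.15.0 (per the `min_stack_comments` change in the metadata hunk), a one-line addition to the description or setup text such as `Also covered by Elastic Defend API events (requires Elastic Defend 8.15.0 or later).` would tell operators which telemetry they need on a given host. The `[rule]` table enclosing this hunk starts before it and ends after it.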