From 96dc09de38fe99d4607117078048e1190b1890af Mon Sep 17 00:00:00 2001 
From: brokensound77 Date: Thu, 28 Jan 2021 10:23:13 -0900 Subject: [PATCH 1/3] [Rule Tuning] Add windows integration index to rules --- ...access_cookies_chromium_browsers_debugging.toml | 5 +++-- ...efense_evasion_deleting_websvr_access_logs.toml | 5 +++-- .../cross-platform/impact_hosts_file_modified.toml | 4 ++-- rules/promotions/external_alerts.toml | 12 ++++++++++-- ...llection_email_powershell_exchange_mailbox.toml | 9 +++++---- ...ershell_exch_mailbox_activesync_add_device.toml | 9 +++++---- ...nd_and_control_certutil_network_connection.toml | 4 ++-- .../command_and_control_common_webservices.toml | 11 ++++++----- ...command_and_control_dns_tunneling_nslookup.toml | 4 ++-- ..._and_control_encrypted_channel_freesslcert.toml | 5 +++-- .../command_and_control_iexplore_via_com.toml | 4 ++-- ...control_remote_file_copy_desktopimgdownldr.toml | 4 ++-- ...mand_and_control_remote_file_copy_mpcmdrun.toml | 4 ++-- ...nd_and_control_remote_file_copy_powershell.toml | 4 ++-- ...mmand_and_control_remote_file_copy_scripts.toml | 4 ++-- ...nd_and_control_teamviewer_remote_file_copy.toml | 4 ++-- .../credential_access_cmdline_dump_tool.toml | 9 +++++---- ...l_access_copy_ntds_sam_volshadowcp_cmdline.toml | 5 +++-- ...edential_access_credential_dumping_msbuild.toml | 4 ++-- ...al_access_domain_backup_dpapi_private_keys.toml | 4 ++-- .../credential_access_dump_registry_hives.toml | 14 +++++++------- ...credential_access_iis_apppoolsa_pwd_appcmd.toml | 5 +++-- ...ntial_access_iis_connectionstrings_dumping.toml | 5 +++-- ...ntial_access_kerberoasting_unusual_process.toml | 5 +++-- ...edential_access_lsass_memdump_file_created.toml | 10 ++++++---- ...ential_access_mimikatz_memssp_default_logs.toml | 4 ++-- ...ntial_access_mod_wdigest_security_provider.toml | 4 ++-- .../credential_access_saved_creds_vaultcmd.toml | 10 +++++----- ...e_hidden_file_attribute_with_via_attribexe.toml | 4 ++-- ...efense_evasion_clearing_windows_event_logs.toml | 5 +++-- 
...nse_evasion_clearing_windows_security_logs.toml | 12 ++++++++---- .../defense_evasion_code_injection_conhost.toml | 4 ++-- rules/windows/defense_evasion_cve_2020_0601.toml | 4 ++-- ...sion_delete_volume_usn_journal_with_fsutil.toml | 4 ++-- ...sion_deleting_backup_catalogs_with_wbadmin.toml | 4 ++-- ..._disable_windows_firewall_rules_with_netsh.toml | 4 ++-- ...nse_evasion_dotnet_compiler_parent_process.toml | 4 ++-- ...ense_evasion_enable_inbound_rdp_with_netsh.toml | 5 +++-- ...on_encoding_or_decoding_files_via_certutil.toml | 4 ++-- .../defense_evasion_execution_lolbas_wuauclt.toml | 4 ++-- ...on_execution_msbuild_started_by_office_app.toml | 4 ++-- ...vasion_execution_msbuild_started_by_script.toml | 4 ++-- ...xecution_msbuild_started_by_system_process.toml | 4 ++-- ..._evasion_execution_msbuild_started_renamed.toml | 4 ++-- ...n_execution_msbuild_started_unusal_process.toml | 4 ++-- ...sion_execution_suspicious_explorer_winword.toml | 4 ++-- ..._execution_via_trusted_developer_utilities.toml | 4 ++-- ...fense_evasion_file_creation_mult_extension.toml | 5 +++-- ...e_evasion_hide_encoded_executable_registry.toml | 5 +++-- .../defense_evasion_iis_httplogging_disabled.toml | 4 ++-- .../windows/defense_evasion_injection_msbuild.toml | 4 ++-- .../defense_evasion_installutil_beacon.toml | 4 ++-- ...n_masquerading_as_elastic_endpoint_process.toml | 5 +++-- ...efense_evasion_masquerading_renamed_autoit.toml | 9 +++++---- ...masquerading_suspicious_werfault_childproc.toml | 4 ++-- ...nse_evasion_masquerading_trusted_directory.toml | 9 +++++---- .../defense_evasion_masquerading_werfault.toml | 4 ++-- ...ion_misc_lolbin_connecting_to_the_internet.toml | 4 ++-- ...efense_evasion_modification_of_boot_config.toml | 4 ++-- .../defense_evasion_msbuild_beacon_sequence.toml | 4 ++-- rules/windows/defense_evasion_mshta_beacon.toml | 4 ++-- rules/windows/defense_evasion_msxsl_beacon.toml | 4 ++-- ...ion_network_connection_from_windows_binary.toml | 4 ++-- 
...nse_evasion_port_forwarding_added_registry.toml | 5 +++-- ...ense_evasion_potential_processherpaderping.toml | 9 +++++---- rules/windows/defense_evasion_reg_beacon.toml | 4 ++-- .../defense_evasion_rundll32_no_arguments.toml | 4 ++-- ..._evasion_scheduledjobs_at_protocol_enabled.toml | 14 +++++++------- ...fense_evasion_sdelete_like_filename_rename.toml | 5 ++--- .../windows/defense_evasion_sip_provider_mod.toml | 4 ++-- ...nds_backdoor_service_disabled_via_registry.toml | 4 ++-- ...nse_evasion_stop_process_service_threshold.toml | 5 +++-- ...vasion_suspicious_managedcode_host_process.toml | 4 ++-- ...ense_evasion_suspicious_powershell_imgload.toml | 5 +++-- .../defense_evasion_suspicious_scrobj_load.toml | 4 ++-- ...ense_evasion_suspicious_zoom_child_process.toml | 6 +++--- ...ystem_critical_proc_abnormal_file_activity.toml | 4 ++-- rules/windows/defense_evasion_unusual_dir_ads.toml | 5 +++-- ...se_evasion_unusual_system_vp_child_program.toml | 4 ++-- .../defense_evasion_via_filter_manager.toml | 4 ++-- ...n_volume_shadow_copy_deletion_via_vssadmin.toml | 4 ++-- ...asion_volume_shadow_copy_deletion_via_wmic.toml | 4 ++-- .../windows/discovery_adfind_command_activity.toml | 5 +++-- rules/windows/discovery_admin_recon.toml | 4 ++-- rules/windows/discovery_file_dir_discovery.toml | 9 ++++----- .../discovery_net_command_system_account.toml | 4 ++-- rules/windows/discovery_net_view.toml | 4 ++-- rules/windows/discovery_peripheral_device.toml | 9 +++++---- ...ery_process_discovery_via_tasklist_command.toml | 4 ++-- .../windows/discovery_query_registry_via_reg.toml | 8 ++++---- ...y_remote_system_discovery_commands_windows.toml | 4 ++-- .../windows/discovery_security_software_wmic.toml | 5 +++-- .../windows/discovery_whoami_command_activity.toml | 4 ++-- ...t_solarwinds_backdoor_child_cmd_powershell.toml | 4 ++-- ...olarwinds_backdoor_unusual_child_processes.toml | 4 ++-- ..._command_prompt_connecting_to_the_internet.toml | 4 ++-- 
...cution_command_shell_started_by_powershell.toml | 5 +++-- ...execution_command_shell_started_by_svchost.toml | 4 ++-- ...n_command_shell_started_by_unusual_process.toml | 4 ++-- .../execution_command_shell_via_rundll32.toml | 5 +++-- .../execution_downloaded_shortcut_files.toml | 4 ++-- rules/windows/execution_downloaded_url_file.toml | 4 ++-- .../execution_enumeration_via_wmiprvse.toml | 4 ++-- .../windows/execution_from_unusual_directory.toml | 9 +++++---- .../execution_from_unusual_path_cmdline.toml | 5 +++-- ...cutable_program_connecting_to_the_internet.toml | 4 ++-- .../windows/execution_local_service_commands.toml | 4 ++-- .../windows/execution_ms_office_written_file.toml | 4 ++-- ...ecution_msbuild_making_network_connections.toml | 4 ++-- ...execution_mshta_making_network_connections.toml | 4 ++-- rules/windows/execution_msxsl_network.toml | 4 ++-- rules/windows/execution_pdf_written_file.toml | 4 ++-- .../execution_psexec_lateral_movement_command.toml | 4 ++-- ..._server_program_connecting_to_the_internet.toml | 4 ++-- .../execution_script_executing_powershell.toml | 4 ++-- .../execution_scripts_process_started_via_wmi.toml | 9 +++++---- .../execution_shared_modules_local_sxs_dll.toml | 10 ++++++---- ...cution_suspicious_image_load_wmi_ms_office.toml | 4 ++-- ...ecution_suspicious_ms_office_child_process.toml | 4 ++-- ...cution_suspicious_ms_outlook_child_process.toml | 4 ++-- rules/windows/execution_suspicious_pdf_reader.toml | 4 ++-- rules/windows/execution_suspicious_psexesvc.toml | 4 ++-- .../execution_suspicious_short_program_name.toml | 5 +++-- .../execution_unusual_dns_service_children.toml | 4 ++-- .../execution_unusual_dns_service_file_writes.toml | 4 ++-- ...on_unusual_network_connection_via_rundll32.toml | 5 +++-- ...ecution_unusual_process_network_connection.toml | 4 ++-- .../windows/execution_via_compiled_html_file.toml | 4 ++-- ..._via_explorer_suspicious_child_parent_args.toml | 4 ++-- .../execution_via_hidden_shell_conhost.toml | 4 ++-- 
.../windows/execution_via_net_com_assemblies.toml | 4 ++-- ...ion_via_xp_cmdshell_mssql_stored_procedure.toml | 4 ++-- rules/windows/exfiltration_winrar_encryption.toml | 10 ++++++---- rules/windows/lateral_movement_cmd_service.toml | 4 ++-- rules/windows/lateral_movement_dcom_hta.toml | 5 +++-- rules/windows/lateral_movement_dcom_mmc20.toml | 9 +++++---- ...vement_dcom_shellwindow_shellbrowserwindow.toml | 4 ++-- ...al_movement_direct_outbound_smb_connection.toml | 4 ++-- ...eral_movement_executable_tool_transfer_smb.toml | 5 +++-- ...teral_movement_execution_from_tsclient_mup.toml | 4 ++-- ...ovement_execution_via_file_shares_sequence.toml | 5 +++-- ...al_movement_incoming_winrm_shell_execution.toml | 5 +++-- rules/windows/lateral_movement_incoming_wmi.toml | 5 +++-- ..._movement_mount_hidden_or_webdav_share_net.toml | 8 +++++--- ...ateral_movement_powershell_remoting_target.toml | 14 ++++++++++---- .../lateral_movement_rdp_enabled_registry.toml | 9 +++++---- .../lateral_movement_rdp_sharprdp_target.toml | 9 +++++---- .../windows/lateral_movement_rdp_tunnel_plink.toml | 10 +++++----- ...ral_movement_remote_file_copy_hidden_share.toml | 5 +++-- .../windows/lateral_movement_remote_services.toml | 5 +++-- ..._movement_scheduled_task_powershell_source.toml | 4 ++-- .../lateral_movement_scheduled_task_target.toml | 9 ++++----- .../lateral_movement_suspicious_cmd_wmi.toml | 9 +++++---- ...l_movement_suspicious_rdp_client_imageload.toml | 9 +++++---- ...ateral_movement_via_startup_folder_rdp_smb.toml | 9 +++++---- .../persistence_adobe_hijack_persistence.toml | 4 ++-- rules/windows/persistence_app_compat_shim.toml | 4 ++-- .../windows/persistence_appcertdlls_registry.toml | 9 +++++---- .../windows/persistence_appinitdlls_registry.toml | 9 +++++---- ...ence_evasion_hidden_local_account_creation.toml | 4 ++-- ...ersistence_evasion_registry_ifeo_injection.toml | 4 ++-- .../persistence_gpo_schtask_service_creation.toml | 4 ++-- 
.../persistence_local_scheduled_task_commands.toml | 4 ++-- ...persistence_local_scheduled_task_scripting.toml | 10 +++++++--- .../windows/persistence_ms_office_addins_file.toml | 5 +++-- .../persistence_ms_outlook_vba_template.toml | 5 +++-- ...priv_escalation_via_accessibility_features.toml | 4 ++-- rules/windows/persistence_registry_uncommon.toml | 5 +++-- .../persistence_run_key_and_startup_broad.toml | 9 +++++---- ...istence_runtime_run_key_startup_susp_procs.toml | 7 ++++--- rules/windows/persistence_services_registry.toml | 5 +++-- ..._folder_file_written_by_suspicious_process.toml | 5 +++-- .../persistence_startup_folder_scripts.toml | 5 +++-- ...persistence_suspicious_com_hijack_registry.toml | 13 ++++++++----- ...icious_image_load_scheduled_task_ms_office.toml | 4 ++-- ...sistence_suspicious_scheduled_task_runtime.toml | 4 ++-- ...stence_suspicious_service_created_registry.toml | 5 +++-- .../persistence_system_shells_via_services.toml | 4 ++-- rules/windows/persistence_time_provider_mod.toml | 4 ++-- .../windows/persistence_user_account_creation.toml | 4 ++-- .../persistence_via_application_shimming.toml | 4 ++-- .../persistence_via_hidden_run_key_valuename.toml | 10 +++++----- ...via_lsa_security_support_provider_registry.toml | 8 +++++--- ...a_telemetrycontroller_scheduledtask_hijack.toml | 4 ++-- ...nce_via_update_orchestrator_service_hijack.toml | 4 ++-- ...agement_instrumentation_event_subscription.toml | 6 +++--- ...vilege_escalation_named_pipe_impersonation.toml | 12 ++++++++---- ...escalation_printspooler_registry_copyfiles.toml | 5 +++-- ...ation_printspooler_service_suspicious_file.toml | 4 ++-- ...scalation_printspooler_suspicious_spl_file.toml | 4 ++-- ...ge_escalation_rogue_windir_environment_var.toml | 5 +++-- ...privilege_escalation_uac_bypass_com_clipup.toml | 9 +++++---- ...ivilege_escalation_uac_bypass_com_ieinstal.toml | 5 +++-- ...lation_uac_bypass_com_interface_icmluautil.toml | 5 +++-- 
...e_escalation_uac_bypass_diskcleanup_hijack.toml | 5 +++-- ...lege_escalation_uac_bypass_dll_sideloading.toml | 9 +++++---- ...ivilege_escalation_uac_bypass_event_viewer.toml | 4 ++-- ...rivilege_escalation_uac_bypass_mock_windir.toml | 9 +++++---- ...ege_escalation_uac_bypass_winfw_mmc_hijack.toml | 5 +++-- rules/windows/privilege_escalation_uac_sdclt.toml | 4 ++-- ...scalation_unusual_parentchild_relationship.toml | 4 ++-- ...lation_unusual_svchost_childproc_childless.toml | 9 +++++---- tests/test_all_rules.py | 1 + 203 files changed, 604 insertions(+), 500 deletions(-)
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index 36018c3c625..ad3df15cb23 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2020/12/21"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ access web applications or Internet services as an authenticated user without ne
 """
 false_positives = ["Developers performing browsers plugin or extension debugging."]
 from = "now-9m"
-index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 max_signals = 33
@@ -58,3 +58,4 @@ reference = "https://attack.mitre.org/techniques/T1539/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index 5d909d4dc62..0d0b5af4bfd 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
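Review bot: The replacement value `updated_date = "2020/01/28"` in the first [metadata] hunk looks like it carries the wrong year: the patch header is dated 28 Jan 2021, and with `creation_date = "2020/12/21"` the new value dates the update before the rule was created. The identical value is written into every [metadata] hunk of this patch (the websvr access logs, hosts file and external_alerts files, and all of the rules/windows files in view), so one fix applies throughout: `updated_date = "2021/01/28"`. The one-line change to tests/test_all_rules.py listed in the diffstat is not in view, so I cannot tell from here whether a test would reject an updated_date earlier than creation_date; if it does not, that check would have caught this.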
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the deletion of WebServer access logs. This may indicate an attempt t
 evidence on a system.
 """
 from = "now-9m"
-index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "WebServer Access Logs Deleted"
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1070/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 95800e82efb..14491a62928 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/07"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ to malicious infrastructure. This rule detects modifications to the hosts file o
 RHEL) and macOS systems.
 """
 from = "now-9m"
-index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Hosts File Modified"
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml
index 8641e23c9ed..d66d6a4d238 100644
--- a/rules/promotions/external_alerts.toml
+++ b/rules/promotions/external_alerts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,15 @@ description = """
 Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to
 immediately begin investigating external alerts in the app.
 """
-index = ["apm-*-transaction*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
+index = [
+    "apm-*-transaction*",
+    "auditbeat-*",
+    "filebeat-*",
+    "logs-*",
+    "packetbeat-*",
+    "winlogbeat-*",
+    "logs-windows.*",
+]
 language = "kuery"
 license = "Elastic License"
 max_signals = 10000
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index fb8f65da551..d043a3de707 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2020/12/15"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or
-archive to a .pst file. Adversaries may target user email to collect sensitive information.
+Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary
+mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.
 """
 false_positives = ["Legitimate exchange system administration activity."]
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Exporting Exchange Mailbox via PowerShell"
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1114/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
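Review bot: In the external_alerts.toml index hunk, the added "logs-windows.*" entry is redundant because the existing "logs-*" pattern in the same array already matches every logs-windows.* index, so the new entry widens nothing. It is harmless for the query, but it invites the next reader to assume "logs-*" is narrower than it is; either drop the entry and keep the original single-line array, or keep it with a comment above the array such as `# "logs-*" already matches the Windows integration; listed explicitly for parity with the per-OS rules`. The other index hunks in this patch add the pattern to lists that do not contain "logs-*", where it is a real change.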
diff --git a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
index e0db1ab58ad..eac372e2b8f 100644
--- a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2020/12/15"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may
-target user email to collect sensitive information.
+Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device.
+Adversaries may target user email to collect sensitive information.
 """
 false_positives = ["Legitimate exchange system administration activity."]
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "New ActiveSyncAllowedDeviceID Added via PowerShell"
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1114/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml
index e52c4f9ae37..656a334db2f 100644
--- a/rules/windows/command_and_control_certutil_network_connection.toml
+++ b/rules/windows/command_and_control_certutil_network_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/19"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies certutil.exe making a network connection. Adversaries could abuse cer
 malware, from a remote URL.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Network Connection via Certutil"
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 8437e68fe6e..7e1d6813564 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -1,18 +1,18 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2020/11/04"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
 Adversaries may implement command and control communications that use common web services in order to hide their
-activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic.
-activity. These popular services are typically targeted since they have most likely been used before a compromise and
-allow adversaries to blend in the network.
+activity. This attack technique is typically targeted to an organization and uses web services common to the victim
+network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically
+targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Connection to Commonly Abused Web Services"
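Review bot: The reflowed description in command_and_control_common_webservices.toml keeps a stray sentence fragment on the new side: the second added line reads `... blend into legitimate traffic. activity. These popular services are typically`, where "activity." is a leftover from the old second line that began with that word. Since this hunk only re-wraps the text, it is the right place to drop the fragment; the line would become `network which allows the adversary to blend into legitimate traffic. These popular services are typically`, with the following line re-wrapped to the 120-column width the rest of the patch uses. The remaining sentence also repeats the "blend in" idea twice, so a shorter one-sentence closing would read better, but that is a wording choice rather than a defect.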
@@ -74,3 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1102/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index dab12bf4289..03cebc83e3e 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2020/11/11"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ This rule identifies a large number (15) of nslookup.exe executions with an expl
 may indicate command and control activity utilizing the DNS protocol.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Potential DNS Tunneling via NsLookup"
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index 133270ff29d..db063a8ea22 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2020/11/04"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies unusual processes connecting to domains using known free SSL certific
 encryption algorithm to conceal command and control traffic.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Connection to Commonly Abused Free SSL Certificate Providers"
@@ -50,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1573/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index 9de17950870..506a063e1be 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/28"
 maturity = "production"
-updated_date = "2020/11/28"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ unusual network connections. Adversaries could abuse Internet Explorer via COM t
 network connections and bypass host-based firewall restrictions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Potential Command and Control via Internet Explorer"
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 41014df3905..e7b1ba8e93c 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the desktopimgdownldr utility being used to download a remote file. A
 download arbitrary files as an alternative to certutil.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Remote File Download via Desktopimgdownldr Utility"
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index d5e47c50f6d..73a18765ad7 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Remote File Download via MpCmdRun"
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index 63ee46ce45a..11c74a502da 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2020/11/30"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies powershell.exe being used to download an executable file from an untrusted remote destination."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Remote File Download via PowerShell"
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 69aa34be074..53338cb901d 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2020/11/29"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) bei
 from a remote destination.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Remote File Download via Script Interpreter"
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 052139ed05a..96c202468c1 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Remote File Copy via TeamViewer"
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index ebcbf7b4683..764c741a47b 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2020/11/24"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory
-database (NTDS.dit) in preparation for credential access.
+Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database
+(NTDS.dit) in preparation for credential access.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Potential Credential Access via Windows Utilities"
@@ -48,3 +48,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 93b8f2462bd..55ad8359b66 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2020/11/24"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o
 Those files contain sensitive information including hashed domain and/or local credentials.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 max_signals = 33
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index c800a91a3aa..08d91f7354a 100755
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ credential management. This technique is sometimes used for credential dumping.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Loading Windows Credential Libraries"
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 2c0db39f274..9f563237212 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the creation or modification of Domain Backup private keys. Adversari
 (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Creation or Modification of Domain Backup DPAPI private key"
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index d241e35f8e2..623af7a5385 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -1,19 +1,19 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2020/11/23"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
-description = """
-Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.
-"""
+description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Credential Acquisition via Registry Hive Dumping"
-references = ["https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8"]
+references = [
+ "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8",
+]
 risk_score = 73
 rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8"
 severity = "high"
@@ -26,7 +26,6 @@ process where event.type in ("start", "process_started") and
 process.args : ("save", "export") and
 process.args : ("hklm\\sam", "hklm\\security") and
 not process.parent.executable : "C:\\Program Files*\\Rapid7\\Insight Agent\\components\\insight_agent\\*\\ir_agent.exe"
-
 '''
 
 
@@ -42,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 813cad4ea9e..430dca58ee1 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be
 with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 max_signals = 33
@@ -41,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index d4d28d04365..0cab24b9a7d 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ access via a webshell or alike can decrypt and dump any hardcoded connection str
 password using aspnet_regiis command.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 max_signals = 33
@@ -45,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 61484e5d860..09517c33470 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2020/11/02"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Kerberos Traffic from Unusual Process"
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1558/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index bc8d38e781d..70c06d63d56 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -1,16 +1,17 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2020/11/24"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate
-a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.
+Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may
+indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper
+(sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "LSASS Memory Dump Creation"
@@ -38,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index 7b873df1cad..2fd7a2306ad 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies the password log file from the default Mimikatz memssp module."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Mimikatz Memssp Log File Detected"
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 0b5b337bbc3..5d14d0e609c 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/01/19"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ an endpoint. Once the UseLogonCredential value is modified, the adversary may at
 memory.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Modification of WDigest Security Provider"
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index 8b1ee65a0ca..388c98a1cc8 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -1,17 +1,17 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/01/19"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites,
-connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential
-Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.
+Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
+applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
+saved usernames and passwords. This may also be performed in preparation of lateral movement.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Searching for Saved Credentials via VaultCmd"
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index f36142b70e4..a50c2934270 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Adding Hidden File Attribute via Attrib"
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 43a168fea47..02637967b77 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/30"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies attempts to clear or disable Windows event log stores using Windows w
 attackers in an attempt to evade detection or destroy forensic evidence on a system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Clearing Windows Event Logs"
@@ -39,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1070/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 79e50dac8be..a8cbb375c69 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2021/01/11"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
 description = """
-Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade
-detection or destroy forensic evidence on a system.
+Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection
+or destroy forensic evidence on a system.
 """
 from = "now-9m"
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Windows Event Logs Cleared"
@@ -24,13 +24,17 @@ query = '''
 event.action:("audit-log-cleared" or "Log clear")
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal on Host"
 reference = "https://attack.mitre.org/techniques/T1070/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_code_injection_conhost.toml b/rules/windows/defense_evasion_code_injection_conhost.toml
index 5adfd251044..a88fe9ea95e 100644
--- a/rules/windows/defense_evasion_code_injection_conhost.toml
+++ b/rules/windows/defense_evasion_code_injection_conhost.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious Conhost child process which may be an indication of code injection activity."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious Process from Conhost"
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml index e5c9ba358af..86a8a8565d9 100644 --- a/rules/windows/defense_evasion_cve_2020_0601.toml +++ b/rules/windows/defense_evasion_cve_2020_0601.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/19" maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) valid certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. """ -index = ["winlogbeat-*"] +index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index fc4c74f26f6..32458c2ac5b 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is of files created during post-exploitation activities. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Delete Volume USN Journal with Fsutil" 
diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
index d9c2d01e1ab..704868555c1 100644
--- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and o
 system recovery.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Deleting Backup Catalogs with Wbadmin"
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index f83c8dd25e8..103ef5325f8 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies use of the netsh.exe to disable or weaken the local firewall. Attacke
 disable the firewall during troubleshooting or to enable network mobility.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Disable Windows Firewall Rules via Netsh"
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 9ccf8830cca..a0972ac0203 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2020/11/30"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies suspicious .NET code execution. connections."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious .NET Code Compilation"
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index cbb3b9686da..624ec123e70 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2020/10/13"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies use of the network shell utility (netsh.exe) to enable inbound Remote
 the Windows Firewall.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Remote Desktop Enabled in Windows Firewall"
@@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1089/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
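Review bot: The description carried on the new side of the dotnet_compiler_parent_process hunk, `description = "Identifies suspicious .NET code execution. connections."`, is a broken sentence with a stray `connections.` fragment, and this commit rewrites other descriptions in the series without fixing this one. Since the rule's metadata is being touched anyway, the minimal repair is `description = "Identifies suspicious .NET code execution."`; the rule name `Suspicious .NET Code Compilation` suggests the author may prefer wording about compilation, which I cannot confirm from the hunk.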
diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
index 95c69675511..2ac834a3077 100644
--- a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
+++ b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Certificate Services. CertUtil is often abused by attackers to encode or decode
 control or exfiltration.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Encoding or Decoding Files via CertUtil"
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index ef84d65bf25..a5ddb4fd5e4 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2020/10/13"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load
 as a defense evasion technique to blend-in malicious activity with legitimate Windows software.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "ImageLoad via Windows Update Auto Update Client"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index b291933a7cf..7d0b4871a6f 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started by an Office Application"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 81bd5a8f6b4..e1f20e7c5f1 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ behavior is unusual and is sometimes used by malicious payloads.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started by a Script Process"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 58eabf98baa..147c3e8582a 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Instrumentation) subsystem. This behavior is unusual and is sometimes used by ma
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started by a System Process"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 8a28677cb9a..ad51c3bf08f 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ indicate an attempt to run unnoticed or undetected.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Using an Alternate Name"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index fa1d0dc38ba..7d42e0c25f2 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started an Unusual Process"
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 3982806f5ed..e4c8aa0c687 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ starting after being renamed or from a non-standard path. This is uncommon behav
 defenses via side loading a malicious DLL within the memory space of one of those processes.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Potential DLL SideLoading via Trusted Microsoft Programs"
diff --git a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
index 5c8584d0f4b..a8a63dfea89 100644
--- a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
+++ b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies possibly suspicious activity using trusted Windows developer activity."
 false_positives = ["These programs may be used by Windows developers but use by non-engineers is unusual."]
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Trusted Developer Application Usage"
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 55c93389a43..84aec1be2da 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/01/19"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ when the name or location of a file is manipulated as a means of tricking a user
 benign file type but is actually executable code.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Executable File Creation with Multiple Extensions"
@@ -70,3 +70,4 @@ reference = "https://attack.mitre.org/techniques/T1036/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index 85fe52dfdca..51d8d9039dc 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2020/11/25"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies registry write modifications to hide an encoded portable executable.
 defense evasion by avoiding the storing of malicious content directly on disk.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Encoded Executable Stored in the Registry"
@@ -39,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1140/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 5847bb7281c..1c7df26de08 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/14"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies when Internet Information Services (IIS) HTTP Logging is disabled on
 access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 max_signals = 33
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index 4476d1d7905..9693eb5a878 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ An instance of MSBuild, the Microsoft Build Engine, created a thread in another
 used to evade detection or elevate privileges.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Process Injection by the Microsoft Build Engine"
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index 9fcb9aab347..8add216a98e 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies InstallUtil.exe making outbound network connections. This may indicat
 often leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "InstallUtil Process Making Network Connections"
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 0b1a30517cc..40aa5af2ad8 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2020/11/09"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ A suspicious Endpoint Security parent process was detected. This may indicate a
 injection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious Endpoint Security Parent Process"
@@ -44,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 18b21064604..4f1177a4ea1 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable
-to avoid detection.
+Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt
+executable to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Renamed AutoIt Scripts Interpreter"
@@ -38,3 +38,4 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 96acddb3cf2..97320631fee 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ such as command line, network connections, file writes and parent process detail
 """
 false_positives = ["Custom Windows Error Reporting Debugger"]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious WerFault Child Process"
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 35757eb712b..ca7784060a5 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,17 +1,17 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/11/18"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
 description = """
 Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and
-usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections
-whitelisting those folders.
+usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
+detections whitelisting those folders.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Program Files Directory Masquerading"
@@ -41,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index 940b85cc45f..586c67f7f6c 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ masquerading attempt to evade suspicious child process behavior detections.
 """
 false_positives = ["Legit Application Crash with rare Werfault commandline value"]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Potential Windows Error Manager Masquerading"
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 41f54606c75..05fe605e3a4 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ validation. Adversaries may use these binaries to 'live off the land' and execut
 application allowlists and signature validation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Network Connection via Signed Binary"
diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml
index 1e0970daa79..4ae163a34d5 100644
--- a/rules/windows/defense_evasion_modification_of_boot_config.toml
+++ b/rules/windows/defense_evasion_modification_of_boot_config.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/16"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies use of bcdedit.exe to delete boot configuration data. This tactic is
 attacker as a destructive technique.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Modification of Boot Configuration"
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index 850fdcc1751..86860727081 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies MsBuild.exe making outbound network connections. This may indicate ad
 leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "MsBuild Network Connection Sequence"
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index a4998c6cbed..7ad3d5a6e56 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies Mshta.exe making outbound network connections. This may indicate adve
 leveraged by adversaries to execute malicious scripts and evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Mshta Making Network Connections"
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index 1341ab523a9..6f11678d811 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies MsXsl.exe making outbound network connections. This may indicate adve
 leveraged by adversaries to execute malicious scripts and evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "MsXsl Making Network Connections"
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index 4a0a39c1d12..1be23e6f7f2 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies network activity from unexpected system applications. This may indica
 applications are often leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Unusual Network Activity from a Windows System Binary"
diff --git a/rules/windows/defense_evasion_port_forwarding_added_registry.toml b/rules/windows/defense_evasion_port_forwarding_added_registry.toml
index 04bbd7e825f..df7c50c379e 100644
--- a/rules/windows/defense_evasion_port_forwarding_added_registry.toml
+++ b/rules/windows/defense_evasion_port_forwarding_added_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2020/11/25"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the creation of a new port forwarding rule. An adversary may abuse th
 segmentation restrictions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Port Forwarding Rule Addition"
@@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1089/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml
index 975007031c8..6dc366f162a 100644
--- a/rules/windows/defense_evasion_potential_processherpaderping.toml
+++ b/rules/windows/defense_evasion_potential_processherpaderping.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an
-evasion attempt to execute malicious code in a stealthy way.
+Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate
+an evasion attempt to execute malicious code in a stealthy way.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Potential Process Herpaderping Attempt"
@@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_reg_beacon.toml b/rules/windows/defense_evasion_reg_beacon.toml
index 26b2655ffac..492e3472d8e 100644
--- a/rules/windows/defense_evasion_reg_beacon.toml
+++ b/rules/windows/defense_evasion_reg_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies registration utilities making outbound network connections. This incl
 may indicate adversarial activity as these tools are often leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Registration Tool Making Network Connections"
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 8013637904b..b8bc4e58439 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies child processes of unusual instances of RunDLL32 where the command li
 RunDLL32 could indicate malicious activity.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Unusual Child Processes of RunDLL32"
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index f426198ecc4..ceb221a9b4a 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -1,22 +1,21 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2020/11/23"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or
-persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.
+Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to
+move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still
+exists for backwards compatibility.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Scheduled Tasks AT Command Enabled"
-references = [
- "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob",
-]
+references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
 risk_score = 47
 rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
 severity = "medium"
@@ -41,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1089/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 33eeed9acc4..900653eb280 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Detects file name patterns generated by the use of Sysinternals SDelete utility
 file overwrite and rename operations.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Potential Secure File Deletion via SDelete Utility"
@@ -21,7 +21,6 @@ severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"

-
 query = '''
 file where event.type == "change" and wildcard(file.name,"*AAA.AAA")
 '''
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 88268281aae..86011885df0 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2021/01/20"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Windows cryptographic system to validate file signatures on the system. This may
 validation checks or inject code into critical processes.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "SIP Provider Modification"
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 54c7deaf2b8..a351f48686e 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2020/12/14"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies a SolarWinds binary modifying the start type of a service to be disab
 technique to manipulate relevant security services.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "SolarWinds Process Disabling Services via Registry"
diff --git a/rules/windows/defense_evasion_stop_process_service_threshold.toml b/rules/windows/defense_evasion_stop_process_service_threshold.toml
index b4adc684148..ae89418fed1 100644
--- a/rules/windows/defense_evasion_stop_process_service_threshold.toml
+++ b/rules/windows/defense_evasion_stop_process_service_threshold.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/03"
 maturity = "production"
-updated_date = "2020/12/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ This rule identifies a high number (10) of process terminations (stop, delete, o
 short time period. This may indicate a defense evasion attempt.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "High Number of Process and/or Service Terminations"
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.threshold]
 field = "host.id"
 value = 10
+
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index c6fab8cc4d5..89c3495e9df 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies a suspicious managed code hosting process which could indicate code i
 code execution.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious Managed Code Hosting Process"
diff --git a/rules/windows/defense_evasion_suspicious_powershell_imgload.toml b/rules/windows/defense_evasion_suspicious_powershell_imgload.toml
index d340009a674..97e1f7796cb 100644
--- a/rules/windows/defense_evasion_suspicious_powershell_imgload.toml
+++ b/rules/windows/defense_evasion_suspicious_powershell_imgload.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2020/11/17"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the PowerShell engine being invoked by unexpected processes. Rather t
 with powershell.exe, some attackers do this to operate more stealthily.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious PowerShell Engine ImageLoad"
@@ -85,3 +85,4 @@ reference = "https://attack.mitre.org/techniques/T1086/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index 329d054ba32..645fd496daa 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies scrobj.dll loaded into unusual Microsoft processes. This usually mean
 executed in the target process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Windows Suspicious Script Object Execution"
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index c8440cb1f9b..052cff176bf 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r
 such as command line, network connections, file writes and associated file signature details as well.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious Zoom Child Process"
@@ -20,7 +20,6 @@ severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"

-
 query = '''
 process where event.type in ("start", "process_started", "info") and process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe")
@@ -39,6 +38,7 @@ id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"

+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 8bd85f5cba5..74e97e2b77e 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies an unexpected executable file being created or modified by a Windows
 indicate activity related to remote code execution or other forms of exploitation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual Executable File Creation by a System Critical Process"
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index cc318e3c5b4..810d55ebbd7 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/12/04"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
 Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.
 """
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Unusual Process Execution Path - Alternate Data Stream"
@@ -37,3 +37,4 @@ reference = "https://attack.mitre.org/techniques/T1564/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index 7277a0627da..a3d6a78669e 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual Child Process from a System Virtual Process"
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index db983590aca..9219ddd55e1 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
 The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Potential Evasion via Filter Manager"
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
index caada8f2143..517591227d0 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commo
 other destructive attacks.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Volume Shadow Copy Deletion via VssAdmin"
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
index f1d6741f63b..e4722e1fdd7 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly
 other destructive attacks.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Volume Shadow Copy Deletion via WMIC"
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 1bed7f7deb2..e059f809713 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ leveraged by threat actors to perform post-exploitation Active Directory reconna
 observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "AdFind Command Activity"
@@ -75,3 +75,4 @@ reference = "https://attack.mitre.org/techniques/T1482/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index c5be81f340f..4326cdb3422 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/12/04"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
 Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.
 """
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Enumeration of Administrator Accounts"
diff --git a/rules/windows/discovery_file_dir_discovery.toml b/rules/windows/discovery_file_dir_discovery.toml
index 6e2d1953ea5..79ccffa21b2 100644
--- a/rules/windows/discovery_file_dir_discovery.toml
+++ b/rules/windows/discovery_file_dir_discovery.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/12/04"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
 description = """
-Enumeration of files and directories using built-in tools. Adversaries may use the information discovered
-to plan follow-on activity.
+Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan
+follow-on activity.
 """
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "File and Directory Discovery"
@@ -23,7 +23,6 @@ query = '''
 process where event.type in ("start", "process_started") and (process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : ("dir", "tree")
-
 '''
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index 3d3e1509e0e..28c5d15b6d9 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the SYSTEM account using an account discovery utility. This could be
 adversary has achieved privilege escalation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Net command via SYSTEM account"
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index be09241a651..b1d52d18d80 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/12/04"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool."
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Windows Network Enumeration"
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index b50ab30ee80..4bc5afbb26b 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2020/11/02"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices and components
-connected to a computer system.
+Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices
+and components connected to a computer system.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Peripheral Device Discovery"
@@ -38,3 +38,4 @@ reference = "https://attack.mitre.org/techniques/T1120/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/discovery_process_discovery_via_tasklist_command.toml b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
index 36b7e5c8360..3f264806413 100644
--- a/rules/windows/discovery_process_discovery_via_tasklist_command.toml
+++ b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = [
 tasklist to get information about running processes.
 """,
 ]
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Process Discovery via Tasklist"
diff --git a/rules/windows/discovery_query_registry_via_reg.toml b/rules/windows/discovery_query_registry_via_reg.toml
index 100e6ad580d..17bc8d09ef6 100644
--- a/rules/windows/discovery_query_registry_via_reg.toml
+++ b/rules/windows/discovery_query_registry_via_reg.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/12/04"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Enumeration or discovery of the Windows registry using reg.exe. This information can be used to perform
-follow-on activities.
+Enumeration or discovery of the Windows registry using reg.exe. This information can be used to perform follow-on
+activities.
 """
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Query Registry via reg.exe"
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index 3d15ca05fd5..3225015d51f 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/12/04"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Discovery of remote system information using built-in commands, which may be used to mover laterally."
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Remote System Discovery Commands"
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index b77116394c3..8404f61e510 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2020/10/19"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the use of Windows Management Instrumentation Command (WMIC) to disco
 such as AntiVirus or Host Firewall details.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Security Software Discovery using WMIC"
@@ -39,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1518/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 3f8dcc1b7c2..b8139f26583 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 frameworks. Usage by non-engineers and ordinary users is unusual.
 """,
 ]
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Whoami Process Activity"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index be8e2c1938b..f5d92d21fd2 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2020/12/14"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ false_positives = [
 "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Command Execution via SolarWinds Process"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index 676728e9ee1..3447ec10cc3 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2020/12/14"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ false_positives = [
 "Trusted SolarWinds child processes, verify process details such as network connections and file writes.",
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious SolarWinds Child Process"
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index c31e41d343b..4635dc443af 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Command Prompt Network Connection"
diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml
index 1fa834d3376..86e1bd76a72 100644
--- a/rules/windows/execution_command_shell_started_by_powershell.toml
+++ b/rules/windows/execution_command_shell_started_by_powershell.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "PowerShell spawning Cmd"
@@ -35,6 +35,7 @@ id = "T1086"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1086/"
 
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index a95042cd919..ff2cf27aa74 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Svchost spawning Cmd"
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 69d781b4a26..6a76eaa392e 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual Parent Process for cmd.exe"
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index 1887a833845..1f73fd5d5f9 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2020/10/19"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Command Shell Activity Started via RunDLL32"
@@ -38,6 +38,7 @@ id = "T1086"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1086/"
 
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index 639482fd69b..bfb6189be7d 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies .lnk shortcut file downloaded from outside the local network. These s
 phishing campaigns.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Downloaded Shortcut Files"
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index 4922cec1523..2620af7cdc5 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies .url shortcut files downloaded from outside the local network. These
 phishing campaigns.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Downloaded URL Files"
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 50d20d0a6d2..1ad6808da7f 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/01/19"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies native Windows host and network enumeration commands spawned by the W
 Provider Service (WMIPrvSE).
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Enumeration Command Spawned via WMIPrvSE"
diff --git a/rules/windows/execution_from_unusual_directory.toml b/rules/windows/execution_from_unusual_directory.toml
index 0867febdabd..9df1a4f1d83 100644
--- a/rules/windows/execution_from_unusual_directory.toml
+++ b/rules/windows/execution_from_unusual_directory.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2020/10/30"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies process execution from suspicious default Windows directories. This is sometimes done by
-adversaries to hide malware in trusted paths.
+Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide
+malware in trusted paths.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Process Execution from an Unusual Directory"
@@ -39,3 +39,4 @@ process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\User
 /* uncomment once in winlogbeat */
 /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */
 '''
+
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index e8c8371d3b4..679a8a9ebc2 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2020/10/30"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies process execution from suspicious default Windows directories. This m
 malware in trusted paths.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Execution from Unusual Directory - Command Line"
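Review bot: The `/* uncomment once in winlogbeat */` guard in the rules/windows/execution_from_unusual_directory.toml query hunk names only one of the three sources the rule now reads from; once `logs-windows.*` is in `index`, the code-signature exclusion can only be enabled when that source populates `process.code_signature.*` too, and the comment should record that dependency so the next editor does not switch it on for Winlogbeat alone. Suggest `/* uncomment once process.code_signature is populated by winlogbeat and the windows integration */`. Whether the Windows integration fills those fields is not visible here and should be checked before the exclusion is turned on.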
@@ -38,3 +38,4 @@ process.args : ("C:\\PerfLogs\\*","C:\\Users\\Public\\*","C:\\Users\\Default\\*"
 "C:\\Windows\\rescache\\*","C:\\Windows\\Provisioning\\*","C:\\Windows\\PrintDialog\\*","C:\\Windows\\PolicyDefinitions\\*","C:\\Windows\\media\\*",
 "C:\\Windows\\Globalization\\*","C:\\Windows\\L2Schemas\\*","C:\\Windows\\LiveKernelReports\\*","C:\\Windows\\ModemLogs\\*","C:\\Windows\\ImmersiveControlPanel\\*")
 '''
+
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 65e2c930441..66ae25af7f9 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ malicious code in a CHM file and deliver it to a victim for execution. CHM conte
 program (hh.exe).
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Network Connection via Compiled HTML File"
diff --git a/rules/windows/execution_local_service_commands.toml b/rules/windows/execution_local_service_commands.toml
index e9e18570702..8da64e6173c 100644
--- a/rules/windows/execution_local_service_commands.toml
+++ b/rules/windows/execution_local_service_commands.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies use of sc.exe to create, modify, or start services on remote hosts. T
 lateral movement but will be noisy if commonly done by admins.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Local Service Commands"
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index e16d184c823..8cadf594453 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies an executable created by a Microsoft Office application and subsequen
 launched via scripts inside documents or during exploitation of MS Office applications.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Execution of File Written or Modified by Microsoft Office"
diff --git a/rules/windows/execution_msbuild_making_network_connections.toml b/rules/windows/execution_msbuild_making_network_connections.toml
index 57eb2eb9b87..ef1b4b70508 100644
--- a/rules/windows/execution_msbuild_making_network_connections.toml
+++ b/rules/windows/execution_msbuild_making_network_connections.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies MsBuild.exe making outbound network connections. This may indicate ad
 leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "MsBuild Making Network Connections"
diff --git a/rules/windows/execution_mshta_making_network_connections.toml b/rules/windows/execution_mshta_making_network_connections.toml
index e4b1581a1b5..ed7ad0b0c9d 100644
--- a/rules/windows/execution_mshta_making_network_connections.toml
+++ b/rules/windows/execution_mshta_making_network_connections.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "development"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies mshta.exe making a network connection. This may indicate adversarial
 by adversaries to execute malicious scripts and evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Network Connection via Mshta"
diff --git a/rules/windows/execution_msxsl_network.toml b/rules/windows/execution_msxsl_network.toml
index 062b71705eb..e94b466491a 100644
--- a/rules/windows/execution_msxsl_network.toml
+++ b/rules/windows/execution_msxsl_network.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies msxsl.exe making a network connection. This may indicate adversarial
 by adversaries to execute malicious scripts and evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Network Connection via MsXsl"
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 71383b6cf9b..44f7604ad0f 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies a suspicious file that was written by a PDF reader application and su
 often launched via exploitation of PDF applications.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Execution of File Written or Modified by PDF Reader"
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index df7b997b88b..25877af5581 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "PsExec Network Connection"
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 006f2b02b1d..7dfadc2eb12 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Network Connection via Registration Utility"
diff --git a/rules/windows/execution_script_executing_powershell.toml b/rules/windows/execution_script_executing_powershell.toml
index 003c2b21dea..72c2c79bb59 100644
--- a/rules/windows/execution_script_executing_powershell.toml
+++ b/rules/windows/execution_script_executing_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies a PowerShell process launched by either cscript.exe or wscript.exe. O
 executing a PowerShell script, may be indicative of malicious activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Windows Script Executing PowerShell"
diff --git a/rules/windows/execution_scripts_process_started_via_wmi.toml b/rules/windows/execution_scripts_process_started_via_wmi.toml
index be39c554493..905e9469705 100644
--- a/rules/windows/execution_scripts_process_started_via_wmi.toml
+++ b/rules/windows/execution_scripts_process_started_via_wmi.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/11/27"
 maturity = "production"
-updated_date = "2020/11/27"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management
-Instrumentation (WMI). This may be indicative of malicious activity.
+Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process
+via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Windows Script Interpreter Executing Process via WMI"
@@ -63,6 +63,7 @@ id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
 
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 06a1448856d..348c0a113c4 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -1,16 +1,17 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2020/10/28"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to
-execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.
+Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse
+shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local
+paths.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Execution via local SxS Shared Module"
@@ -39,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1129/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index 6ed42402840..312a0225fd0 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2020/11/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processe
 adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can
 be used to execute code and evade traditional parent/child processes spawned from MS Office products.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious WMI Image Load from MS Office"
diff --git a/rules/windows/execution_suspicious_ms_office_child_process.toml b/rules/windows/execution_suspicious_ms_office_child_process.toml
index a2f5d71569e..15087cea041 100644
--- a/rules/windows/execution_suspicious_ms_office_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_office_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/12/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ These child processes are often launched during exploitation of Office applicati
 macros.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious MS Office Child Process"
diff --git a/rules/windows/execution_suspicious_ms_outlook_child_process.toml b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
index b119ee390cf..3f94fb18d61 100644
--- a/rules/windows/execution_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe
 phishing activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious MS Outlook Child Process"
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 9a4b315a30b..67b30042769 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/30"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies suspicious child processes of PDF reader applications. These child pr
 exploitation of PDF applications or social engineering.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious PDF Reader Child Process"
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 78616331e22..e540796fcc6 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies suspicious psexec activity which is executing from the psexec service
 evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious Process Execution via Renamed PsExec Executable"
diff --git a/rules/windows/execution_suspicious_short_program_name.toml b/rules/windows/execution_suspicious_short_program_name.toml index 07e7d1c729c..c7134e37b1a 100644 --- a/rules/windows/execution_suspicious_short_program_name.toml +++ b/rules/windows/execution_suspicious_short_program_name.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/15" maturity = "production" -updated_date = "2020/11/15" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies process execution with a single character process name. This is often executing temporary utilities. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Suspicious Execution - Short Program Name" @@ -24,3 +24,4 @@ query = ''' process where event.type in ("start", "process_started") and length(process.name) > 0 and length(process.name) == 5 and host.os.name == "Windows" and length(process.pe.original_file_name) > 5 ''' + diff --git a/rules/windows/execution_unusual_dns_service_children.toml b/rules/windows/execution_unusual_dns_service_children.toml index 703e0b4b452..ce38138eea6 100644 --- a/rules/windows/execution_unusual_dns_service_children.toml +++ b/rules/windows/execution_unusual_dns_service_children.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/16" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ to spawn. """, ] -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Unusual Child Process of dns.exe" diff --git a/rules/windows/execution_unusual_dns_service_file_writes.toml b/rules/windows/execution_unusual_dns_service_file_writes.toml index 5e4c5d6119d..d2cb44bf492 100644 
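Review bot: The query hunk of execution_suspicious_short_program_name.toml requires `length(process.pe.original_file_name) > 5`, but the index pattern added a few lines above (`logs-windows.*`) presumably also carries process-creation events that do not populate `process.pe.original_file_name` (Security event 4688 is the usual example), and those events can never satisfy the rule. That is not a correctness problem, but the added index then buys no coverage for such sources, so a one-line comment in the query such as `/* needs process.pe.original_file_name, i.e. Sysmon or Endpoint process events */`, or a check that the Windows integration's data streams carry that field, would make the intent explicit. The `length(process.name) > 0` clause is also subsumed by `length(process.name) == 5` and can be dropped if the query is touched.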
--- a/rules/windows/execution_unusual_dns_service_file_writes.toml +++ b/rules/windows/execution_unusual_dns_service_file_writes.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/16" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Unusual File Modification by dns.exe" diff --git a/rules/windows/execution_unusual_network_connection_via_rundll32.toml b/rules/windows/execution_unusual_network_connection_via_rundll32.toml index 4180a568f98..22f39160d86 100644 --- a/rules/windows/execution_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/execution_unusual_network_connection_via_rundll32.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/07" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies unusual instances of rundll32.exe making outbound network connections and Control activity. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Unusual Network Connection via RunDLL32" @@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1085/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_unusual_process_network_connection.toml b/rules/windows/execution_unusual_process_network_connection.toml index 653e37b993b..c6c1f006d38 100644 
--- a/rules/windows/execution_unusual_process_network_connection.toml
+++ b/rules/windows/execution_unusual_process_network_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies network activity from unexpected system applications. This may indica
 applications are often leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Unusual Process Network Connection"
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 4c26d15119d..34968c9d215 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 to conceal malicious code.
 """,
 ]
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Process Activity via Compiled HTML File"
diff --git a/rules/windows/execution_via_explorer_suspicious_child_parent_args.toml b/rules/windows/execution_via_explorer_suspicious_child_parent_args.toml
index 8d43e039929..c16745f5982 100644
--- a/rules/windows/execution_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/execution_via_explorer_suspicious_child_parent_args.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/29"
 maturity = "production"
-updated_date = "2020/10/29"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies a suspicious Windows explorer child process. Explorer.exe can be abus
 executables from a trusted parent process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious Explorer Child Process"
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 7391f6ae599..e0a38fc11c3 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Detects when the Console Window Host (conhost.exe) process is spawned by a suspi
 indicative of code injection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Conhost Spawned By Suspicious Parent Process"
diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml
index abda5a1ff5c..d828c0b1963 100644
--- a/rules/windows/execution_via_net_com_assemblies.toml
+++ b/rules/windows/execution_via_net_com_assemblies.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to r
 utility.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Execution via Regsvcs/Regasm"
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index 8d450b1d78e..d2c9f7034c6 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may
 using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Execution via MSSQL xp_cmdshell Stored Procedure"
diff --git a/rules/windows/exfiltration_winrar_encryption.toml b/rules/windows/exfiltration_winrar_encryption.toml
index 92871c3f6cb..e7b2511aa0a 100644
--- a/rules/windows/exfiltration_winrar_encryption.toml
+++ b/rules/windows/exfiltration_winrar_encryption.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/12/04"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and
-encrypt data in preparation for exfiltration.
+Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in
+preparation for exfiltration.
 """
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Encrypting Files with WinRar or 7z"
@@ -42,7 +42,9 @@ id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index ab3d813cb55..e422cf1fbca 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies use of sc.exe to create, modify, or start services on remote hosts. T lateral movement but will be noisy if commonly done by admins. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Service Command Lateral Movement" diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index 0fb1132d709..5eac56b198b 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/03" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ launched via the HTA Application COM Object. This behavior may indicate an attac laterally while attempting to evading detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Incoming DCOM Lateral Movement via MSHTA" 
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index 671662da7a7..bb0b641e285 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -1,17 +1,17 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2020/11/06"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via
-the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move
+Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched
+via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move
 laterally.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Incoming DCOM Lateral Movement with MMC"
@@ -45,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index cf92d464cc7..75eaa527a25 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2020/11/06"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may
 application to stealthily move laterally.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index c6b545bd84b..3f0d413ff22 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ connections are established by the kernel. Processes making 445/tcp connections
 suspicious user-level processes moving laterally.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Direct Outbound SMB Connection"
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 70b53c121b5..23cfaf3befd 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/10"
 maturity = "production"
-updated_date = "2020/11/10"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the creation or change of a Windows executable file over network shar
 other files between systems in a compromised environment.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Lateral Tool Transfer"
@@ -43,3 +43,4 @@ reference = "https://attack.mitre.org/techniques/T1570/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index e3f9268cd2b..a3787807349 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2020/11/11"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint ts
 indicate a lateral movement attempt.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Execution via TSClient Mountpoint"
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index d1678826ed0..7b38983334b 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the execution of a file that was created by the virtual system proces
 via network file shares.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Remote Execution via File Shares"
@@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1077/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 358cf3522b0..78e58a4a65a 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2020/11/24"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Incoming Execution via WinRM Remote Shell"
@@ -47,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index ffb92d03ae0..4b665285214 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2020/11/15"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a
 adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "WMI Incoming Lateral Movement"
@@ -54,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1047/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 3a4396a90af..cea0c39b783 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -1,15 +1,16 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2020/11/02"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.
+Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or
+preparation for data exfiltration.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Mounting Hidden or WebDav Remote Shares"
@@ -43,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1077/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index b48cac213d4..941a8a418ac 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -1,11 +1,14 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2020/11/24"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
-description = "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement."
+description = """
+Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows
+PowerShell command on one or more remote computers. This could be an indication of lateral movement.
+"""
 false_positives = [
 """
 PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to
@@ -13,11 +16,13 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Incoming Execution via PowerShell Remoting"
-references = ["https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"]
+references = [
+ "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1",
+]
 risk_score = 43
 rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254"
 severity = "medium"
@@ -45,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index c6f62e55f10..a283a94b576 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2020/11/25"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement
-preparation.
+Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of
+adversary lateral movement preparation.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "RDP Enabled via Registry"
@@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index fa35a2ef51a..27c319f0efa 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2020/11/11"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a
-remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
+Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution
+against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Potential SharpRDP Behavior"
@@ -57,3 +57,4 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_rdp_tunnel_plink.toml b/rules/windows/lateral_movement_rdp_tunnel_plink.toml
index f5979ee6f39..dea64cab9ff 100644
--- a/rules/windows/lateral_movement_rdp_tunnel_plink.toml
+++ b/rules/windows/lateral_movement_rdp_tunnel_plink.toml
@@ -1,16 +1,16 @@ [metadata] creation_date = "2020/10/14" maturity = "production" -updated_date = "2020/10/14" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = """ -Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This could be indicative of adversary lateral -movement to interactively access restricted networks. +Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This could be indicative of +adversary lateral movement to interactively access restricted networks. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Potential Remote Desktop Tunneling Detected" @@ -24,7 +24,7 @@ type = "eql" query = ''' process where event.type in ("start", "process_started", "info") and /* RDP port and usual SSH tunneling related switches in commandline */ -wildcard(process.args, "*:3389") and wildcard(process.args,"-L", "-P", "-R", "-pw", "-ssh") +wildcard(process.args, "*:3389") and wildcard(process.args,"-L", "-P", "-R", "-pw", "-ssh") ''' diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 6dcd267ffa1..c6efb5b9847 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/04" maturity = "production" -updated_date = "2020/11/04" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies a remote file copy attempt to a hidden network share. This may indica
 activity.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Remote File Copy to a Hidden Share"
@@ -39,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1077/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index 64cef67cfad..9aad9c4860c 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2020/11/16"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies remote execution of Windows services over remote procedure call (RPC)
 movement, but will be noisy if commonly done by administrators."
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Remotely Started Services via RPC"
@@ -49,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1035/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_scheduled_task_powershell_source.toml b/rules/windows/lateral_movement_scheduled_task_powershell_source.toml
index 75a53bd30f7..98cf55bb064 100644
--- a/rules/windows/lateral_movement_scheduled_task_powershell_source.toml
+++ b/rules/windows/lateral_movement_scheduled_task_powershell_source.toml
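Review bot: The description context line in the lateral_movement_remote_services.toml hunk ends with a stray quote, `movement, but will be noisy if commonly done by administrators."`, which sits inside the triple-quoted string and so becomes part of the description text shown to analysts. It looks like a leftover from an earlier single-line `description = "..."` form; since the commit already reflows descriptions in neighbouring files (and touches this file's `index` line), dropping the trailing `"` here would be a one-character fix in the same pass. The `[rule]` table this description belongs to starts outside the hunk.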
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2020/12/15"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ within a short time period. This may indicate lateral movement or remote discove
 """
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Outbound Scheduled Task Activity via PowerShell"
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 9f54174f317..8047fa05c36 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -1,15 +1,13 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2020/11/20"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
-description = """
-Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.
-"""
+description = "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement."
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Remote Scheduled Task Creation"
@@ -56,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1053/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/lateral_movement_suspicious_cmd_wmi.toml b/rules/windows/lateral_movement_suspicious_cmd_wmi.toml
index b228ef0c5ec..4ae034b4302 100644
--- a/rules/windows/lateral_movement_suspicious_cmd_wmi.toml
+++ b/rules/windows/lateral_movement_suspicious_cmd_wmi.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2020/10/19"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be
-indicative of adversary lateral movement.
+Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could
+be indicative of adversary lateral movement.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious Cmd Execution via WMI"
@@ -39,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1047/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index 7425c8945bc..159e99a2a38 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2020/11/19"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence
-of RDP lateral movement capability.
+Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the
+presence of RDP lateral movement capability.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious RDP ActiveX Client Loaded"
@@ -49,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index f1bd430fbaa..958ec2eabcb 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2020/10/19"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this
-to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
+Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move
+laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Lateral Movement via Startup Folder"
@@ -53,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1060/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 1d869adc6bc..1cb3fba2469 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = "Detects writing executable files that will be automatically launched by Adobe on launch."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Adobe Hijack Persistence"
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index b67f983a510..f7bd63eeef1 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the installation of custom Application Compatibility Shim databases.
 abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Installation of Custom Shim Databases"
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 352c1b96312..8d3196e0fde 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/11/18"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = """
-Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process
-using the common API functions to create processes.
+Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every
+process using the common API functions to create processes.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Registry Persistence via AppCert DLL"
@@ -38,3 +38,4 @@ reference = "https://attack.mitre.org/techniques/T1182/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index a51d4175c1d..138bad2dbbe 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/11/18"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = """
-Attackers may maintain persistence by creating registry keys using AppInit DLLs. AppInit DLLs are loaded by every process
-using the common library, user32.dll.
+Attackers may maintain persistence by creating registry keys using AppInit DLLs. AppInit DLLs are loaded by every
+process using the common library, user32.dll.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Registry Persistence via AppInit DLL"
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1103/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index e3880080250..f10112484ca 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2020/12/18"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ sometimes done by attackers to increase access to a system and avoid appearing i
 the net users command.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Creation of a Hidden Local User Account"
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 8c7a7313be3..57ab5b0decb 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2020/11/17"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
 The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Image File Execution Options Injection"
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index 4d72b9b9bf6..7d17f3cd50b 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ legitimate system administration, but can also be abused by an attacker with dom
 malicious payload remotely on all or a subset of the domain joined machines.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Creation or Modification of a new GPO Scheduled Task or Service"
diff --git a/rules/windows/persistence_local_scheduled_task_commands.toml b/rules/windows/persistence_local_scheduled_task_commands.toml
index 6067b4463a2..f394d9203e3 100644
--- a/rules/windows/persistence_local_scheduled_task_commands.toml
+++ b/rules/windows/persistence_local_scheduled_task_commands.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges."
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Local Scheduled Task Commands"
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index 639f9fe4aa8..cd0a91b71f1 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -1,14 +1,17 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2020/11/29"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
-description = "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence."
+description = """
+A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by
+an adversary to establish persistence.
+"""
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Scheduled Task Created by a Windows Script"
@@ -38,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1053/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index b8ce8e5028d..c77ac92243d 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/10/16"
 maturity = "production"
-updated_date = "2020/10/16"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins."
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Persistence via Microsoft Office AddIns"
@@ -39,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1137/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 4ee6ffc573e..da98ec8e0af 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2020/11/23"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template."
 false_positives = ["A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."]
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Persistence via Microsoft Outlook VBA"
@@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1137/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index decec678a44..b87cfacffd6 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Windows contains accessibility features that may be launched with a key combinat
 adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Potential Modification of Accessibility Binaries"
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 62fe0700540..89b5b6cd28c 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/11/18"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
 Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Uncommon Registry Persistence Change"
@@ -95,3 +95,4 @@ reference = "https://attack.mitre.org/techniques/T1112/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 86ff51a3b65..73601417dcf 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/11/18"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage
-startup folder items as a form of persistence.
+Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts,
+attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Startup or Run Key Registry Modification"
@@ -61,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1060/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index f5864c827e7..381b9c31734 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2020/11/19"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = """
 Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and
-command line usage.
+command line usage.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Execution of Persistent Suspicious Program"
@@ -53,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1060/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 9cb48d11828..9ab29b14305 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/11/18"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies processes modifying the services registry key directly, instead of th
 could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Unusual Persistence via Services Registry"
@@ -48,3 +48,4 @@ reference = "https://attack.mitre.org/techniques/T1050/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 63690696aa4..9940ad08074 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/11/18"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
 Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Shortcut File Written or Modified for Persistence"
@@ -57,3 +57,4 @@ reference = "https://attack.mitre.org/techniques/T1060/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index d1a9b2aa397..bf773ceadc0 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/11/18"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = "Identifies script engines creating files in the startup folder, or the creation of script files in the startup folder."
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Persistent Scripts in the Startup Directory"
@@ -44,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1060/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index b9f1f8e3a56..36438bc15fa 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -1,19 +1,21 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2020/11/18"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content
-triggered by hijacked references to COM objects.
+Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by
+executing malicious content triggered by hijacked references to COM objects.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Component Object Model Hijacking"
-references = ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"]
+references = [
+ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
+]
 risk_score = 47
 rule_id = "16a52c14-7883-47af-8745-9357803f0d4c"
 severity = "medium"
@@ -49,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1122/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index 8d376601fda..48604cbad44 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2020/11/17"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ adversarial activity where a scheduled task is configured via Windows Component
 be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious Image Load (taskschd.dll) from MS Office"
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 2f9db10d1cf..a5af34a1d0c 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2020/11/19"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
 description = "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage."
 false_positives = ["Legitimate scheduled tasks running third party software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious Execution via Scheduled Task"
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index 7935c7563a9..7342b04ac26 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2020/11/23"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
 Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.
 """
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious ImagePath Service Creation"
@@ -38,3 +38,4 @@ reference = "https://attack.mitre.org/techniques/T1050/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index e06d2618bd5..60cc2b9e50f 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati
 testers may run a shell as a service to gain SYSTEM permissions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "System Shells via Services"
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index 6988f1ec470..fc42eccc711 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/01/19"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ abuse this architecture to establish persistence, specifically by registering an
 provider.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Potential Persistence via Time Provider Modification"
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index 75ca39cc8ce..e1425794c7c 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies attempts to create new local users. This is sometimes done by attacke
 domain.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "User Account Creation"
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index a68dc17d4c5..cce8f85b9af 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ The Application Shim was created to allow for backward compatibility of software changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Potential Application Shimming via Sdbinst" diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index 17a869ca691..bc2af68e37a 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -1,17 +1,16 @@ [metadata] creation_date = "2020/11/15" maturity = "production" -updated_date = "2020/11/15" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = """ -Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null -terminated) registry key. An adversary may use this method to hide from system utilities such as -the Registry Editor (regedit). +Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) +registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit). """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Persistence via Hidden Run Key Detected" @@ -48,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1060/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 20900c994bf..3ba2fa3501b 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml @@ -1,14 +1,15 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2020/11/18" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = """ -Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment. +Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may +abuse this to establish persistence in an environment. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Installation of Security Support Provider" @@ -38,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1101/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index ecfdc511ed1..1b6ff95a572 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/17" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Detects the successful hijack of Microsoft Compatibility Appraiser scheduled tas integrity level of system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Persistence via TelemetryController Scheduled Task Hijack" diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index f63bbef467d..6d06fea724a 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/17" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies potential hijacking of the Microsoft Update Orchestrator Service to e level of SYSTEM. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Persistence via Update Orchestrator Service Hijack" diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index 0da8cdd7d57..d56ffd152c0 100644 --- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml +++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2020/12/04" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ An adversary can use Windows Management Instrumentation (WMI) to install event f bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. """ -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Persistence via WMI Event Subscription" @@ -25,7 +25,6 @@ process where event.type in ("start", "process_started") and (process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and process.args : "create" and process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer") - ''' @@ -41,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1546/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index f4d1f09c960..d3f1af3f984 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml 
@@ -1,18 +1,21 @@ [metadata] creation_date = "2020/11/23" maturity = "production" -updated_date = "2020/11/23" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = """ -Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command. +Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by +utilizing a framework such Metasploit's meterpreter getsystem command. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Privilege Escalation via Named Pipe Impersonation" -references = ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation"] +references = [ + "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", +] risk_score = 73 rule_id = "3ecbdc9e-e4f2-43fa-8cca-63802125e582" severity = "high" @@ -38,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1134/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index b9695e93280..6afbac4db3f 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/26" maturity = "production" -updated_date = "2020/11/26" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
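Review bot: The rewrapped description in the privilege_escalation_named_pipe_impersonation.toml hunk keeps a wording error on the new side: "a framework such Metasploit's meterpreter getsystem command" is missing "as". Since the line is already being rewritten by this commit, fix it here: `utilizing a framework such as Metasploit's meterpreter getsystem command.` The same hunk also writes `updated_date = "2020/01/28"`, which is earlier than this rule's `creation_date = "2020/11/23"`; the intended value is presumably `2021/01/28`.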
@@ -11,7 +11,7 @@ Exploitation involves chaining multiple primitives to load an arbitrary DLL into SYSTEM. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Suspicious Print Spooler Point and Print DLL" @@ -49,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index d14526aab5d..d48f4792e5b 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/14" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE- system is patched. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Suspicious PrintSpooler Service Executable File Creation" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index 04a8a87f391..9980801efe3 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/14" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Detects attempts to exploit privilege escalation vulnerabilities related to the CVE-2020-1048 and CVE-2020-1337. . """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Suspicious PrintSpooler SPL File Created" diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index ecef369cc6b..0a4defe31d4 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/26" maturity = "production" -updated_date = "2020/11/26" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Privilege Escalation via Windir Environment Variable" @@ -38,3 +38,4 @@ reference = "https://attack.mitre.org/techniques/T1034/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index 5eb3bc30aea..b75785fe4b8 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml 
@@ -1,16 +1,16 @@ [metadata] creation_date = "2020/10/28" maturity = "production" -updated_date = "2020/10/28" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = """ -Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue -Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. +Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows +ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface" @@ -41,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1088/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index 5c58e2c1e49..8aa4f5b067a 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/03" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer" @@ -43,3 +43,4 @@ reference = "https://attack.mitre.org/techniques/T1088/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index 683c08e4284..3067a29a175 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/19" maturity = "production" -updated_date = "2020/10/19" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevate to bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "UAC Bypass via ICMLuaUtil Elevated COM Interface" @@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1088/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index 8147e17c431..f5dcc18d995 100644 
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/18" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "UAC Bypass via DiskCleanup Scheduled Task Hijack" @@ -39,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1088/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index 05f3fd77480..dafcb7a265b 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml 
@@ -1,16 +1,16 @@ [metadata] creation_date = "2020/10/27" maturity = "production" -updated_date = "2020/10/27" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = """ -Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with -elevated permissions. +Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to +stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "UAC Bypass Attempt via Privileged IFileOperation COM Interface" @@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1088/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index 14e2f330dda..4b655de02ad 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/17" maturity = "production" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Bypass UAC via Event Viewer" diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 178ea37d5f6..7dddf8725a6 100644 
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -1,16 +1,16 @@ [metadata] creation_date = "2020/10/26" maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = """ -Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to -stealthily execute code with elevated permissions. +Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. +Attackers may bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "UAC Bypass Attempt via Windows Directory Masquerading" @@ -39,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1088/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 7ef9015e142..5ad5566e865 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/14" maturity = "production" -updated_date = "2020/10/14" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies attempts to bypass User Account Control (UAC) by hijacking the Micros Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "UAC Bypass via Windows Firewall Snap-In Hijack" @@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1088/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml index fc6770739e0..fd699fa24d0 100644 --- a/rules/windows/privilege_escalation_uac_sdclt.toml +++ b/rules/windows/privilege_escalation_uac_sdclt.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "development" -updated_date = "2020/11/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC elevated permissions. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Bypass UAC via Sdclt" diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 7b24606f33c..03df0a38b8d 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/03" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies Windows programs run from unexpected parent processes. This could ind activity on a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Unusual Parent-Child Relationship" diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index be18ffee3b3..2c3c154cebe 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml @@ -1,17 +1,17 @@ [metadata] creation_date = "2020/10/13" maturity = "production" -updated_date = "2020/10/13" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = """ -Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate -a code injection or an equivalent form of exploitation. +Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. +This may indicate a code injection or an equivalent form of exploitation. """ false_positives = ["Changes to Windows services or a rarely executed child process."] from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Unusual Service Host Child Process - Childless Service" @@ -64,3 +64,4 @@ reference = "https://attack.mitre.org/techniques/T1055/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 57c33c48d4e..84ed3e99cd1 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
@@ -268,6 +268,7 @@ def test_required_tags(self): 'logs-endpoint.alerts-*': {'all': ['Endpoint Security']}, 'logs-endpoint.events.*': {'any': ['Windows', 'macOS', 'Linux', 'Host']}, 'logs-okta*': {'all': ['Okta']}, + 'logs-windows.*': {'all': ['Windows']}, 'packetbeat-*': {'all': ['Network']}, 'winlogbeat-*': {'all': ['Windows']} } From bd0a08c82d3381aa80d319dfef1cec83ceae5fcc Mon Sep 17 00:00:00 2001 
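Review bot: The new `'logs-windows.*': {'all': ['Windows']}` entry means any rule that lists this index must carry the Windows tag, including the cross-platform hosts-file rule that picks up `logs-windows.*` later in this series; that rule's tags are not visible here, so confirm it is tagged Windows or the test will fail on it. The mapping itself is consistent with the existing `winlogbeat-*` entry, which is the right model since both carry Windows-only data. This hunk is in the middle of `test_required_tags`, whose body starts and ends outside the hunk. Separately, this patch rewrites `updated_date` in dozens of rules to a value earlier than several of their `creation_date`s; a sibling check such as `assert rule.contents['updated_date'] >= rule.contents['creation_date']` in the metadata tests would be a cheap guard against that class of regression.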
From: brokensound77 Date: Thu, 28 Jan 2021 20:32:48 -0900 Subject: [PATCH 2/3] Update indexes from resolved conflicts --- .../cross-platform/impact_hosts_file_modified.toml | 5 +++-- ...he_hidden_file_attribute_with_via_attribexe.toml | 4 ++-- rules/windows/defense_evasion_cve_2020_0601.toml | 5 +++-- ...asion_delete_volume_usn_journal_with_fsutil.toml | 5 +++-- ...asion_deleting_backup_catalogs_with_wbadmin.toml | 5 +++-- ...fense_evasion_enable_inbound_rdp_with_netsh.toml | 5 +++-- ...execution_msbuild_started_by_system_process.toml | 4 ++-- ...on_execution_msbuild_started_unusal_process.toml | 5 +++-- ...n_execution_via_trusted_developer_utilities.toml | 4 ++-- .../windows/defense_evasion_installutil_beacon.toml | 5 +++-- ...sion_misc_lolbin_connecting_to_the_internet.toml | 4 ++-- ...defense_evasion_modification_of_boot_config.toml | 5 +++-- ..._evasion_msbuild_making_network_connections.toml | 4 ++-- rules/windows/defense_evasion_mshta_beacon.toml | 5 +++-- ...se_evasion_mshta_making_network_connections.toml | 4 ++-- rules/windows/defense_evasion_msxsl_network.toml | 4 ++-- ...ense_evasion_port_forwarding_added_registry.toml | 5 +++-- rules/windows/defense_evasion_reg_beacon.toml | 5 +++-- .../defense_evasion_rundll32_no_arguments.toml | 5 +++-- ...e_evasion_scheduledjobs_at_protocol_enabled.toml | 5 +++-- ...efense_evasion_sdelete_like_filename_rename.toml | 5 +++-- ...inds_backdoor_service_disabled_via_registry.toml | 4 ++-- ...ion_unusual_network_connection_via_rundll32.toml | 4 ++-- ..._evasion_unusual_process_network_connection.toml | 4 ++-- ...vasion_volume_shadow_copy_deletion_via_wmic.toml | 5 +++-- ...ecution_command_shell_started_by_powershell.toml | 5 +++-- .../execution_command_shell_via_rundll32.toml | 5 +++-- .../execution_downloaded_shortcut_files.toml | 4 ++-- rules/windows/execution_downloaded_url_file.toml | 4 ++-- ...ecutable_program_connecting_to_the_internet.toml | 4 ++-- rules/windows/execution_ms_office_written_file.toml | 5 ++--- 
rules/windows/execution_pdf_written_file.toml | 5 ++--- .../execution_psexec_lateral_movement_command.toml | 4 ++-- ...r_server_program_connecting_to_the_internet.toml | 4 ++-- .../execution_scheduled_task_powershell_source.toml | 4 ++-- rules/windows/execution_suspicious_cmd_wmi.toml | 4 ++-- .../execution_suspicious_powershell_imgload.toml | 4 ++-- rules/windows/execution_suspicious_psexesvc.toml | 5 +++-- rules/windows/execution_via_compiled_html_file.toml | 4 ++-- rules/windows/execution_via_net_com_assemblies.toml | 4 ++-- ...ct_volume_shadow_copy_deletion_via_vssadmin.toml | 4 ++-- .../initial_access_script_executing_powershell.toml | 5 +++-- ...tial_access_scripts_process_started_via_wmi.toml | 4 ++-- ...l_access_suspicious_ms_office_child_process.toml | 4 ++-- ..._access_suspicious_ms_outlook_child_process.toml | 4 ++-- ...initial_access_unusual_dns_service_children.toml | 4 ++-- ...tial_access_unusual_dns_service_file_writes.toml | 4 ++-- ...s_via_explorer_suspicious_child_parent_args.toml | 4 ++-- rules/windows/lateral_movement_cmd_service.toml | 4 ++-- ...movement_execution_via_file_shares_sequence.toml | 5 +++-- rules/windows/lateral_movement_incoming_wmi.toml | 4 ++-- .../lateral_movement_local_service_commands.toml | 4 ++-- ...l_movement_mount_hidden_or_webdav_share_net.toml | 5 +++-- ...eral_movement_remote_file_copy_hidden_share.toml | 5 +++-- rules/windows/lateral_movement_remote_services.toml | 4 ++-- ...lateral_movement_via_startup_folder_rdp_smb.toml | 8 ++++---- .../persistence_adobe_hijack_persistence.toml | 5 +++-- rules/windows/persistence_app_compat_shim.toml | 5 +++-- rules/windows/persistence_appcertdlls_registry.toml | 5 +++-- rules/windows/persistence_appinitdlls_registry.toml | 5 +++-- ...persistence_evasion_registry_ifeo_injection.toml | 5 +++-- .../persistence_gpo_schtask_service_creation.toml | 4 ++-- ..._priv_escalation_via_accessibility_features.toml | 6 ++++-- rules/windows/persistence_registry_uncommon.toml | 4 ++-- 
.../persistence_run_key_and_startup_broad.toml | 5 +++-- ...sistence_runtime_run_key_startup_susp_procs.toml | 5 +++-- rules/windows/persistence_services_registry.toml | 5 +++-- ...p_folder_file_written_by_suspicious_process.toml | 5 +++-- .../windows/persistence_startup_folder_scripts.toml | 5 +++-- .../persistence_suspicious_com_hijack_registry.toml | 5 +++-- ...istence_suspicious_service_created_registry.toml | 5 +++-- .../persistence_system_shells_via_services.toml | 5 +++-- ..._via_lsa_security_support_provider_registry.toml | 5 +++-- .../privilege_escalation_uac_bypass_com_clipup.toml | 5 +++-- ...rivilege_escalation_uac_bypass_com_ieinstal.toml | 5 +++-- ...rivilege_escalation_uac_bypass_event_viewer.toml | 5 +++-- ...lege_escalation_uac_bypass_winfw_mmc_hijack.toml | 5 +++-- rules/windows/privilege_escalation_uac_sdclt.toml | 5 +++-- ...escalation_unusual_parentchild_relationship.toml | 5 +++-- ...alation_unusual_svchost_childproc_childless.toml | 13 +++++++------ 80 files changed, 211 insertions(+), 168 deletions(-) diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml index 68e0fd2e755..d776e701479 100644 --- a/rules/cross-platform/impact_hosts_file_modified.toml +++ b/rules/cross-platform/impact_hosts_file_modified.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/07" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ to malicious infrastructure. This rule detects modifications to the hosts file o RHEL) and macOS systems. """ from = "now-9m" -index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Hosts File Modified" 
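Review bot: The hosts-file rule metadata hunk moves `updated_date` backwards, from `2020/12/09` to `2020/01/28`, which is the same year typo as in the first patch and should be `updated_date = "2021/01/28"`. Note this is a cross-platform rule (auditbeat plus Windows sources); with `logs-windows.*` added to its `index` list, the new `test_required_tags` mapping requires it to carry the Windows tag, so check that its tags (not visible in this hunk) include it.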
@@ -41,6 +41,7 @@ name = "Stored Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/001/" + [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index 806c06c3419..a05c41d59bb 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -1,13 +1,13 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Adding Hidden File Attribute via Attrib" diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml index 04afe61143f..a3d5f8125dc 100644 --- a/rules/windows/defense_evasion_cve_2020_0601.toml +++ b/rules/windows/defense_evasion_cve_2020_0601.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/19" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) valid certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. """ -index = ["winlogbeat-*"] +index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)" @@ -37,6 +37,7 @@ name = "Code Signing" reference = "https://attack.mitre.org/techniques/T1553/002/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index 2a3ef5a976f..3223d8fdb21 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is of files created during post-exploitation activities. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Delete Volume USN Journal with Fsutil" @@ -38,6 +38,7 @@ name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml index c048558a403..8b06e81b78f 100644 
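Review bot: The metadata hunk of defense_evasion_delete_volume_usn_journal_with_fsutil.toml sets `updated_date = "2020/01/28"`, a date that precedes the rule's `creation_date = "2020/02/18"` shown three lines above it, so the rule now claims to have been updated before it existed. The value being replaced, "2020/12/09", was correct for the previous revision; this one should be `updated_date = "2021/01/28"`. If any release tooling compares these two fields, this file will fail that check.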
--- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and o system recovery. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Deleting Backup Catalogs with Wbadmin" @@ -38,6 +38,7 @@ name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index 8274f5e148d..74be3620b98 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/13" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies use of the network shell utility (netsh.exe) to enable inbound Remote the Windows Firewall. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Remote Desktop Enabled in Windows Firewall" @@ -40,6 +40,7 @@ name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
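Review bot: The `@@ -1,7 +1,7 @@` hunk of defense_evasion_deleting_backup_catalogs_with_wbadmin.toml replaces `updated_date = "2020/12/09"` with "2020/01/28", which is older than the previous value and older than the `creation_date = "2020/02/18"` in the same hunk. The year looks like a typo for the current one; the line should be `updated_date = "2021/01/28"`. The netsh rule's metadata hunk further along this line has the same problem.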
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 94bf7dbe499..61c0ac9a1da 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Instrumentation) subsystem. This behavior is unusual and is sometimes used by ma
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started by a System Process"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index fada88b384c..65a4ff9d8a2 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started an Unusual Process"
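Review bot: The metadata hunk of defense_evasion_execution_msbuild_started_by_system_process.toml writes `updated_date = "2020/01/28"`, which is earlier than the `creation_date = "2020/03/25"` two lines above and earlier than the "2020/12/17" it replaces. The intended value is almost certainly `updated_date = "2021/01/28"`. The sibling msbuild_started_unusal_process.toml hunk on this line has the same wrong year, so both files should be corrected together.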
@@ -45,6 +45,7 @@ name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml index 010927a20c9..12451567524 100644 --- a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml +++ b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml @@ -1,13 +1,13 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = "Identifies possibly suspicious activity using trusted Windows developer activity." false_positives = ["These programs may be used by Windows developers but use by non-engineers is unusual."] -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Trusted Developer Application Usage" diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml index 3c9cde6cc08..c4123749ed0 100644 --- a/rules/windows/defense_evasion_installutil_beacon.toml +++ b/rules/windows/defense_evasion_installutil_beacon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies InstallUtil.exe making outbound network connections. This may indicat often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "InstallUtil Process Making Network Connections" 
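Review bot: In the `@@ -1,13 +1,13 @@` hunk of defense_evasion_execution_via_trusted_developer_utilities.toml, `updated_date` drops from "2020/12/17" to "2020/01/28", a date before the file's own `creation_date = "2020/02/18"`. This should be `updated_date = "2021/01/28"`; the index addition in the same hunk is fine as it stands. The installutil_beacon metadata hunk later on this line repeats the mistake.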
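Review bot: The `@@ -10,7 +10,7 @@` hunk of defense_evasion_installutil_beacon.toml appends `"logs-windows.*"` to an index list that starts `"logs-endpoint.events.*", "winlogbeat-*"`, while the trusted-developer hunk just above lists `"winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"`, so the same three patterns now appear in two different orders across the rule set. Order does not affect which indices are searched, but a single canonical order such as `index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]` keeps future bulk edits of this field diff-friendly. If the repository's rule formatter already normalizes this list, this point is moot.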
@@ -41,6 +41,7 @@ name = "InstallUtil" reference = "https://attack.mitre.org/techniques/T1218/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index 4979a4dcb10..3432bf084fb 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ validation. Adversaries may use these binaries to 'live off the land' and execut application allowlists and signature validation. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Network Connection via Signed Binary" diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml index c413ecd3822..26fa35e19d3 100644 --- a/rules/windows/defense_evasion_modification_of_boot_config.toml +++ b/rules/windows/defense_evasion_modification_of_boot_config.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/16" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies use of bcdedit.exe to delete boot configuration data. This tactic is attacker as a destructive technique. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Modification of Boot Configuration" 
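Review bot: The `@@ -1,7 +1,7 @@` hunk of defense_evasion_misc_lolbin_connecting_to_the_internet.toml sets `updated_date = "2020/01/28"`, moving the date backwards from "2020/12/17" and below the `creation_date = "2020/02/18"` in the same hunk. The year is a typo; the line should read `updated_date = "2021/01/28"`. The modification_of_boot_config metadata hunk on this line needs the same correction.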
@@ -40,6 +40,7 @@ name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index 3620dce9603..4ec6b268e4b 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies MsBuild.exe making outbound network connections. This may indicate ad leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "MsBuild Making Network Connections" diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml index 71e35698de0..faa3b2740f8 100644 --- a/rules/windows/defense_evasion_mshta_beacon.toml +++ b/rules/windows/defense_evasion_mshta_beacon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies Mshta.exe making outbound network connections. This may indicate adve leveraged by adversaries to execute malicious scripts and evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Mshta Making Network Connections" 
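Review bot: The metadata hunk of defense_evasion_msbuild_making_network_connections.toml replaces `updated_date = "2020/12/17"` with "2020/01/28", which predates the file's `creation_date = "2020/02/18"`. That is a wrong year rather than a deliberate rollback; write `updated_date = "2021/01/28"`. The mshta_beacon hunk further along this line carries the same value and should be fixed with it.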
@@ -43,6 +43,7 @@ name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_mshta_making_network_connections.toml b/rules/windows/defense_evasion_mshta_making_network_connections.toml index 09415235614..6081de4868c 100644 --- a/rules/windows/defense_evasion_mshta_making_network_connections.toml +++ b/rules/windows/defense_evasion_mshta_making_network_connections.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "development" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies mshta.exe making a network connection. This may indicate adversarial by adversaries to execute malicious scripts and evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Network Connection via Mshta" diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index 63b5d133956..1360c7ed1bf 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml +++ b/rules/windows/defense_evasion_msxsl_network.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies msxsl.exe making a network connection. This may indicate adversarial by adversaries to execute malicious scripts and evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Network Connection via MsXsl" 
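Review bot: In the `@@ -1,7 +1,7 @@` hunk of defense_evasion_mshta_making_network_connections.toml, `updated_date` goes from "2020/12/17" to "2020/01/28", earlier than the `creation_date = "2020/02/18"` two lines above it. The intended line is `updated_date = "2021/01/28"`. The msxsl_network hunk on this line makes the identical change and needs the identical fix.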
diff --git a/rules/windows/defense_evasion_port_forwarding_added_registry.toml b/rules/windows/defense_evasion_port_forwarding_added_registry.toml index 28943786689..110703d218e 100644 --- a/rules/windows/defense_evasion_port_forwarding_added_registry.toml +++ b/rules/windows/defense_evasion_port_forwarding_added_registry.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/25" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies the creation of a new port forwarding rule. An adversary may abuse th segmentation restrictions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Port Forwarding Rule Addition" @@ -40,6 +40,7 @@ name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_reg_beacon.toml b/rules/windows/defense_evasion_reg_beacon.toml index a95b228904c..ed5e0d06589 100644 --- a/rules/windows/defense_evasion_reg_beacon.toml +++ b/rules/windows/defense_evasion_reg_beacon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "development" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies registration utilities making outbound network connections. This incl may indicate adversarial activity as these tools are often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Registration Tool Making Network Connections" 
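Review bot: The metadata hunk of defense_evasion_port_forwarding_added_registry.toml writes `updated_date = "2020/01/28"` for a rule whose `creation_date = "2020/11/25"` is visible two lines above, so the update now predates creation by ten months. The previous value, "2020/12/09", was at least consistent; the new one should be `updated_date = "2021/01/28"`. The reg_beacon hunk later on this line has the same wrong year.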
@@ -46,6 +46,7 @@ name = "Regsvcs/Regasm" reference = "https://attack.mitre.org/techniques/T1218/009/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index 495c877f717..5fc458d385e 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml +++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies child processes of unusual instances of RunDLL32 where the command li RunDLL32 could indicate malicious activity. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Unusual Child Processes of RunDLL32" @@ -43,6 +43,7 @@ name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index 0364b79796a..ea32cb8f472 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/23" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
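Review bot: The `@@ -1,7 +1,7 @@` hunk of defense_evasion_rundll32_no_arguments.toml changes `updated_date` to "2020/01/28", which is before the rule's `creation_date = "2020/09/02"` and before the "2020/12/09" being replaced. This should be `updated_date = "2021/01/28"`. The scheduledjobs_at_protocol_enabled hunk on this line (created "2020/11/23") has the same inverted date.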
@@ -11,7 +11,7 @@ move laterally or persist locally. The AT command has been deprecated since Wind exists for backwards compatibility. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Scheduled Tasks AT Command Enabled" @@ -40,6 +40,7 @@ name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index e7bba632d38..f0910331f78 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Detects file name patterns generated by the use of Sysinternals SDelete utility file overwrite and rename operations. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Potential Secure File Deletion via SDelete Utility" @@ -38,6 +38,7 @@ name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 2dfc53f5c07..ddebaf5d739 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml 
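Review bot: The metadata hunk of defense_evasion_sdelete_like_filename_rename.toml sets `updated_date = "2020/01/28"`, earlier than both the replaced "2020/12/09" and the file's `creation_date = "2020/08/18"`. The line should be `updated_date = "2021/01/28"`. The solarwinds rule whose file headers close this line is updated the same way in the next hunk, so the fix applies there too.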
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies a SolarWinds binary modifying the start type of a service to be disab
 technique to manipulate relevant security services.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "SolarWinds Process Disabling Services via Registry"
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index d98865d3436..27e9cd5966d 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies unusual instances of rundll32.exe making outbound network connections
 and Control activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Unusual Network Connection via RunDLL32"
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 129f10051d2..32e0879b446 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
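Review bot: The first hunk on this line, the metadata of defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml, sets `updated_date = "2020/01/28"` directly under `creation_date = "2020/12/14"`, so this rule now claims an update almost eleven months before it was written. The replaced value "2020/12/17" was correct for December; the new one should be `updated_date = "2021/01/28"`. The two rundll32/unusual-process metadata hunks later on this line have the same wrong year.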
@@ -10,7 +10,7 @@ Identifies network activity from unexpected system applications. This may indica applications are often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Unusual Process Network Connection" diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml index bebe6febc16..30a44204456 100644 --- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly other destructive attacks. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Volume Shadow Copy Deletion via WMIC" @@ -38,6 +38,7 @@ name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml index 8569ffef77e..2ea28ee715f 100644 --- a/rules/windows/execution_command_shell_started_by_powershell.toml +++ b/rules/windows/execution_command_shell_started_by_powershell.toml 
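Review bot: The `@@ -1,7 +1,7 @@` hunk of defense_evasion_volume_shadow_copy_deletion_via_wmic.toml writes `updated_date = "2020/01/28"`, earlier than the "2020/12/09" it replaces and earlier than the `creation_date = "2020/02/18"` two lines above. It should read `updated_date = "2021/01/28"`. Nothing else in the hunk is affected.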
@@ -1,13 +1,13 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "PowerShell spawning Cmd" @@ -35,6 +35,7 @@ name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml index 52069e2452e..0fea0ce6516 100644 --- a/rules/windows/execution_command_shell_via_rundll32.toml +++ b/rules/windows/execution_command_shell_via_rundll32.toml @@ -1,13 +1,13 @@ [metadata] creation_date = "2020/10/19" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Command Shell Activity Started via RunDLL32" @@ -38,6 +38,7 @@ name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml index 4ed46cc5765..345c155e433 100644 --- a/rules/windows/execution_downloaded_shortcut_files.toml +++ b/rules/windows/execution_downloaded_shortcut_files.toml 
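Review bot: The `@@ -1,13 +1,13 @@` hunk of execution_command_shell_started_by_powershell.toml combines the index addition with an `updated_date` change to "2020/01/28", a value that precedes the file's `creation_date = "2020/02/18"` and the "2020/12/09" it replaces. The index line is the intended change; the date line should be `updated_date = "2021/01/28"`. The execution_command_shell_via_rundll32 hunk on this line (created "2020/10/19") has the same inverted date.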
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies .lnk shortcut file downloaded from outside the local network. These s
 phishing campaigns.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Downloaded Shortcut Files"
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index adda9c2df5b..30652c94a14 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies .url shortcut files downloaded from outside the local network. These
 phishing campaigns.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Downloaded URL Files"
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index d7cffc390d9..37b5ff7aa7b 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
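Review bot: The `@@ -2,7 +2,7 @@` hunk of execution_downloaded_shortcut_files.toml sets `updated_date = "2020/01/28"` beneath `creation_date = "2020/09/02"`, putting the update seven months before the rule was created; the replaced "2020/12/17" was consistent. The line should be `updated_date = "2021/01/28"`. Note this rule is `maturity = "development"` with `query_schema_validation = false`, so a schema check will not catch the bad date here. The url_file and html_help hunks on this line have the same regression.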
@@ -11,7 +11,7 @@ malicious code in a CHM file and deliver it to a victim for execution. CHM conte
 program (hh.exe).
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Network Connection via Compiled HTML File"
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index ce2c4a302c2..c0917416111 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies an executable created by a Microsoft Office application and subsequen
 launched via scripts inside documents or during exploitation of MS Office applications.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Execution of File Written or Modified by Microsoft Office"
@@ -43,7 +43,6 @@ framework = "MITRE ATT&CK"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index e0e0949158d..816cd25dbbb 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
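Review bot: The `@@ -1,7 +1,7 @@` hunk of execution_ms_office_written_file.toml writes `updated_date = "2020/01/28"` two lines under `creation_date = "2020/09/02"`, so the update predates creation; the "2020/12/17" it replaces did not. The line should be `updated_date = "2021/01/28"`. The execution_pdf_written_file hunk at the end of this line carries the same wrong year.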
@@ -10,7 +10,7 @@ Identifies a suspicious file that was written by a PDF reader application and su
 often launched via exploitation of PDF applications.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Execution of File Written or Modified by PDF Reader"
@@ -45,7 +45,6 @@ framework = "MITRE ATT&CK"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 49f337bb6a7..e856870df5d 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "PsExec Network Connection"
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index a5f8ce9e896..2eba386be0d 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
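Review bot: The metadata hunk of execution_psexec_lateral_movement_command.toml sets `updated_date = "2020/01/28"`, which is earlier than the `creation_date = "2020/02/18"` in the same hunk and earlier than the "2020/12/17" being replaced. This is a wrong year; the line should read `updated_date = "2021/01/28"`. The register_server hunk that closes this line makes the same mistake.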
@@ -16,7 +16,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Network Connection via Registration Utility" diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index ebb0834d844..f871c98fe92 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/15" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ within a short time period. This may indicate lateral movement or remote discove """ false_positives = ["Legitimate scheduled tasks may be created during installation of new software."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Outbound Scheduled Task Activity via PowerShell" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index bbf9690af16..dc4cf8e1f7b 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/19" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies suspicious command execution (cmd) via Windows Management Instrumenta be indicative of adversary lateral movement. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Suspicious Cmd Execution via WMI" 
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index 56955e45a8a..a2c021e51e8 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies the PowerShell engine being invoked by unexpected processes. Rather t with powershell.exe, some attackers do this to operate more stealthily. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Suspicious PowerShell Engine ImageLoad" diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 0c6e0e1b0af..68c2afc50c4 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/14" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies suspicious psexec activity which is executing from the psexec service evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Suspicious Process Execution via Renamed PsExec Executable" @@ -38,6 +38,7 @@ name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 3f24fe5148a..4cf4f53e9a6 100644 
--- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ to conceal malicious code. """, ] -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Process Activity via Compiled HTML File" diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml index c96efc9eeed..2123d07fd45 100644 --- a/rules/windows/execution_via_net_com_assemblies.toml +++ b/rules/windows/execution_via_net_com_assemblies.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to r utility. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Execution via Regsvcs/Regasm" diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml index 5ec64942b5f..5a35faa9c98 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commo other destructive attacks. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Volume Shadow Copy Deletion via VssAdmin" diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index e39a2b9a6ee..dc11fb3d183 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies a PowerShell process launched by either cscript.exe or wscript.exe. O executing a PowerShell script, may be indicative of malicious activity. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Windows Script Executing PowerShell" @@ -37,6 +37,7 @@ name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 796ded65196..3221c1b5e0b 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/27" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies use of the built-in Windows script interpreters (cscript.exe or wscri via Windows Management Instrumentation (WMI). This may be indicative of malicious activity. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Windows Script Interpreter Executing Process via WMI" diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index ff8b6ca37d2..e8526f72360 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ These child processes are often launched during exploitation of Office applicati macros. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Suspicious MS Office Child Process" diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index ae58cf4b192..5c52c25882b 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe phishing activity. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Suspicious MS Outlook Child Process" diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml index 179972ccf97..d1ea761f65c 100644 --- a/rules/windows/initial_access_unusual_dns_service_children.toml +++ b/rules/windows/initial_access_unusual_dns_service_children.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/16" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ to spawn. """, ] -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Unusual Child Process of dns.exe" diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml index c235df6db97..12fc23f881e 100644 --- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml +++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/16" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -9,7 +9,7 @@ description = """ Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Unusual File Modification by dns.exe" diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index 8d257f0ce10..3beaad64455 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/29" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies a suspicious Windows explorer child process. Explorer.exe can be abus executables from a trusted parent process. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Suspicious Explorer Child Process" diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 1182d1e1990..699681a6ed7 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies use of sc.exe to create, modify, or start services on remote hosts. T lateral movement but will be noisy if commonly done by admins. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Service Command Lateral Movement" diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index fbc592c1b67..468b820aa8f 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/03" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies the execution of a file that was created by the virtual system proces via network file shares. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Remote Execution via File Shares" @@ -40,6 +40,7 @@ name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index 864c8ddfaf3..2329a1f09ef 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/15" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "WMI Incoming Lateral Movement" diff --git a/rules/windows/lateral_movement_local_service_commands.toml b/rules/windows/lateral_movement_local_service_commands.toml index 22c8d08e3f7..1cb6e5c0b87 100644 --- a/rules/windows/lateral_movement_local_service_commands.toml +++ b/rules/windows/lateral_movement_local_service_commands.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies use of sc.exe to create, modify, or start services on remote hosts. T lateral movement but will be noisy if commonly done by admins. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Local Service Commands" diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index b617a86924d..f7e9a635131 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/02" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies the use of net.exe to mount a WebDav or hidden remote share. This may preparation for data exfiltration. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Mounting Hidden or WebDav Remote Shares" @@ -44,6 +44,7 @@ name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 19010e833be..5b93b437b1c 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/04" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies a remote file copy attempt to a hidden network share. This may indica activity. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Remote File Copy to a Hidden Share" @@ -39,6 +39,7 @@ name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index 909cb6e3b6d..e83f1a590e7 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/16" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies remote execution of Windows services over remote procedure call (RPC) movement, but will be noisy if commonly done by administrators." """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Remotely Started Services via RPC" diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index fbf78340dc9..85ac0adb8c7 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/19" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies suspicious file creations in the startup folder of a remote system. A laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Lateral Movement via Startup Folder" @@ -36,12 +36,11 @@ id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -54,6 +53,7 @@ name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 70ba285bec4..750223212d6 100644 
--- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -1,13 +1,13 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = "Detects writing executable files that will be automatically launched by Adobe on launch." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Adobe Hijack Persistence" @@ -37,6 +37,7 @@ name = "Services File Permissions Weakness" reference = "https://attack.mitre.org/techniques/T1574/010/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml index e5f553b0e4e..58a9ce856f6 100644 --- a/rules/windows/persistence_app_compat_shim.toml +++ b/rules/windows/persistence_app_compat_shim.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies the installation of custom Application Compatibility Shim databases. abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Installation of Custom Shim Databases" @@ -41,6 +41,7 @@ name = "Application Shimming" reference = "https://attack.mitre.org/techniques/T1546/011/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index 9b44b5fd9eb..5df2d65606f 100644 
--- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Registry Persistence via AppCert DLL" @@ -38,6 +38,7 @@ name = "AppCert DLLs" reference = "https://attack.mitre.org/techniques/T1546/009/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index aa597f78ff8..e2385e6867d 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ Attackers may maintain persistence by creating registry keys using AppInit DLLs. AppInit DLLs are loaded by every process using the common library, user32.dll. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Registry Persistence via AppInit DLL" @@ -42,6 +42,7 @@ name = "AppInit DLLs" reference = "https://attack.mitre.org/techniques/T1546/010/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index bdd7a7616b8..6a367b5734f 100644 --- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Image File Execution Options Injection" @@ -45,6 +45,7 @@ name = "Image File Execution Options Injection" reference = "https://attack.mitre.org/techniques/T1546/012/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml index 20d728a51ba..6b6ea7e251e 100644 --- a/rules/windows/persistence_gpo_schtask_service_creation.toml +++ b/rules/windows/persistence_gpo_schtask_service_creation.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/13" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -11,7 +11,7 @@ legitimate system administration, but can also be abused by an attacker with dom malicious payload remotely on all or a subset of the domain joined machines. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Creation or Modification of a new GPO Scheduled Task or Service" diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index 14b17e8b0bc..b32d70ff4f2 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Windows contains accessibility features that may be launched with a key combinat adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Potential Modification of Accessibility Binaries" @@ -66,6 +66,7 @@ name = "Accessibility Features" reference = "https://attack.mitre.org/techniques/T1546/008/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -82,6 +83,7 @@ name = "Accessibility Features" reference = "https://attack.mitre.org/techniques/T1546/008/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml index 2454b3cdf92..da76dba4b63 100644 --- a/rules/windows/persistence_registry_uncommon.toml 
+++ b/rules/windows/persistence_registry_uncommon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2020/12/17" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Uncommon Registry Persistence Change" diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index 644320592eb..f0d93f1471a 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Startup or Run Key Registry Modification" @@ -61,6 +61,7 @@ name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml index 2c5b6469f74..35ccdf84c0a 100644 
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml +++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Execution of Persistent Suspicious Program" @@ -53,6 +53,7 @@ name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index 4b057ef22cc..68ad1631f54 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies processes modifying the services registry key directly, instead of th could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Unusual Persistence via Services Registry" @@ -48,6 +48,7 @@ name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index f1d3105bf2e..344fbe483d5 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Shortcut File Written or Modified for Persistence" @@ -57,6 +57,7 @@ name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index c3798a65566..828a7e5c257 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml @@ -1,12 +1,12 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = "Identifies script engines creating files in the startup folder, or the creation of script files in the startup folder." -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Persistent Scripts in the Startup Directory" 
@@ -44,6 +44,7 @@ name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index ae32d737677..536f3dc73f3 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Component Object Model Hijacking" @@ -51,6 +51,7 @@ name = "Component Object Model Hijacking" reference = "https://attack.mitre.org/techniques/T1546/015/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index 27b9e82bea2..2e20ecd9fcc 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/23" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -9,7 +9,7 @@ description = """ Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Suspicious ImagePath Service Creation" @@ -38,6 +38,7 @@ name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 95cdb1f1281..959b6d9298a 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati testers may run a shell as a service to gain SYSTEM permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "System Shells via Services" @@ -39,6 +39,7 @@ name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index f7473dce2f7..b988e2116e9 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment. """ -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Installation of Security Support Provider" @@ -39,6 +39,7 @@ name = "Security Support Provider" reference = "https://attack.mitre.org/techniques/T1547/005/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index 5bb6fb4085a..66ae4c810a9 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/28" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies attempts to bypass User Account Control (UAC) by abusing an elevated ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface" @@ -41,6 +41,7 @@ name = "Bypass User Access Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" 
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index 5c2e8894932..48f7816be2f 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/03" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer" @@ -43,6 +43,7 @@ name = "Bypass User Access Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index 672969093ef..c7a5131baf2 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/17" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" name = "Bypass UAC via Event Viewer" 
@@ -39,6 +39,7 @@ name = "Bypass User Access Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 694f60d1936..6368a4fa94b 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/14" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies attempts to bypass User Account Control (UAC) by hijacking the Micros Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "UAC Bypass via Windows Firewall Snap-In Hijack" @@ -42,6 +42,7 @@ name = "Bypass User Access Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml index e83dc67c5c0..370e86baea5 100644 --- a/rules/windows/privilege_escalation_uac_sdclt.toml +++ b/rules/windows/privilege_escalation_uac_sdclt.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "development" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC elevated permissions. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Bypass UAC via Sdclt" @@ -51,6 +51,7 @@ name = "Bypass User Access Control" reference = "https://attack.mitre.org/techniques/T1548/002/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 7b38389c41f..a13dbf90940 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ Identifies Windows programs run from unexpected parent processes. This could ind activity on a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Unusual Parent-Child Relationship" @@ -70,6 +70,7 @@ name = "Process Hollowing" reference = "https://attack.mitre.org/techniques/T1055/012/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index 8600aa443ee..aba98d45dce 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml 
@@ -1,17 +1,17 @@ [metadata] creation_date = "2020/10/13" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2020/01/28" [rule] author = ["Elastic"] description = """ -Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate -a code injection or an equivalent form of exploitation. +Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. +This may indicate a code injection or an equivalent form of exploitation. """ false_positives = ["Changes to Windows services or a rarely executed child process."] from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" name = "Unusual Service Host Child Process - Childless Service" @@ -51,12 +51,12 @@ id = "T1055.012" name = "Process Hollowing" reference = "https://attack.mitre.org/techniques/T1055/012/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -69,3 +69,4 @@ reference = "https://attack.mitre.org/techniques/T1055/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + From 1bef07cb89effbb5f0aaa1c0013e0d4b4d3b03f0 Mon Sep 17 00:00:00 2001 From: Justin Ibarra Date: Thu, 28 Jan 2021 20:39:56 -0900 Subject: [PATCH 3/3] remove index from promotion rule --- rules/promotions/external_alerts.toml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index d66d6a4d238..fa84bfba4e5 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml 
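Review bot: The `@@ -69,3 +69,4 @@` hunk of the svchost rule adds an empty line after the last `reference` value, leaving the file with a trailing blank line, and the `@@ -51,12 +51,12 @@` hunk inserts two blank lines before `[rule.threat.tactic]` where the other rules in this patch get one. The third commit of the series removes exactly such a trailing blank line from external_alerts.toml (`@@ -64,4 +56,3 @@`), so dropping the added `+` empty line here would keep this file consistent with the rest and with the single-trailing-newline convention. If these files are regenerated by a rule formatter, the divergence presumably originates there and is better fixed in the formatter than by hand.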
@@ -9,15 +9,7 @@ description = """ Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. """ -index = [ - "apm-*-transaction*", - "auditbeat-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*", - "logs-windows.*", -] +index = ["apm-*-transaction*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] language = "kuery" license = "Elastic License" max_signals = 10000 @@ -64,4 +56,3 @@ operator = "equals" value = "99" severity = "critical" -