elastic · brokensound77 · Jan 29, 2021 · Jan 28, 2021 · Jan 29, 2021 · Jan 29, 2021
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2020/12/21"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ access web applications or Internet services as an authenticated user without ne
 """
 false_positives = ["Developers performing browsers plugin or extension debugging."]
 from = "now-9m"
-index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 max_signals = 33
@@ -58,3 +58,4 @@ reference = "https://attack.mitre.org/techniques/T1539/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the deletion of WebServer access logs. This may indicate an attempt t
 evidence on a system.
 """
 from = "now-9m"
-index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "WebServer Access Logs Deleted"
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1070/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/07"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ to malicious infrastructure. This rule detects modifications to the hosts file o
 RHEL) and macOS systems.
 """
 from = "now-9m"
-index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Hosts File Modified"
@@ -41,6 +41,7 @@ name = "Stored Data Manipulation"
 reference = "https://attack.mitre.org/techniques/T1565/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"

diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -56,4 +56,3 @@ operator = "equals"
 value = "99"
 severity = "critical"
 
-
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2020/12/15"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or
-archive to a .pst file. Adversaries may target user email to collect sensitive information.
+Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary
+mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.
 """
 false_positives = ["Legitimate exchange system administration activity."]
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Exporting Exchange Mailbox via PowerShell"
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1114/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
diff --git a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2020/12/15"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may
-target user email to collect sensitive information.
+Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device.
+Adversaries may target user email to collect sensitive information.
 """
 false_positives = ["Legitimate exchange system administration activity."]
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "New ActiveSyncAllowedDeviceID Added via PowerShell"
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1114/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in
 preparation for exfiltration.
 """
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Encrypting Files with WinRar or 7z"

diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/19"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies certutil.exe making a network connection. Adversaries could abuse cer
 malware, from a remote URL.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Network Connection via Certutil"

diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
@@ -1,18 +1,18 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2020/11/04"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
 Adversaries may implement command and control communications that use common web services in order to hide their
-activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic.
-activity. These popular services are typically targeted since they have most likely been used before a compromise and
-allow adversaries to blend in the network.
+activity. This attack technique is typically targeted to an organization and uses web services common to the victim
+network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically
+targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Connection to Commonly Abused Web Services"
@@ -74,3 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1102/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2020/11/11"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ This rule identifies a large number (15) of nslookup.exe executions with an expl
 may indicate command and control activity utilizing the DNS protocol.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Potential DNS Tunneling via NsLookup"

diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2020/11/04"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies unusual processes connecting to domains using known free SSL certific
 encryption algorithm to conceal command and control traffic.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Connection to Commonly Abused Free SSL Certificate Providers"
@@ -50,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1573/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/28"
 maturity = "production"
-updated_date = "2020/11/28"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ unusual network connections. Adversaries could abuse Internet Explorer via COM t
 network connections and bypass host-based firewall restrictions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Potential Command and Control via Internet Explorer"

diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the desktopimgdownldr utility being used to download a remote file. A
 download arbitrary files as an alternative to certutil.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Remote File Download via Desktopimgdownldr Utility"

diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Remote File Download via MpCmdRun"

diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies powershell.exe being used to download an executable file from an untrusted remote destination."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Remote File Download via PowerShell"

diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2020/11/29"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) bei
 from a remote destination.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Remote File Download via Script Interpreter"

diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Remote File Copy via TeamViewer"

diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2020/11/24"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory
-database (NTDS.dit) in preparation for credential access.
+Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database
+(NTDS.dit) in preparation for credential access.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Potential Credential Access via Windows Utilities"
@@ -48,3 +48,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2020/11/24"
+updated_date = "2020/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o
 Those files contain sensitive information including hashed domain and/or local credentials.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 max_signals = 33
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+