Skip to content

Commit

Permalink
[Detection Rules] Add 7.9.1 rules (elastic#75939)
Browse files Browse the repository at this point in the history
* increase lookback (`from`) and bump versions
  • Loading branch information
brokensound77 committed Aug 27, 2020
1 parent a8af78b commit 63b2969
Show file tree
Hide file tree
Showing 75 changed files with 150 additions and 75 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -36,5 +37,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -39,5 +40,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Some normal use of this command may originate from server or network administrators engaged in network troubleshooting."
],
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -54,5 +55,5 @@
}
],
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -51,5 +52,5 @@
}
],
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -36,5 +37,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -36,5 +37,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
],
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -54,5 +55,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
],
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -54,5 +55,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -36,5 +37,5 @@
}
],
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -36,5 +37,5 @@
}
],
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -36,5 +37,5 @@
}
],
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic investigations.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -36,5 +37,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -36,5 +37,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -36,5 +37,5 @@
}
],
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -36,5 +37,5 @@
}
],
"type": "query",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -57,5 +58,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -54,5 +55,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -54,5 +55,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -39,5 +40,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -42,5 +43,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -36,5 +37,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
],
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -39,5 +40,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
],
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -54,5 +55,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."
],
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -55,5 +56,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"false_positives": [
"There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
],
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -57,5 +58,5 @@
}
],
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"Elastic"
],
"description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-endpoint.events.*"
Expand Down Expand Up @@ -51,5 +52,5 @@
}
],
"type": "query",
"version": 3
"version": 4
}
Loading

0 comments on commit 63b2969

Please sign in to comment.